Recent Discussions
Monitoring copied files on External drive - USB
Hello guys, I struggle to find a way in Defender for EPP or other solutions to monitor when a user copies files to an external peripheral such as a hard drive or USB. Does someone have the procedure or documentation? NOTE: the Defender timeline can see when a user is plugging in a USB stick, but that's... Thanks!

How to get the Protection History from a device
Hello, I would like to get the Protection History without user intervention. I don't understand why it is not on the device page in Microsoft 365 Defender initially... I tried to find a way to do it in Advanced hunting, but it's new for me; if someone has the command, thanks in advance. I tried with Live response, but you can only use the CMD (is there a way to initiate Live response with PowerShell?), run a PowerShell script and try to get the output file, but every time I got the error: Empty file, even if I do a -outfile with my PS script and try to get this specific file... Can someone help me please 🙂? Thanks

Tracking Sent Emails from a Shared Mailbox with Delegated Access
Here is a detailed post to the Microsoft help forum about tracking down who sent emails from a shared mailbox with delegated access and Send As rights:

Title: Tracking Sent Emails from a Shared Mailbox with Delegated Access

Dear Microsoft Community,

I'm reaching out for assistance with an issue I'm encountering regarding a shared mailbox in my organization. The shared mailbox has been configured with delegated access and "Send As" rights for certain users. However, I'm finding that emails are being sent from this shared mailbox, and I need to determine which user is responsible for those sent messages.

Here's some more context on the setup: We have a shared mailbox that multiple employees within my organization can access and send emails from using their individual user accounts. The shared mailbox has been granted "Delegate Access" and "Send As" rights to these authorized users. Whenever an email is sent from the shared mailbox, it appears to come from the shared mailbox address rather than the individual user's email address. I need to be able to track down and identify which user sent a specific email from the shared mailbox.

My main questions are:
- How can I determine which user account was used to send a specific email from the shared mailbox?
- Is there logging or audit functionality within Microsoft 365 that would allow me to see the user who sent an email from the shared mailbox?
- Are there any third-party tools or add-ons that could provide this level of tracking and visibility for emails sent from a shared mailbox?

I'm hoping the Microsoft community can provide some guidance and recommendations on the best approach to resolve this issue. Being able to identify the user responsible for emails sent from the shared mailbox is crucial for maintaining security and accountability within our organization.

Thank you in advance for your assistance. I look forward to hearing back from the community.

Best regards,

Security Baselines section disappears
I arrived here from this page... https://learn.microsoft.com/en-us/defender-xdr/entity-page-device ... which details all the possible sections of a given device when located within the Assets->Devices section of the Defender portal. When I click on a machine, I see most of the sections along the top (Overview, Incidents & alerts, Timeline, etc.) and I can click on each one, but as soon as I click on a device, the 'Security Baseline' section momentarily appears then disappears. The link to Security Baselines is also broken in the link I pasted above. Can anyone else access this section? Regards, Graham

MS Defender XDR API missing Alerts
The Microsoft Defender XDR API is missing Alerts that are visible in the console (https://security.microsoft.com). The number of Alerts returned by the Incident API is limited to 150. This information is nowhere in the documentation. If you have an Incident with greater than 150 Alerts, the API will not provide all the Alerts for a given Incident. https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents My team has confirmed this behavior across hundreds of tenants and thousands of Incidents. MS Premier Support has not been helpful in understanding if this is a known issue or a bug. Has anyone encountered this issue and have any information? Obviously closing the Incident will solve the problem, but for ongoing investigations this is not always an option.

Deploying Defender for Business without o365 accounts
Hi, I have a few SMB customers who, due to the nature of their business, do not want/need o365 accounts. Besides, their company policy does not allow them to store any business data in clouds abroad. However, they all have their local AD domain and a Windows-only environment. Now, I would like to set up Defender for Business + Huntress MDR as a good and affordable threat protection combo, but here my questions begin. Please, shed some light on this:
- Does Defender for Business actually need endpoint users to be signed in to their o365 accounts for full protection to work properly? What if they aren't: would full protection still be in place, or would Defender for Business functionality drop down to basic antivirus, like regular Defender?
- Is Defender for Business in my case really so complicated and hard to install and set up? I've read some instructions and there is a ton of documentation, PS scripts and tools, like Intune and such, and despite being 40+ years in computer engineering, I got lost. Mostly because I do not use a ton of Microsoft products daily.
- Does Defender for Business have some easy to manage cloud management tool, where I would see and manage all installed Defenders for Business? Or must I learn those Intune, Azure, o365 Security and Defender portals, which are total overkill for those SMBs which I manage?
Thank you!

Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in the Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a Graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. Kristof

Defender - Cloud Activity Logs suspicious
Hi, I just noticed these logs from Defender - Cloud Apps > Activity Logs. It seems all our Microsoft Cloud PCs have these logs; it looks suspicious to me as it seems to be querying our Domain Admins account, but I would like to confirm. If this is suspicious, can you help with how to mitigate this please? Thank you.

Administrative activity from a non-corporate IP address
Hi, Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies. The event description is: Change sharing policy: OneDrive Site Collection https://xxxx-my.sharepoint.com/personal/user_domain_fi; Parameters: property Share Using Anonymous Links True, property Share With Guests, property ShareUsingAnonymousLinks From False To True, property ShareUsingAnonymousLinks - New Value True. Anonymous links are not allowed, and when checking the user's OneDrive site collection settings after the alert it is still not allowed. Are these only false positives? The matched policy is Administrative activity from a non-corporate IP address and the Alert Product is Microsoft Defender for Cloud Apps. ~ Jukka ~

"Open Wi-Fi Connection on one endpoint" - network name is "hidden for privacy"?
Background: We have Defender for Endpoint and Intune installed on our corporate Android devices. I'm not sure what changed recently, but we are now getting tons of alerts every day for Open Wi-Fi Connection on one endpoint. When I go in to investigate further, every alert says: Device ID : <<unique ID>> connected to an open Wi-Fi network : hidden for privacy. Is there any way to see what the actual network connected to is, to determine if this is a risk or if it just needs user education?

XDR Unified RBAC deadline
Has Microsoft set a date for when the Unified RBAC permission model will become mandatory? All the documents I've read indicate that it's voluntary right now. Eventually it will become the default. Permissions Management: Defender XDR's RBAC Walkthrough for Microsoft Defender for Office 365 | Microsoft Community Hub. Chuck

Defender for Endpoints - Domain Controllers
Hi, what is the correct process for managing and deploying policies for Windows Server 2019 domain controllers? I know that Security settings management doesn't work on and isn't supported on 2019 DCs as per (https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management). So how do I manage and get policies to a 2019 DC? Thanks

Defender XDR - how to grant "undo action" Permissions on File Quarantine?
Dear Defender XDR Community, I have a question regarding the permissions to "undo action" on a file quarantine action in the action center. We have six locations, and each location manages their own devices. We have created six device groups so that accounts from Location 1 can only manage/see devices from Location 1 as well. Then we created a custom "Microsoft Defender XDR" role with the following permissions. This way the admins from location 1 can manage all Defender for Endpoint devices / incidents / recommendations etc. without touching devices they aren't managing.. very cool actually! BUT - if a file gets quarantined, it might need to be released again because of a false positive etc. I can do that as a global admin, but not as an admin with granularly assigned rights - the option just isn't there.. I don't want to give those admins a more privileged role because of - you know - least privilege. But I don't have the option to allow "undo action" on file quarantine events, besides that being a critical feature for them to manage their own devices and not me having to de-quarantine files I don't care about.. Any thoughts on how to give users this permission?

Ransomware alert
Morning community, I have a question and I hope I am in the right place. We use M365 Defender as a SIEM solution and a Ransomware alert came recently. In the timeline, there were more than 10 instances of taskkill involved. As far as I am informed, the tool is set up to trigger an alert on several taskkill execution events. However, there was a PGHook.dll clipped/involved in the mix and it has a direct link to the Ransomware in the timeline. My question is: Would the PGHook.dll have assisted in creating the alert, or did M365 Defender pick up only on the number of taskkill events? Thank you in advance. Dan

api-uk.securitycenter.microsoft.com - Vulnerability dates missing
Hi. We've started to see the following fields with inaccurate data (red text below) coming via the Defender API.

Example call: https://api-uk.securitycenter.microsoft.com/api/recommendations/va-_-microsoft-_-windows_11/vulnerabilities

Response:

    {
      "@odata.context": "https://api-uk.securitycenter.microsoft.com/api/$metadata#PublicVulnerabilityDto",
      "@odata.count": 97,
      "value": [
        {
          "id": "CVE-2024-43543",
          "name": "CVE-2024-43543",
          "description": null,
          "severity": "Medium",
          "cvssV3": 0.0,
          "cvssVector": null,
          "exposedMachines": 1,
          "publishedOn": "0001-01-01T00:00:00Z",
          "updatedOn": "0001-01-01T00:00:00Z",
          "firstDetected": "2024-10-17T09:14:19Z",
          "publicExploit": false,
          "exploitVerified": false,
          "exploitInKit": false,
          "exploitTypes": [],
          "exploitUris": [],
          "cveSupportability": null,
          "tags": [ "PartiallyPatchable" ],
          "epss": null
        },

**** single object extracted.

The data appears to display in the portal without issue, as you can see below:

Has anyone else using the Defender API seen this on their environment at all? Cheers. Nigel

Defender console - Disabled Connected to a custom indicator & Connected to an unsanctioned
Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.

Issue: I want to know how I can disable the two following alerts:
- Disabled Connected to a custom indicator
- Connected to an unsanctioned blocked app

Those alert types need to be enabled or disabled on demand, like the other alert types.

Why's that? Description of the workload: When we block (Unsanction) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created that way, it checks the box to generate an alert when the indicator is triggered. We would like to automatically uncheck the box or disable the alerts described.

Possible to disable the custom alert in settings? No. Why? Explanation: You cannot suppress "custom detection". But they are categorized as "Informational" and you can suppress by severity alert type.

Solutions: IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the Resolved incident ingestion and falsify your SOC optimization reports. The rule automatically closes only the "Informational" alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:

Rule Analysis: From the updated rule configuration screenshot, it appears that you've set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., "Malware was detected in an email message," "unwanted software," "malware," "trojan"). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here's a breakdown of how it's working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts.

So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,

Automating detection engineering for MS 365 Defender
I'm working at an MSSP managing multiple customers. We build a lot of custom detection rules in the MS 365 Defender portal of the customers. We have a library of standard custom detections we use for all our customers. However, it is very labor intensive to manage all those detections. I'm thinking of automating it so it is all manageable from one platform. But the MS documentation doesn't speak about API features to create, edit and remove custom detections in MS 365. Is there any way to automate this process?
Recent Blogs
- Do you want to become a ninja for Microsoft Defender XDR? We can help you get there! (4 min read, Dec 16, 2024)
- Microsoft Defender XDR Monthly news December 2024 Edition: This is our monthly "What's new" blog post, summarizing product updates and various new assets w... (10 min read, Dec 09, 2024)