Recent Discussions
Tracking Sent Emails from a Shared Mailbox with Delegated Access
Here is a detailed post to the Microsoft help forum about tracking down who sent emails from a shared mailbox with delegated access and Send As rights:

Title: Tracking Sent Emails from a Shared Mailbox with Delegated Access

Dear Microsoft Community,

I'm reaching out for assistance with an issue I'm encountering regarding a shared mailbox in my organization. The shared mailbox has been configured with delegated access and "Send As" rights for certain users. However, I'm finding that emails are being sent from this shared mailbox, and I need to determine which user is responsible for those sent messages.

Here's some more context on the setup:

We have a shared mailbox that multiple employees within my organization can access and send emails from using their individual user accounts. The shared mailbox has been granted "Delegate Access" and "Send As" rights to these authorized users. Whenever an email is sent from the shared mailbox, it appears to come from the shared mailbox address rather than the individual user's email address. I need to be able to track down and identify which user sent a specific email from the shared mailbox.

My main questions are:

1. How can I determine which user account was used to send a specific email from the shared mailbox?
2. Is there logging or audit functionality within Microsoft 365 that would allow me to see the user who sent an email from the shared mailbox?
3. Are there any third-party tools or add-ons that could provide this level of tracking and visibility for emails sent from a shared mailbox?

I'm hoping the Microsoft community can provide some guidance and recommendations on the best approach to resolve this issue. Being able to identify the user responsible for emails sent from the shared mailbox is crucial for maintaining security and accountability within our organization.

Thank you in advance for your assistance. I look forward to hearing back from the community.

Best regards,
Fish_Tacos
Posted Dec 02, 2024

Administrative activity from a non-corporate IP address
Hi,

Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies. The event description is:

Change sharing policy: OneDrive Site Collection https://xxxx-my.sharepoint.com/personal/user_domain_fi; Parameters: property Share Using Anonymous Links True, property Share With Guests, property ShareUsingAnonymousLinks From False To True, property ShareUsingAnonymousLinks - New Value True

Anonymous links are not allowed, and when checking the user's OneDrive site collection settings after the alert, they are still not allowed. Are these only false positives?

The matched policy is "Administrative activity from a non-corporate IP address" and the Alert Product is Microsoft Defender for Cloud Apps.

~ Jukka ~
JVa, Dec 02, 2024

Defender - Cloud Activity Logs suspicious
Hi,

I just noticed these logs in Defender - Cloud Apps > Activity Logs. It seems all our Microsoft Cloud PCs have these logs. It looks suspicious to me, as it appears to be querying our Domain Admins account, but I would like to confirm. If this is suspicious, can you help with how to mitigate it, please? Thank you.

Champ14-1020, Dec 02, 2024

XDR Unified RBAC deadline
Has Microsoft set a date for when the Unified RBAC permission model will become mandatory? All the documents I've read indicate that it's voluntary right now; eventually it will become the default.

Permissions Management: Defender XDR's RBAC Walkthrough for Microsoft Defender for Office 365 | Microsoft Community Hub

Chuckscenix, Nov 26, 2024
Defender for Endpoints - Domain Controllers
Hi,

What is the correct process for managing and deploying policies for Windows Server 2019 domain controllers? I know that Security settings management doesn't work on and isn't supported on 2019 DCs, as per https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management

So how do I manage and get policies to a 2019 DC?

Thanks

Defender XDR - how to grant "undo action" Permissions on File Quarantine?
Dear Defender XDR Community,

I have a question regarding the permissions to "undo action" on a file quarantine action in the Action center. We have six locations, and each location manages its own devices. We have created six device groups so that accounts from Location 1 can only manage/see devices from Location 1 as well. Then we created a custom "Microsoft Defender XDR" role with the following permissions. This way the admins from Location 1 can manage all Defender for Endpoint devices / incidents / recommendations etc. without touching devices they aren't managing. Very cool, actually!

BUT, if a file gets quarantined, it might need to be released again because of a false positive etc. I can do that as a Global Admin, but not as an admin with granularly assigned rights; the option just isn't there. I don't want to give the admins a more privileged role because of, you know, least privilege, but I don't have the option to allow "undo action" on file quarantine events, besides that being a critical feature for them to manage their own devices rather than me having to de-quarantine files I don't care about.

Any thoughts on how to give users this permission?

doedoedoe, Nov 21, 2024

Ransomware alert
Morning community,

I have a question and I hope I am in the right place. We use M365 Defender as a SIEM solution and a ransomware alert came recently. In the timeline, there were more than 10 instances of taskkill involved. As far as I am informed, the tool is set up to trigger an alert on several taskkill execution events. However, there was a PGHook.dll clipped/involved in the mix, and it has a direct link to the ransomware in the timeline.

My question is: would the PGHook.dll have assisted in creating the alert, or did M365 Defender pick up only on the number of taskkill events?

Thank you in advance.
Dan

DanAlexander, Nov 17, 2024

api-uk.securitycenter.microsoft.com - Vulnerability dates missing
Hi.

We've started to see the following fields with inaccurate data (red text below) coming via the Defender API.

Example call: https://api-uk.securitycenter.microsoft.com/api/recommendations/va-_-microsoft-_-windows_11/vulnerabilities

Response:

{
  "@odata.context": "https://api-uk.securitycenter.microsoft.com/api/$metadata#PublicVulnerabilityDto",
  "@odata.count": 97,
  "value": [
    {
      "id": "CVE-2024-43543",
      "name": "CVE-2024-43543",
      "description": null,
      "severity": "Medium",
      "cvssV3": 0.0,
      "cvssVector": null,
      "exposedMachines": 1,
      "publishedOn": "0001-01-01T00:00:00Z",
      "updatedOn": "0001-01-01T00:00:00Z",
      "firstDetected": "2024-10-17T09:14:19Z",
      "publicExploit": false,
      "exploitVerified": false,
      "exploitInKit": false,
      "exploitTypes": [],
      "exploitUris": [],
      "cveSupportability": null,
      "tags": [ "PartiallyPatchable" ],
      "epss": null
    },

**** single object extracted.

The data appears to display in the portal without issue, as you can see below:

Has anyone else using the Defender API seen this on their environment at all?

Cheers.
Nigel

Nigel Clark, Nov 16, 2024
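An added data-quality check, not from the post or from Microsoft's API documentation, for a pipeline that consumes responses of the shape quoted above: it flags records whose publishedOn/updatedOn carry the 0001-01-01T00:00:00Z placeholder or whose CVSS data is absent, so they can be held for review instead of being stored as vulnerabilities "published" in year 1. The sample response is constructed from the quoted object plus one made-up complete record.

```python
import json

# Constructed sample modelled on the quoted response: the real object from the
# post plus one made-up, fully populated record. Not a live API response.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://api-uk.securitycenter.microsoft.com/api/$metadata#PublicVulnerabilityDto",
    "@odata.count": 2,
    "value": [
        {"id": "CVE-2024-43543", "name": "CVE-2024-43543", "description": None,
         "severity": "Medium", "cvssV3": 0.0, "cvssVector": None, "exposedMachines": 1,
         "publishedOn": "0001-01-01T00:00:00Z", "updatedOn": "0001-01-01T00:00:00Z",
         "firstDetected": "2024-10-17T09:14:19Z", "tags": ["PartiallyPatchable"]},
        {"id": "CVE-XXXX-EXAMPLE", "name": "CVE-XXXX-EXAMPLE",
         "description": "constructed complete record", "severity": "High",
         "cvssV3": 7.5, "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
         "exposedMachines": 3, "publishedOn": "2024-10-08T07:00:00Z",
         "updatedOn": "2024-10-10T12:00:00Z", "firstDetected": "2024-10-09T01:00:00Z",
         "tags": []},
    ],
})

# .NET DateTime.MinValue serialised as ISO 8601: the field was never populated.
SENTINEL_DATE = "0001-01-01T00:00:00Z"


def find_incomplete_vulns(response_json):
    """Return {cve_id: [problem fields]} for every record with placeholder or missing data."""
    data = json.loads(response_json)
    problems = {}
    for vuln in data.get("value", []):
        issues = []
        for date_field in ("publishedOn", "updatedOn"):
            if vuln.get(date_field) in (None, SENTINEL_DATE):
                issues.append(date_field)
        # A score of 0.0 together with no vector means CVSS was not supplied, not "no risk".
        if vuln.get("cvssVector") is None or not vuln.get("cvssV3"):
            issues.append("cvss")
        if vuln.get("description") is None:
            issues.append("description")
        if issues:
            problems[vuln["id"]] = issues
    return problems


def count_matches(response_json):
    """True when @odata.count agrees with the number of records actually returned."""
    data = json.loads(response_json)
    return data.get("@odata.count") == len(data.get("value", []))


if __name__ == "__main__":
    for cve, fields in find_incomplete_vulns(SAMPLE_RESPONSE).items():
        print(f"{cve}: hold for review, incomplete fields: {', '.join(fields)}")
```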