Recent Discussions
api-uk.securitycenter.microsoft.com - Vulnerability dates missing
Hi. We've started to see the following fields with inaccurate data (red text below) coming via the Defender API.

Example call: https://api-uk.securitycenter.microsoft.com/api/recommendations/va-_-microsoft-_-windows_11/vulnerabilities

Response:

{
  "@odata.context": "https://api-uk.securitycenter.microsoft.com/api/$metadata#PublicVulnerabilityDto",
  "@odata.count": 97,
  "value": [
    {
      "id": "CVE-2024-43543",
      "name": "CVE-2024-43543",
      "description": null,
      "severity": "Medium",
      "cvssV3": 0.0,
      "cvssVector": null,
      "exposedMachines": 1,
      "publishedOn": "0001-01-01T00:00:00Z",
      "updatedOn": "0001-01-01T00:00:00Z",
      "firstDetected": "2024-10-17T09:14:19Z",
      "publicExploit": false,
      "exploitVerified": false,
      "exploitInKit": false,
      "exploitTypes": [],
      "exploitUris": [],
      "cveSupportability": null,
      "tags": [ "PartiallyPatchable" ],
      "epss": null
    },
**** single object extracted.

The data appears to display in the portal without issue, as you can see below: Has anyone else using the Defender API seen this on their environment at all? Cheers. Nigel

Support for LDAPS Auth events in XDR IdentityLogonEvents table?
We have a requirement to implement LDAPS auth for an appliance against AD DCs in a legacy environment. The DCs are running Defender for Identity. While testing using LDAP, I can trace login events in the IdentityLoginEvents table; however, when switching to LDAPS, I can't see any related events logged here. Interactive logins using LDAPS are working successfully, as expected, and appear in the Windows event log as EventID 4776 on the DC (but don't appear in the Defender portal). It was then that I discovered that this is expected behaviour according to the list of supported logon types listed here: IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn. I'm puzzled that XDR would support a cleartext legacy authentication method like LDAP, but would not support the more secure LDAPS protocol. Is there any rationale for this, or intention to introduce support?

Threat hunting help
I'm hoping someone can help me here. I'm using the below very common queries to find USB activity. It finds FileCreated, FileModified, FileRenamed and FileDeleted. What I don't seem to be able to find is file reads, i.e. someone double-clicks on a file on the USB and it opens, essentially reading the file from the USB. Anyone know how to find a file read from USB?

let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
let TimespanInSeconds = 900; // Period of time between device insertion and file copy
let Connections = DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
| join kind=inner Connections on DeviceId
| where datetime_diff('second', Timestamp, ConnectionTime) <= TimespanInSeconds

XDR Critical asset management - Custom classifications not picking up assets
Hi community, I tried creating a number of Custom classifications, for example by creating a filter on Identity -> AD Roles, or Cloud resource -> Category -> virtual_machine. When previewing the filter during creation, it displays the desired results. The classifications are created without any errors. But when I go back after refreshing the page, the Custom classifications I just created contain "0" resources. Clicking any classification, on the Assets tab, they show zero members (assets). What did I do wrong? Best Regards, Andy

Incidents from Custom Detection Rules never have Emails for Evidence
let ignoreAddresses = datatable(address:string) [@'email address removed for privacy reasons', @'email address removed for privacy reasons'];
let ignoreSpamSubjects = datatable(address:string) [@'ignored subject 1', @'ignored subject 2'];
// Time range needs to be set in the UI dropdown in order for LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any('URL detonation reputation', 'URL malicious reputation') and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not (Subject has_any (ignoreSpamSubjects))
| where (parse_json(AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound') or (EmailDirection =~ 'Intra-org')
| where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not (LatestDeliveryAction =~ 'Quarantine release')) and parse_json(ConfidenceLevel).Phish in~ ('Normal', 'High')
| join kind=inner (
    EmailUrlInfo
    | summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageId

I've got the above query saved as a detection rule, which works fine except for one thing: the emails are never present in the Evidence tab of the generated incidents. Meanwhile the Recipients show up in the Mailbox and User assets, as I'm using Entity mapping to map the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results, "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref), which is being satisfied. The Evidence available is the IP of the sender, and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' Recipient.
I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC, but are in Quarantine, detected as Phish. The idea is to watch out for false positives due to URL detonation reputation, since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.
XDR deception - decoy working - lures not deploying
Hi everyone, I am trying to create some custom deceptions with the help of this blog post: Stack Your Deception: Stacking MDE Deception Rules with Thinkst Canarytokens · Attack the SOC. The decoys are working (if I ping a host I specified, alerts are raised). But I cannot find the lures. I created some special lures for high privilege personas and placed them into {HOME}\ and a filepath beneath that. But I cannot find the files (show hidden is on). Are the folders also created by deception? It's 5 days now, so time should also not be the problem. How to troubleshoot? BR Stephan

Inaccurate Reporting for Installed Apps in Defender
Hi, this morning (UK) we noticed that Defender (all users are E5 and we have MDE P2) is showing very inaccurate reporting for various apps installed on users' machines. For example, Chrome is showing as only installed on 180 machines, where it is actually installed on over 1.4K end user machines, including mine, which shows in Defender as not an installed app. There is nothing showing at the moment in Service Health for this issue. I have also completed the 'Report Inaccuracy' in Defender as well. This was working perfectly fine as of yesterday. Other apps I have noticed as showing inaccurate results are old Teams installs. Note that this may have been a short-term glitch, as figures are slowly going back to what we would expect.

My Exposure Management > Attack Surface > Attack Paths still has nothing to show
I tried for many tenants, many cases. All tenants have MDE, Sentinel and other Microsoft 365 Defender licenses like MDO, MDI and MDCA enabled already, and I even added more defined critical assets. I still cannot see anything from this Attack Paths page. Is there anything else I should do or check to use this feature?

Defender Browser/Domain blocks
Hello, we have an issue with Defender for Endpoint. With most users, when we add browsers/domains in the DLP settings "Browser and domain restrictions to sensitive data", a disallowed browser would by default not open the content and would redirect to Edge. For some users, this does not work. We have checked the affected devices and they have a configuration status and policy sync status of successful, and the user status is Valid user. On the device itself the tasks/services are running and have been restarted already. Setting e.g.

Microsoft Defender for Endpoint export function now decreased?
Good afternoon everyone, could someone please comment if they are experiencing the same problem as myself. Whenever I am now trying to export Vulnerabilities (CVEs from the Defender Portal), it seems the extract is limited to 8000 entries, although this figure used to be 10,000 according to the following article: Export incidents queue to CSV files - Microsoft Defender XDR | Microsoft Learn. Only since this month, when I am trying to create reports for our customer, this is only showing me 8000 entries in the exported Excel file, where the dashboard shows results even higher than 8000. This new limit, which I presume has been introduced by Microsoft, is not enough for our reporting and I need an urgent solution. Setting additional filters is still not possible, since for example high category vulns over 90 days are still over the 8000 threshold. This would not have been a problem with the 10,000 entry limit. Can anyone confirm this is the same for them, or offer a workaround? Thanks in advance. Kind regards, Ian

IdentityLogonEvents table Roadmap
Is there a roadmap for this: consolidate all sign-in schema information into the IdentityLogonEvents table. This is with respect to AADSignInEventsBeta & AADSpnSignInEventsBeta being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. AADSpnSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn; AADSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn

GDAP Permissions in XDR Unified Security Experience
Hi folks, hope someone might know how to sort this one... Here's a screenshot of the same tenant. On the left is our CSP GDAP'd to Global Admin. On the right is a proper GA in the tenant. Not only is the interface different (see the options in the left column), certain incidents and alerts aren't visible to the GDAP'd GA, nor are certain tables (DeviceEvents, SigninLogs) using Advanced hunting. I know there are new RBAC roles available for Defender, but everything I've read states that if the GDAP'd role has GA we should be good. What gives? Thanks, Ross.

Roles and Responsibilities Defender XDR
Dear all, I need some help. I am looking for a drawing showing where the Microsoft Defender tools are positioned in a SOC and the roles and responsibilities. I have seen such a drawing once on the MS websites, but cannot find it. Please help, I need to convince the IT team who do not have SOC experience.
Recent Blogs
- Easily deploy Defender for Identity with the new, unified agent and integrate four new privileged identity access (PAM) providers for improved prioritization of the most critical identities in your e... (Nov 19, 2024)
- The speed, scale, and precision of AI-powered attacks have introduced an entirely new level of complexity to the cybersecurity landscape. Defending against these advanced threats requires more than j... (Nov 19, 2024)