Category: Microsoft Defender XDR | Microsoft Community Hub

Recent Discussions

ASR rule "Block Win32 API calls from Office macro Block XLS
Hi All, we have deploy defender for Endpoint in customer organization and the rule "ASR rule "Block Win32 API calls from Office macro" block old version of Excel with macro, we set exclusion for a path that contain this file but problem persist. If we convert this file into new version of Excel problem not appears, there is a solution for this problem or we need to convert all files into new version ? Many Thanks Guido
Solved
Deleted
Jun 27, 2024 Place Microsoft Defender XDR
microsoft defender for endpoint
1.5KViews
0likes
3Comments
Defender - Export or capture certificate expiry data
Hi There, I am attempting to pull expired certificate information from Defender. My question is thus two fold: Is it possible to create an email or alert based on certificates due to expire in 30 days. Is it possible to call an API for Defender for Endpoint? Our current solution for alerts on expiring certificates in the domain is no longer sustainable and I am looking at redesigning the solution, however, before we can do a proper solution, we need to do something a little less manual and this will be our start. Alert Rule I can see that the certificate information is under the Inventories of the Vulnerabilities blade in Defender Endpoint which suggests that an expiring certificate should alert as a Vulnerability. Is this correct, if so how would I go about creating an alert to identify this? API or Information passing Is it possible to use API to call the information of certificates from Defender, again I have looked and found nothing. If API's aren't possible I saw that I can ship the data to Event Hub which would be useful but again I need to know if the certificate information is captured and passed on if I do this. Does anyone have this information? Thanks,
Solved
GavinDatacom
Copper Contributor
Jun 17, 2024 Place Microsoft Defender XDR
Alerts
automation
learning
microsoft defender for endpoint
Remediation
368Views
0likes
1Comment
Incidents and Alerts blades missing in Defender portal
Hi, We recently found out that the incidents and alerts blades have disappeared from our Defender portal. This is true for both Global Admin and Security Administrator roles. We use A5 licenses in our tenant. Not sure what happened. Microsoft Unified support has not been very helpful in even replying to our query. Can someone please point us in the right direction. We don't know what has happened. Thanks in advance,
Solved
arifvase
Copper Contributor
May 23, 2024 Place Microsoft Defender XDR
Alerts
Incident Management
investigation
513Views
0likes
1Comment
Entra ID protection - Integration into Defender XDR
Hi everyone, is it possible to integrate this into Defender? Or is there a hunt or Cloud App Policy that will trigger an Alert in Defender Portal? BR Stephan
Solved
StephanGee
Steel Contributor
Apr 26, 2024 Place Microsoft Defender XDR
Incident Management
microsoft defender for endpoint
playbooks
2.2KViews
1like
8Comments
MacOS set preferences - manual deployment without MDM
Hello, we are testing Microsoft Defender on macOS devices. It is working and reporting in the Defender portal. I see in documentation that there are examples of creating config profile in Jamf and Intune: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide Is it possible to create a simple config profile manually (without using any MDM system) for testing purposes? Something like we can do on Linux OS:https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide- using config file/etc/opt/microsoft/mdatp/managed/mdatp_managed.json Thanks!
Solved
djolenole
Brass Contributor
Apr 24, 2024 Place Microsoft Defender XDR
microsoft defender for endpoint
Onboarding
501Views
0likes
2Comments
EICAR file is not blocked by Defender for Endpoint on Linux
Hello, we are testing Microsoft Defender for Endpoint on Linux Ubuntu devices. I successfully onboarded machine, it is visible in Defender portal and I am able to generate incident using test https://aka.ms/LinuxDIY However, I am not able to detect/block EICAR test file using suggested command: curl -o ~/Downloads/eicar.com.txthttps://www.eicar.org/download/eicar.com.txt After it, eicar.com.txt file is in Downloads folder and nothing happens. "mdatp health" output: Configuration in mdatp_managed.json file: Am I missing something? Thanks
Solved
djolenole
Brass Contributor
Apr 22, 2024 Place Microsoft Defender XDR
microsoft defender for endpoint
1.2KViews
0likes
2Comments
abnormal Behavior in Users Devices
hi security guys I am facing strange behaviors on Microsoft EDR that show in timeline Windows Defender Advanced Threat Protection\SenseIR.exeis using fake accounts which are not exist in Microsoft Active directory and Azure Active Directory Is considering a normal behavior, hacked orWindows Defender Advanced Threat Protection zero day vulnerable. the below sample from timeline that related with fake account. Event Time Machine Id Computer Name Action Type File Name Folder Path Sha1 Sha256 MD5 Process Command Line Account Domain Account Name Account Sid Logo Id Process Id Process Creation Time Process Token Elevation Registry Key Registry Value Name Registry Value Data Remote Url Remote Computer Name Remote IP Remote Port Local IP Local Port File Origin Url File Origin IP Initiating Process SHA1 Initiating Process SHA256 Initiating Process File Name Initiating Process Folder Path Initiating Process Id Initiating Process Command Line Initiating Process Creation Time Initiating Process Integrity Level Initiating Process Token Elevation Initiating Process Parent Id Initiating Process Parent File Name Initiating Process Parent Creation Time Initiating Process MD5 Initiating Process Account Domain Initiating Process Account Name Initiating Process Account Sid Initiating Process Logon Id Report Id Additional Fields App Guard Container Id Protocol Logon Type Process Integrity Level Registry Value Type Previous Registry Value Name Previous Registry Value Data Previous Registry Key File Origin Referrer Url Sensitivity Label Sensitivity Sub Label Is Endpoint Dlp Applied Is Azure Info Protection Applied Alert Ids Categories Severities Is Marked Data Type 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 InboundRdpConnection LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Default 7192 SenseIR.exe 2024-04-19T12:21:11.307 NT AUTHORITY system S-1-5-18 1.65E+09 T1021.001 (bolster) Techniques 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 WindowsDomainAccountLogonSuccess LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Default 7192 SenseIR.exe 2024-04-19T12:21:11.307 NT AUTHORITY system S-1-5-18 9.09E+08 T1078.002 (bolster) Techniques 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 LogonSuccess LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Standard 7192 \Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe 2024-04-19T12:21:11.307 nt authority system S-1-5-18 28953 {"IsLocalLogon":false} CachedRemoteInteractive Events 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 WindowsDomainAccountLogonSuccess LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Default 7192 SenseIR.exe 2024-04-19T12:21:11.307 NT AUTHORITY system S-1-5-18 8.59E+08 T1078.002 (bolster) Techniques 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 InboundRdpConnection LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Default 7192 SenseIR.exe 2024-04-19T12:21:11.307 NT AUTHORITY system S-1-5-18 8.45E+08 T1021.001 (bolster) Techniques 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 LogonSuccess LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Standard 7192 \Device\HarddiskVolume3\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe 2024-04-19T12:21:11.307 nt authority system S-1-5-18 28952 {"IsLocalLogon":false} CachedRemoteInteractive Events 2024-04-19T12:22:10.987 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 LogonAttempted LITC fake account 7c04ec2377e32b3c742f581f6c5437464dd2cf2 3247PKBT60B6DT25B34CP74B5889Ap10F1B3S72B4D4D95B5B25B54560B8 powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0 8332 powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\ Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Algorithm SHA256; if (!( $calculatedHash.Hash -eq '575497143631ed5cd604e7a1e8666187bd6acf421ad685273e559c0013179789')) { exit 323;}; Start-Transcript -Path 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\PSScriptOutputs\PSScript_Transcript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.txt'; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{70971E03-A55E-4EC2-BC9B-A8F0173A83C3}.ps1' -Id 3f884218-6a5a-4d02-8032-32ed7f90339a -Descriptor eyJEZXRlY3Rpb25LZXlzIjpbIk1va2h0YXIuU2hvc2hhbiJdLCJDb250ZW50IjoiZXdvZ0lDSlRaWEpwWVd4cGVtVmtUbXhTWldOdmNtUWlPaUFpU0dkQlNVRkNORUZJWjBGQlFVRkJRVUZCUVVGQlJGVTFUWHBqUVVGblFVRkJaMEZCUVVGblFVZEJRemNyY3pONU9UUXZZVUZSVVVGQlVVRkJRVUZCUVVGUlFVdEJRVUZCUVVGQlVVRkJRVUZHUVVFd1FVTmlWRGRNWW5SWVduUjVNbTlPUmtnek1FcGhNRlZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUWtGQlFVRkJRVUZCUVVGQlFVRkJRVU5CUVVGQlJHZEJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZCUVVGQlFVRkJRVUZVVVVKMlFVZHpRV0ZCUWpCQlIwVkJZMmRCZFVGR1RVRmhRVUoyUVVoTlFXRkJRbWhCUnpSQlFVRkNjMEZIYTBGa1FVSnFRVWQzUVdGUlFqQkJSMDFCVEdkQ2MwRkhPRUZaZDBKb1FVZDNRVlJSUW5aQlIzTkJZVUZDTUVGSFJVRmpaMEYxUVVaTlFXRkJRblpCU0UxQllVRkNhRUZITkVGUlFVSnpRVWRyUVdSQlFtcEJRelJCWWtGQ2RrRkhUVUZaVVVKelFVVXdRV0ozUW5KQlIyZEJaRUZDYUVGSVNVRk1aMEpVUVVkblFXSjNRbnBCUjJkQldWRkNkVUZCUVVGVVVVSjJRVWR6UVdGQlFqQkJSMFZCWTJkQlowRkdUVUZoUVVKMlFVaE5RV0ZCUW1oQlJ6UkJRVUZCUVVGblFVRkNkMEZCUVVGRlEwRkJRVWhCUVVGQllrRkNjRUZJVVVGWmQwSlRaRzQ0V0dOcVZVWTFSVzVIT0hadWFFUlFSUzh2ZEdOQ2FtUXlNMjFHVlc5QlJ6UkJaRkZDYzBGSGQwRkxVVUZCUVVFOVBTSXNDaUFnSWxOdlpuUjNZWEpsUlhoamJIVnphVzl1VEdsemRFWnZja1JsY0d4dmVXMWxiblFpT2lCYlhRcDkiLCJFbnRpdHlQYXRoIjoiIiwiRW50aXR5VHlwZSI6NiwiTHVyZURlcGxveW1lbnRDb250ZXh0Ijp7IkV4cGlyYXRpb25VdGMiOiIyMDI0LTA0LTIyVDEyOjE2OjQ1LjQ0NTE3NzVaIiwiSWQiOiJhZjlkNWY2YS1jNjZhLTRmYmMtOTkwZS00MzMwYmI4ZTZjODQiLCJDb3JyZWxhdGlvbklkIjpudWxsfSwiRmlsZUF0dHJpYnV0ZXMiOjAsIlVzZXJSaWQiOjkyNjEwMzg2MX0=}" 2024-04-19T12:21:13.582 System Default 7192 SenseIR.exe 2024-04-19T12:21:11.307 NT AUTHORITY system S-1-5-18 28951 Events 2024-04-19T12:22:09.728 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 InteractiveRemoteComponentInvocation LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 1.71E+09 T1078 (Friends)/T1021.001 (Friends) Techniques 2024-04-19T12:22:09.728 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 WindowsDomainAccountLogonSuccess LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 D398B9D68B555K9K6K041K8Pia8849D1A6B1AC4 63A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691A lsass.exe C:\Windows\System32 824 lsass.exe 2024-04-18T08:04:00.305 System Default 928 wininit.exe 2024-04-18T08:04:00.107 NT AUTHORITY system S-1-5-18 9.6E+08 T1078.002 (bolster) Techniques 2024-04-19T12:22:09.728 6595e6522d8db8d92425250a4fe68dd7ce1fc1db PC1 LogonSuccess LITC fake account S-1-5-21-3977750084-2905094788-454684165-926103861 D398B9D68B555K9K6K041K8Pia8849D1A6B1AC4 63A75A4F57158Ba4D796A2414790FCD3694D8Ab9ED3A8942A9CBCD0B71691A lsass.exe C:\Windows\System32\lsass.exe 824 lsass.exe 2024-04-18T08:04:00.305 System Standard 928 wininit.exe 2024-04-18T08:04:00.107 nt authority system S-1-5-18 28934 {"IsLocalLogon":false} RemoteInteractive Events thanks in advance
Solved
ahmedamer
Copper Contributor
Apr 20, 2024 Place Microsoft Defender XDR
investigation
1.1KViews
0likes
1Comment
Stream alerts from Defender for Cloud
Is it possible to have alerts originating from Defender to Cloud to use Defender XDR Streaming API to forward alerts to an Eventhub? If currently have event Streaming API configured in Defender XDR to forward alerts to our Graylog system which works fine for alerts originating from Defender for Endpoint ect, however when I generate test alerts in Defender for Cloud they appear on the Alerts page in the Security/Defender-portal, but they are not forwarded to our Eventhub. I've been able to work around it by configuring continuous export to Eventhub directly in Defender for Cloud instead, but just wonder if it is supposed to work via Defender XDR "Streaming API"?
Solved
msundman78
Copper Contributor
Apr 16, 2024 Place Microsoft Defender XDR
Alerts
521Views
0likes
1Comment
Security Operator, but can add to TABL
I currently have the Entra ID Security Operator PIM role activated, and I am able to add email addresses to the TABL, as well as managing Anti-Spam and Anti-Phishing policies. In the past, I've needed to be a Security Administrator to do this. Has something changed? If not, could this be an unintended consequence of me activating the MDO workloads for Unified RBAC?
Solved
SKadish
Brass Contributor
Feb 15, 2024 Place Microsoft Defender XDR
Microsoft Defender for Office 365
Response Actions
784Views
0likes
4Comments
Defender XDR Unified RBAC - Cannot manage incidents
I've been configuring the new Defender XDR Unified RBAC roles, and two things that I cannot find permissions for are managing incidents and alerts. No matter what I configure, those buttons stay greyed out. This is despite configuring a role that has all Security Operations and Security Posture read and manage permissions. Other functions are working, for instance being able to block users via the TABL, or Search & Purge permissions. Can I please get some help?
Solved
SKadish
Brass Contributor
Feb 13, 2024 Place Microsoft Defender XDR
Incident Management
microsoft defender for endpoint
Microsoft Defender for Office 365
Response Actions
2KViews
0likes
6Comments
Do Defender XDR Custom RBAC Roles stack?
Are permissions granted by Defender XDR Unified RBAC Custom Roles additive? For instance, if a user uses PIM to assume a role with permissions A & B, and then uses PIM a second time to assume a role with permissions C & D, will the user then have permissions A, B, C, & D? Or will they only have permissions C & D?
Solved
SKadish
Brass Contributor
Jan 30, 2024 Place Microsoft Defender XDR
automation
microsoft defender for endpoint
Microsoft Defender for Office 365
playbooks
siem
508Views
0likes
2Comments
Moving away from Microsoft Defender XDR onto using some other solution - any actions required?
Hi All, I manage one O365 tenant that has been using the Microsoft Defender and had licensed for the Defender Plan 2 - The licenses are about to expire and they want to jump on to another product for the security systems and leave Defender behind - Any actions needed in the https://security.microsoft.com portal to off-board from using the Defender or just wait for the licenses to expire? Or will it take care of it self after the licenses are no longer valid? As you might guess from my question, I'm not the one who was onboarding the Defender so please - If steps are need - explain those actions with clear instructions what and where is needed without Defender specific terminology and acronyms 🙂 Kindly, Em.
Solved
EmMabel
Copper Contributor
Jan 19, 2024 Place Microsoft Defender XDR
learning
707Views
0likes
3Comments
Defender for Endpoints - Domain Controllers
Hi What is the correct process for managing and deploying policies for Windows server 2019 domain controllers. I know thatSecurity settings management doesn't work on and isn't supported on 2019 DCs as per (https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management So how do I manage and get policies to a 2019 DC Thanks
Solved
Fhilp
Brass Contributor
Dec 06, 2023 Place Microsoft Defender XDR
microsoft defender for endpoint
Onboarding
threat intelligence
7KViews
0likes
3Comments
Device Events table
Hello from Greece, i have a strange issue. I cannot run any query in advanced hunting starting with deviceevents. The device section is totally missing. Even if i type it it is marked red and i receive an error. Is there any way i can update my schema? I want the asr auditing events from my subscription. Thank you! Panos
Solved
Panos83
Copper Contributor
Nov 23, 2023 Place Microsoft Defender XDR
microsoft defender for endpoint
2.6KViews
0likes
5Comments
New Email Response Actions in Microsoft Defender XDR
Hi, Can Microsoft please allow the use of punctuation when adding a new Rule Name or in the description for this functionality. Example below is when adding a new rule name, but using a hyphen (so that on first look, a user can see that the rule was created for a manual action) In the description, it doesn't allow you to use any commas, or any full stops (periods)
Solved
Brok3NSpear
Brass Contributor
Nov 22, 2023 Place Microsoft Defender XDR
Alerts
microsoft defender for endpoint
Response Actions
942Views
2likes
5Comments
Advanced Hunting
Trying to run this query for advanced hunting but getting the below syntax error. Can anyone help with this query? Also does anyone know a good resource to use for learning the Kusto language used for these queries?
Solved
Bosanac89
Copper Contributor
Nov 16, 2023 Place Microsoft Defender XDR
automation
investigation
microsoft defender for endpoint
Microsoft Defender for Office 365
threat hunting
1.2KViews
1like
3Comments
Whitelisting .exe files - Defender for Endpoint
Hello, Does anyone know where you can whitelist .exe files? Or add paths in defender to be whitelisted for specific endpoints? We have software that requires the user to run the .exe file and it keeps being flagged as malware even though we know its false positive.
Solved
Bosanac89
Copper Contributor
Nov 15, 2023 Place Microsoft Defender XDR
microsoft defender for endpoint
11KViews
0likes
3Comments
Understanding the use of the Evidence Role field in Alert Tuning
Hi there, I am looking for some help with understanding the use of the Evidence Role field when tuning an alert. I currently receive a false positive alert that I am trying to automatically set to resolved. There are a few conditions that need to be met to qualify as this alert and one of those is to have a certain ip involved. When setting up the involved IP, I would use this configuration for example (all specifics redacted): along with a collection of other details such as hostname etc.. I understand the functionality of all of it other than the Evidence role field and the subsequent options it has, being In or Not in, and the final dropdown having these options: I have been unable to find suitable advice online to do with alert tuning outside of the basic functionality and how to setup - so if there is a resource somewhere that I have missed, a pointer in that direction would also be greatly appreciated. I am looking for an explanation as to what this field does / means, and where/if I need it to achieve what I want to do. Thank you for the help 🙂
Solved
JoshuaN1
Copper Contributor
Nov 13, 2023 Place Microsoft Defender XDR
Alerts
automation
Incident Management
learning
2KViews
0likes
5Comments
Duplicate Azure Device when onboarding Defender for Endpoint
Hi I have a device which is "Microsoft Entra registered" with a owner assigned, they have logged into Microsoft account theirdevice. We have onboarded the device toDefender for Endpoint and it now shows a 2nd device entry with the same name, no join type but Microsoft Defender for Endpoint as its Security SettingsManagement. This is obviously created when onboarded but why does AZ not sort out duplicate devices? Wen assigning the device to a group it causes issues as the device shows twice
Solved
Fhilp
Brass Contributor
Oct 11, 2023 Place Microsoft Defender XDR
microsoft defender for endpoint
3.3KViews
1like
8Comments
Spam being delivered to Junk folder
I am still having spam messages being delivered to the Junk folder, even after setting Spam Message Action to delete the message (see first image below). I also ran a message trace and found that the message was filtered as spam and delivered to the Junk folder (see second image below). Why am I getting spam delivered to my Junk folder when I explictily chose to have it deleted?
Solved
w4C777
Copper Contributor
Oct 11, 2023 Place Microsoft Defender XDR
Microsoft Defender for Office 365
2.4KViews
0likes
19Comments

Recent Discussions

ASR rule "Block Win32 API calls from Office macro Block XLS

Defender - Export or capture certificate expiry data

Incidents and Alerts blades missing in Defender portal

Entra ID protection - Integration into Defender XDR

MacOS set preferences - manual deployment without MDM

EICAR file is not blocked by Defender for Endpoint on Linux

abnormal Behavior in Users Devices

Stream alerts from Defender for Cloud

Security Operator, but can add to TABL

Defender XDR Unified RBAC - Cannot manage incidents

Do Defender XDR Custom RBAC Roles stack?

Moving away from Microsoft Defender XDR onto using some other solution - any actions required?

Defender for Endpoints - Domain Controllers

Device Events table

New Email Response Actions in Microsoft Defender XDR

Advanced Hunting

Whitelisting .exe files - Defender for Endpoint

Understanding the use of the Evidence Role field in Alert Tuning

Duplicate Azure Device when onboarding Defender for Endpoint

Spam being delivered to Junk folder

Events

Recent Blogs

Ignite news: Seamless protection for your on-prem identities with Defender for Identity

Ignite news: What's new in Microsoft Defender XDR?

Resources

Share

Tags