Latest Discussions
Automating detection engineering for MS 365 Defender
I'm working at an MSSP managing multiple customers. We build a lot of custom detection rules in the MS 365 Defender portal of the customers. We have a library of standard custom detections we use for all our customers. However, it is very labor intensive to manage all those detections. I'm thinking of automating it so it is all manageable from one platform. But the MS documentation doesn't speak about API features to create, edit and remove custom detections in MS 365. Is there any way to automate this process?
Tosty20 | Nov 08, 2024 | Copper Contributor | 812 Views | 0 likes | 3 Comments

Support for LDAPS Auth events in XDR IdentityLogonEvents table?
We have a requirement to implement LDAPS auth for an appliance against AD DCs in a legacy environment. The DCs are running Defender for Identity. While testing using LDAP, I can trace login events in the IdentityLogonEvents table; however, when switching to LDAPS, I can't see any related events logged here. Interactive logins using LDAPS are working successfully, as expected, and appear in the Windows event log as EventID 4776 on the DC (but don't appear in the Defender portal). It was then that I discovered that this is expected behaviour according to the list of supported logon types listed here: IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn. I'm puzzled that XDR would support a cleartext legacy authentication method like LDAP, but would not support the more secure LDAPS protocol. Is there any rationale for this, or intention to introduce support?
Philpen | Nov 07, 2024 | Copper Contributor | 29 Views | 1 like | 0 Comments

Removing old M365 Defender incident email notification
Hi, does anyone know where I can turn off the old M365 Defender incident email notifications? A while back I set up alerting for High incidents using this, but I cannot find that same notification rule anymore to remove it. I have checked the Defender XDR Email notifications view, but the old rule from M365 doesn't exist there. And I know it exists, because my new email notification rule in Defender XDR is set to email me for Medium and High alerts, but for all High alerts I am getting duplicate notifications.
Tobias_Moe | Nov 04, 2024 | Copper Contributor | 1K Views | 0 likes | 4 Comments

Update OpenSSL recommendation
Hi all, I've been trying to find out how to deal with the "openssl" recommendation that I get on almost all end user computers in Defender. I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/DLLs?? See a few examples below:
c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll
How do you deal with it? Is that something that can be pushed via Intune?
sumo83 | Oct 28, 2024 | Iron Contributor | 29K Views | 1 like | 10 Comments

ASR Exclusions
Hi all, I've been experimenting with ASR exclusions at several clients with the same results...
1. Rules in Audit mode, exclusion added but file keeps coming back in report for all exclusions...
2. Using Get-MpPreference on the endpoint does not show any exclusion at all
Endpoints are W10/11 22H2
My questions are:
1. Do exclusions only get pushed to the endpoint in block mode?
2. Exclusions are being added to the ASR policy; do I need to set them some place else? GPO?
3. If I create an audit policy and a block policy with different group assignments, setting the same exclusions in both, and move the endpoint from the audit group to the block group, will this work? I've been told only one ASR policy can be in place, audit or block....
4. Per-rule exclusions, I've been told not to use... not working... is this true?
Thank you
Solved | Francois_Papillon | Oct 22, 2024 | Copper Contributor | 3.8K Views | 2 likes | 13 Comments

XDR Deception
Hey, I need some assistance with deploying an XDR deception rule. Here's the situation: I have created a deception rule with a specific tag, including 5 decoys and 2 lures. However, I'm encountering a problem with the deployment process. After 24 hours (deployment), I'm facing the following issues:
- The rule has been deployed to only one tagged host out of a total of 4 hosts.
- Only one decoy has been created out of the 5 decoys I configured.
I've tried looking into the settings and redoing everything from scratch, but the issues persist. Has anyone encountered a similar problem or have any insights on how to resolve this? Your assistance would be greatly appreciated! Thanks in advance!
ansboss | Oct 22, 2024 | Copper Contributor | 850 Views | 1 like | 6 Comments

Threat hunting help
I'm hoping someone can help me here. I'm using the below very common queries to find USB activity. It finds FileCreated, FileModified, FileRenamed and FileDeleted. What I don't seem to be able to find is file reads, i.e. someone double-clicks on a file on the USB and it opens, essentially reading the file from the USB. Anyone know how to find a file read from USB?

    let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
    let TimespanInSeconds = 900; // Period of time between device insertion and file copy
    // USB mass storage connections, one row per PnP connect event
    let Connections = DeviceEvents
    | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
    | extend parsed = parse_json(AdditionalFields)
    | project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
    | where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
    // File events on non-C: / non-UNC paths, joined to a USB connection on the same device within the window
    DeviceFileEvents
    | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
    | join kind=inner Connections on DeviceId
    | where datetime_diff('second', Timestamp, ConnectionTime) <= TimespanInSeconds

lfk73 | Oct 17, 2024 | Brass Contributor | 197 Views | 0 likes | 1 Comment