Forum Discussion

ansboss
Copper Contributor
May 24, 2024

XDR Deception

Hey,

I need some assistance with deploying an XDR deception rule. Here's the situation:

I have created a deception rule with a specific tag, including 5 decoys and 2 lures. However, I'm encountering a problem with the deployment process. After 24 hours (deployment), I'm facing the following issues:

 

- The rule has been deployed to only one tagged host out of a total of 4 hosts.
- Only one decoy has been created out of the 5 decoys I configured.


I've tried looking into the settings and redoing everything from scratch, but the issues persist.

Has anyone encountered a similar problem or have any insights on how to resolve this? Your assistance would be greatly appreciated!

Thanks in advance!

  • DylanInfosec
    Brass Contributor

    Hi ansboss,

    I experienced a similar situation, but it seemed to correct itself after another day. Can you confirm the lures landed in their expected locations?

    TBH I could've done more to confirm whether it was an actual deployment issue or just a UI bug. I would give it another day, and make sure those devices are on and checking in to Defender regularly.

    Best,

    Dylan

    • ansboss
      Copper Contributor

      DylanInfosec

      Hi,

      I have used both {HOME}/ and C:\Users.

      My fifth attempt to deploy is still in progress after over three days.

      Any update from your side?

      Thank you

      • DylanInfosec
        Brass Contributor

        Hey ansboss,

        I had success a few days later using {HOME}\ (ensure you use a backslash; I see you may have used a forward slash above).

        I'm actually looking right now and can confirm I have a UI bug where my test rule says it's still "In progress" and deployed to 0 devices. Yet I can confirm that the lures have all been set on my device. This is a "Basic" deception rule, so I wonder if there's an issue with the decoys being configured in the rule but not pushed down to the system as it's not advanced.

        You can check out the rule I created and the working paths I used for the rule on my blog, here (Attack the SOC). I will also put in a change request for the MS Docs to include an example of how to properly format the {HOME} variable, as I did the same thing you did.

        - Dylan

    • AngMara
      Copper Contributor
      Running into a similar issue here. How did things turn out, ansboss?
  • Fbacchin
    Copper Contributor
    Check that your proxy isn't blocking your clients' communication with the Deception backend servers: automatedirstrprd*.blob.core.windows.net
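Added example, not from this thread, Microsoft, or any poster's blog: a PowerShell check run on one tagged host that covers the three things raised above (lure files present at their {HOME}\ paths, the Defender sensor checking in, and the proxy allowing traffic to the Deception backend). The lure file names and the backend hostname are constructed placeholders; substitute your rule's lure paths and the real hostname seen in your proxy logs.

```powershell
# Added example (not from this thread or Microsoft). Verifies on one host that a
# deception rule's lures landed and that the Deception backend is reachable.
# Assumptions: lure paths use the {HOME}\ form; lure names and the backend
# hostname are constructed placeholders for the pattern named in the thread.

$LureTemplates = @(
    '{HOME}\Documents\vpn-credentials.txt',   # constructed placeholder
    '{HOME}\Desktop\db-backup-notes.txt'      # constructed placeholder
)
$BackendHost = 'automatedirstrprd-PLACEHOLDER.blob.core.windows.net'  # from your proxy logs

function Expand-LurePath {
    param([string]$Template, [string]$ProfilePath)
    # {HOME} expands to a user profile; the separator after it must be a backslash.
    if ($Template -like '{HOME}/*') {
        Write-Warning "Forward slash after {HOME} in '$Template'; fix the rule before redeploying."
    }
    return $Template.Replace('{HOME}', $ProfilePath.TrimEnd('\'))
}

# 1. Look for the expected lure files in every real user profile.
$profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
    Where-Object { $_.Name -notin @('Public', 'Default', 'Default User', 'All Users') }
foreach ($p in $profiles) {
    foreach ($t in $LureTemplates) {
        $path  = Expand-LurePath -Template $t -ProfilePath $p.FullName
        $state = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING' }
        Write-Output ("{0,-8} {1}" -f $state, $path)
    }
}

# 2. The Defender for Endpoint sensor service is named 'Sense'; lures are only
#    placed on devices that are on and checking in.
Get-Service -Name Sense | Select-Object Name, Status

# 3. Reachability through the proxy. An HTTP error from blob storage still proves
#    the proxy let the connection through; a block or timeout gives no response.
netsh winhttp show proxy
try {
    Invoke-WebRequest -Uri "https://$BackendHost/" -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
    Write-Output 'Backend reachable: HTTP response received'
} catch {
    if ($_.Exception.Response) {
        Write-Output ("Backend reachable: HTTP {0}" -f [int]$_.Exception.Response.StatusCode)
    } else {
        Write-Warning "Backend NOT reachable: $($_.Exception.Message)"
    }
}
```

Run it in an elevated PowerShell session so that every profile directory is readable; a MISSING lure on a host that shows the sensor running and the backend reachable points at the rule itself rather than at the network.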
