Forum Discussion
XDR Deception
Hey,
I need some assistance with deploying an XDR deception rule. Here's the situation:
I have created a deception rule with a specific tag, including 5 decoys and 2 lures. However, I'm encountering a problem with the deployment process. After 24 hours (deployment), I'm facing the following issues:
- The rule has been deployed to only one tagged host out of a total of 4 hosts.
- Only one decoy has been created out of the 5 decoys I configured.
I've tried looking into the settings and redoing everything from scratch, but the issues persist.
Has anyone encountered a similar problem or have any insights on how to resolve this? Your assistance would be greatly appreciated!
Thanks in advance!
- DylanInfosec (Brass Contributor)
Hi ansboss,
I experienced a similar situation, but it seemed to correct itself after another day. Can you confirm the lures landed in their expected locations?
TBH I could’ve done more to confirm whether it was an actual deployment issue or just a UI bug. I would give it another day, make sure those devices are on and checking in to Defender regularly.
Best,
Dylan
- ansboss (Copper Contributor)
Hi,
I have used both {HOME}/ and C:\Users.
My fifth attempt to deploy is still in progress after over three days.
Any update from your side?
Thank you
- DylanInfosec (Brass Contributor)
Hey ansboss,
I had success a few days later using {HOME}\ . Ensure you use a backslash; I see you may have used a forward slash above.
I’m actually looking right now and can confirm I have a UI bug where my test rule says it’s still “In progress” and deployed to 0 devices. Yet I can confirm that the lures have all been set on my device. This is a “Basic” deception rule so I wonder if there’s an issue with the decoys being configured in the rule but not pushed down to the system as it’s not advanced.
You can check out the rule I created and the working paths I used for the rule on my blog, here (Attack the SOC). I will also put in a change request for the MS Docs to include an example of how to properly format the {HOME} variable, as I did the same thing you did.
- Dylan
- Fbacchin (Copper Contributor)
Check that your proxy isn't blocking your clients' communication with the Deception backend servers: automatedirstrprd*.blob.core.windows.net
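A defender-side check that ties together the two troubleshooting suggestions in this thread: confirming that lures actually landed in each user profile (Dylan's question), and confirming that the proxy lets the endpoint reach the deception backend (Fbacchin's point). This is an added example, not code from the thread or from DylanInfosec's blog. It assumes that {HOME}\ in a deception rule expands to each profile folder under C:\Users; the lure file name and the exact backend hostname under automatedirstrprd*.blob.core.windows.net are not stated in the thread, so they are taken as parameters with placeholder defaults.

```powershell
# Added example (not from the thread or from DylanInfosec's blog).
# Assumptions not stated in the thread:
#   - {HOME}\ in the rule maps to each profile folder under C:\Users
#   - the lure file name is supplied via -LureName
#   - the concrete backend hostname is supplied via -BackendHost
param(
    [Parameter(Mandatory)] [string] $LureName,
    [string] $BackendHost = 'REPLACE-WITH-ACTUAL-automatedirstrprd-HOSTNAME.blob.core.windows.net'
)

# 1) Did the lure land? Expand the {HOME}\ prefix for every real profile and
#    report presence and creation time, so a UI "In progress" can be cross-checked
#    against what is actually on disk.
$profiles = Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $_.Name -notin @('Public', 'Default', 'Default User', 'All Users') }

$lureReport = foreach ($p in $profiles) {
    $candidate = Join-Path -Path $p.FullName -ChildPath $LureName
    $present   = Test-Path -LiteralPath $candidate
    [pscustomobject]@{
        Profile = $p.Name
        Path    = $candidate
        Present = $present
        Created = if ($present) { (Get-Item -LiteralPath $candidate).CreationTime } else { $null }
    }
}
$lureReport | Format-Table -AutoSize

# 2) Can the sensor reach the deception backend? Show the system-wide WinHTTP
#    proxy, try a direct TCP/443 connection, then an HTTPS request that honours
#    the proxy. With a mandatory proxy the direct test is expected to fail, so
#    the HTTPS result is the one that matters.
netsh winhttp show proxy

$tcp = Test-NetConnection -ComputerName $BackendHost -Port 443 -WarningAction SilentlyContinue
'Direct TCP 443 to {0}: {1}' -f $BackendHost, $tcp.TcpTestSucceeded

try {
    $resp = Invoke-WebRequest -Uri "https://$BackendHost/" -Method Head -UseBasicParsing -TimeoutSec 15
    'HTTPS via proxy: reachable (HTTP {0})' -f $resp.StatusCode
} catch {
    # Any HTTP status from blob storage (even 4xx) proves the proxy passed the
    # TLS connection; a proxy block or DNS failure has no Response object.
    if ($_.Exception.Response) {
        'HTTPS via proxy: reachable (HTTP {0})' -f [int]$_.Exception.Response.StatusCode
    } else {
        'HTTPS via proxy: blocked or unresolvable ({0})' -f $_.Exception.Message
    }
}
```

Run it from an elevated PowerShell session on one of the tagged hosts (for example `.\Check-Deception.ps1 -LureName 'passwords.txt'`, using whatever lure name your rule actually creates). A lure present on disk while the portal still shows "In progress" supports the UI-bug explanation in this thread; a lure absent together with a blocked HTTPS result points at the proxy instead.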