Event details

During Microsoft Secure you learned about the latest innovations around Microsoft's SIEM and XDR solution. Join this Ask Microsoft Anything (AMA) session to get your questions about Microsoft Sentinel and Microsoft 365 Defender answered by our product experts!

This session is part of the Microsoft Secure Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.


Trevor_Rusher
Updated Dec 27, 2024

80 Comments

  • Welcome! Please have your questions ready. Our speakers and subject matter experts are here and ready to answer them!
  • Sean Kuchle
    Brass Contributor
    I've got new servers with Server 2022. I've got Azure Arc set up and they are receiving all security logs through Windows Security Events via AMA. I would also like to send the Sysmon logs to Sentinel. I've done this in the past using the legacy agent and it seems like the logs end up in the Log Management Event table. For the new servers I added a rule to the Windows Security Events via AMA connector to collect "Microsoft-Windows-Sysmon/Operational!*". This seems to pull in the events, but they are going to the Sentinel SecurityEvent table. This is throwing off all the parsers, as they are looking in the Event table. I've tried changing the resource group on the rule to Sentinel and "LogAnalyticsDefaultResources", but it does not seem to make a difference. (Does this matter for anything?) My question is: am I setting up the Sysmon collection correctly? And if I am, how do I get the logs to the Event table so the parsers work correctly?
    • Sreedhar_Ande
      Microsoft
      To collect "Microsoft-Windows-Sysmon/Operational!*" to Logmanagement Events table, you can create a data collection rule (DCR) and associate it with the virtual machine.
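      An added example (not part of Sreedhar's reply) of the DCR he describes: the Sentinel connector's rule is built on the Microsoft-SecurityEvent stream, which always writes to SecurityEvent, so the Sysmon channel gets its own rule on the Microsoft-Event stream, which writes to Event where the parsers look. The rule name, resource group, workspace and Arc machine IDs are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a DCR that routes the Sysmon channel to
# the Event table. Stream Microsoft-Event -> Event; Microsoft-SecurityEvent
# (what the Sentinel connector uses) -> SecurityEvent, whatever the XPath says.
set -euo pipefail

# Render an ARM template containing the DCR. Argument: workspace resource ID.
render_sysmon_dcr_template() {
  local workspace_id="$1"
  cat <<EOF
{
  "\$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Insights/dataCollectionRules",
    "apiVersion": "2022-06-01",
    "name": "dcr-sysmon-to-event",
    "location": "[resourceGroup().location]",
    "kind": "Windows",
    "properties": {
      "dataSources": { "windowsEventLogs": [{
        "name": "sysmonOperational",
        "streams": ["Microsoft-Event"],
        "xPathQueries": ["Microsoft-Windows-Sysmon/Operational!*"]
      }]},
      "destinations": { "logAnalytics": [{
        "name": "sentinelWorkspace",
        "workspaceResourceId": "${workspace_id}"
      }]},
      "dataFlows": [{ "streams": ["Microsoft-Event"], "destinations": ["sentinelWorkspace"] }]
    }
  }]
}
EOF
}

# Deploy the DCR and associate it with an Azure Arc machine (needs a logged-in
# az CLI). Arguments are assumed placeholders: resource group, workspace
# resource ID, Arc machine resource ID (Microsoft.HybridCompute/machines/...).
deploy_sysmon_dcr() {
  local rg="$1" workspace_id="$2" arc_machine_id="$3" tmpl
  tmpl=$(mktemp)
  render_sysmon_dcr_template "$workspace_id" > "$tmpl"
  az deployment group create -g "$rg" --template-file "$tmpl" -o none
  local dcr_id
  dcr_id=$(az monitor data-collection rule show -g "$rg" -n dcr-sysmon-to-event --query id -o tsv)
  az monitor data-collection rule association create \
    --name sysmon-to-event --rule-id "$dcr_id" --resource "$arc_machine_id"
  rm -f "$tmpl"
}
```

      Leave the connector's own DCR as it is for the Security channel and remove the Sysmon XPath from it, otherwise the same events keep landing in SecurityEvent as well.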
  • TobyMcG
    Copper Contributor
    Apologies for the lack of formatting. I promise I used spaces and paragraphs, but the text boxes here didn't appreciate that effort. Thanks for taking the time to read through my submissions below. One final point would be possible feature requests: better logging of Live Response activations and channel destruction in M365 Defender. I see there is "connect" logging now but no destruction logging yet. In the Windows event logging on the host, both AIR and Live Response use the same commands when launching SenseIR.exe with the argument "OnlineSenseIR" (as opposed to Threat Hunting, which uses "OfflineSenseIR"). Could AIR and LR be split out so that we can alert on the process argument to detect each individually? This includes SenseIR.exe "OnlineSenseIR" being used by Device Discovery. Thanks again everyone!
    • Ed Fisher
      Microsoft
      That's really a limit of this Q&A format. My apologies for not being able to fully address many of your questions below. Your account team and CSAM can help you to get more detailed answers to your questions (the answers to many of which will likely generate more questions....) so please do reach out to them for this. They can reach out to the PG for more detail if needed.
  • TobyMcG
    Copper Contributor
    Further to the Defender AV Sample Submission process, we understand that the M365 Defender AIR (Automated Investigations and Response) service can also request files be sent for analysis based on telemetry it has correlated. When AIR requests a file be sent for Sample Submission, what is the logical flow between AIR and Defender AV for requesting and sending the suspicious file to the blob, and getting a response back? I.e.: does Defender AV send the sample, get a response and then inform the AIR service? Alternatively, does AIR request that Defender AV send the file for analysis, but AIR receives the response directly from the blob before instructing Defender AV to allow or block the file? If AIR gets notified directly, how is this handled with the anonymisation process of submitted files in the previous question? Is there any documentation on the data destruction process for samples held in the blobs following the Sample Submission of Cloud Delivered Protection?
    • Ed Fisher
      Microsoft
      There is definitely too much in this series of questions to cover adequately in this asynchronous chat format. Please engage your account team who can better assist you.
  • TobyMcG
    Copper Contributor
    We've researched how Defender AV interacts with suspicious files, which includes the 'decision matrix' flowchart showing a file's metadata, and then the file itself, being sent to a blob store for review by AI/ML analysis. The following questions focus on further technical information around this Sample Submission process. When selecting Send Safe Samples Automatically: Is there an exhaustive list of what file types are sent to the cloud for review? Is there an exhaustive list of what file types a user will be prompted for approval to send? Or does Defender AV scan the file for possible PII and then prompt the user? In the event a user does not respond to a prompt, what happens? Noting that any files sent to the cloud for review are anonymised of company-related identifiers, can we identify: where does the anonymisation occur on data sent to the cloud for review; is this done by Defender AV on the tenant side or by a process in the cloud before analysis? Effectively, where is the table held for the company data <> hash conversion of the anonymisation? If anonymisation is done in the cloud, what security is there around protecting the pre-anonymisation data, the anonymisation process and the databases controlling the company data <> anonymised data link? This includes protection from MS employees. Can they freely see this data, or are there protections around account elevation to review this information? Also, if the anonymisation is done in the cloud, is there job segregation between those who work on the anonymisation process/data and those who monitor the blob store and AI/ML analysis of submitted samples? The attack story here is that an MS engineer could access the anonymised data conversion tables, then use these identifiers to search the submitted samples in the blob to identify and collect specific company-based files (that could contain company IP).
    Can we confirm that only automated systems analyse the files submitted to the blob store for Sample Submission? No engineers review this data, albeit in anonymised fashion, prior to the automated systems flagging malware? We assume a human engineer then reviews the sample when a malware detection is hit. When the engineer reviews the malware detection, do they see anonymised or deanonymised data? From the last few questions, we are looking to understand who in MS has access to our data, anonymised or not, during the sample submission process. What data is sent from the blob to Defender AV post sample submission? Is any other data sent beyond a block/no block decision post scanning? Can the Sample Submission Defender > Blob channel be reversed by an MS engineer or otherwise, to send arbitrary code or files down from the cloud to Defender AV and its host? How long are samples sent to the cloud retained for, and does this honour the data residency of our tenant? If Defender AV is set up on its own on a host and not connected to Azure, but Sample Submission is enabled, what residency rules does Defender AV use when sending samples to the blobs for analysis, and what retention rules does it use?
    • Ed Fisher
      Microsoft
      There is definitely too much in this series of questions to cover adequately in this asynchronous chat format. Please engage your account team who can better assist you.
      • TobyMcG
        Copper Contributor
        We have tried with no effect. We've gone through our provider and through our MS Account Manager, who cannot seem to get close enough to the MDE Product Team to get answers; which is why I have come here.
  • TobyMcG
    Copper Contributor
    When dealing with engineering and development of the M365 Defender Portal and associated products (MDE): Does Microsoft have separate Development, Test and Production environments for producing, testing and deploying new features or updates? Do they enforce secondary reviews before code pushes? Do any of the non-prod environments have a copy of production data, for the purpose of testing prior to deployment? Or are the datasets separated from each other (whereby prod data stays in prod, and test contains anonymised or fake data)?
    • Ed Fisher
      Microsoft
      Yes, with more environments than you have listed in that question. Yes, with more iterations than simply secondary. Production and test are fully separated.
  • TobyMcG
    Copper Contributor
    Looking at M365 Defender Portal specifically, would Microsoft ever take any action to change, update or modify the UAC on M365 Defender portal, or any settings in the portal, unilaterally? In the event a MS Engineer enters our tenant, for whatever reason: Do they have by default/can get Admin (Sec/Global level) permissions to our tenant, while working within it? Do MS Engineers have/can get access to the Live Response feature in M365 Defender? Would they use it in any case? If Microsoft Engineers can get access to/use Live Response – are there any additional features available to Microsoft Engineers beyond user accessible features when in Live Response?
    • Ed Fisher
      Microsoft
      In short, no. Again, please work with your account team to get into your specific situation.
  • TobyMcG
    Copper Contributor
    For when Microsoft Engineers access our tenant directly, both when they've been separately invited and when they haven't (for special troubleshooting, service restoration, etc.): Do we get alerted at any point in either event that an MS Engineer is currently in our tenant? We understand Lockbox is applicable to some services such as VMs, but does not cover all of Azure. We understand that when creating support tickets, we can opt out of having an Engineer enter our tenant for support. Does an option exist to stop engineers entering our tenant in all cases and not just support? This is beyond the scope of protecting "customer data" stored in any DBs or VMs, but covers all company data within the Azure tenant. We've read that Microsoft Engineers can enter our tenant for special troubleshooting reasons. Is all access, for any reason, restricted to an approved elevation of privilege? Does Microsoft have any written agreements detailing when this access will occur and after what checks?
    • Ed Fisher
      Microsoft
      This is much more complex than can be answered in this format. As I see in the below question that you have an NDA already in place, I expect that means you do have an Account Team who can discuss this with you. Customer data is yours, and Lockbox is an effective way to ensure that you are a part of the approval process for any access to your data. Access to the underlying SaaS infrastructures, which does NOT include any ability to see your data (blob, emails, docs in SharePoint, etc.) I may be reading between the lines here, but it sounds like you have some specific compliance or privacy concerns. While you can see what compliance standards we meet and which are audited in the Service Trust Portal (linked earlier) it does sound like an interactive discussion with your account team is the next best step, and can get you specific answers to your specific situation(s).
  • TobyMcG
    Copper Contributor
    I've read and heard that Microsoft employs strong security for customer tenant access by their engineers; when it comes to an MS engineer accessing an M365 Defender Portal: Am I able to get more information on how these processes look, or the general steps an engineer takes to gain access (even at a high level)? Such as a JIT access request (max 4 hours in the tenant, with a description of why they need access and whether there has been customer approval), secondary approval by an MS manager and post-action reviews by a colleague, or something similar? Are there scenarios where a solo engineer can gain limited access to a customer tenant? If this information is protected and requires an NDA, can I provide my business email, as we have a signed NDA with Microsoft?
    • Ed Fisher
      Microsoft
      Hi Toby, if you are working with a Microsoft Account Team, they can go into much more detail about this with you, but you can also start at https://learn.microsoft.com/en-us/microsoft-365/compliance/get-started-with-service-trust-portal?view=o365-worldwide to see how to access the Service Trust Portal, which has documentation on how the service is run, our commitments to our customers, audit results, and more. In short, there is NO standing access for anyone in Office 365, and there are procedures that protect customer data. Customer Lockbox can be used so that you can become part of the approval process before JIT is granted, if desired.
  • TobyMcG
    Copper Contributor
    Do we submit questions before the event here, or during the event?