Microsoft Tech Community

XDR Deception

Hey,
I need some assistance with deploying an XDR deception rule. Here's the situation:

I have created a deception rule with a specific tag, including 5 decoys and 2 lures. However, I'm encountering a problem with the deployment process. After 24 hours (deployment), I'm facing the following issues:
- The rule has been deployed to only one tagged host out of a total of 4 hosts.
- Only one decoy has been created out of the 5 decoys I configured.


I've tried looking into the settings and redoing everything from scratch, but the issues persist.

Has anyone encountered a similar problem or have any insights on how to resolve this? Your assistance would be greatly appreciated!
Thanks in advance!

4 Replies

Hi @ansboss,

I experienced a similar situation, but it seemed to correct itself after another day. Can you confirm the lures landed in their expected locations?
TBH I could’ve done more to confirm whether it was an actual deployment issue or just a UI bug. I would give it another day, make sure those devices are on and checking in to Defender regularly.
Best,

Dylan

@DylanInfosec 

Hi,

I have used both {HOME}/ and C:\Users.

My fifth attempt to deploy is still in progress after over three days.

Any update from your side?

Thank you

Hey @ansboss,

I had success a few days later using {HOME}\ (ensure you use a backslash; I see you may have used a forward slash above).
I’m actually looking right now and can confirm I have a UI bug where my test rule says it’s still “In progress” and deployed to 0 devices. Yet I can confirm that the lures have all been set on my device. This is a “Basic” deception rule so I wonder if there’s an issue with the decoys being configured in the rule but not pushed down to the system as it’s not advanced.


You can check out the rule I created and the working paths I used for the rule on my blog, here (Attack the SOC). I will also put in a change request for the MS Docs to include an example of how to properly format the {HOME} variable, as I did the same thing you did.
- Dylan
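As an added example (not code from this thread, from Dylan's blog, or from Microsoft), here is a PowerShell check you could run on one of the tagged hosts to answer the question of whether the lures actually landed: it takes lure paths written in the rule's {HOME}\ syntax, flags the forward-slash mistake discussed above, expands {HOME} to each local user profile and reports which lure files exist. It assumes that {HOME} corresponds to the user's profile folder under C:\Users; the lure file names are constructed placeholders, not values from any real rule.

```powershell
# Added example: verify on a host whether deception-rule lures are present.
# Assumption: {HOME} is treated as the user's profile folder (e.g. C:\Users\alice).
param(
    # Constructed sample lure paths in rule syntax; replace with the paths from your own rule.
    [string[]]$LurePaths = @('{HOME}\Documents\passwords.txt', '{HOME}\Desktop\vpn-config.rdp'),
    [string]$ProfileRoot = 'C:\Users'
)

# The thread's gotcha: a forward slash after {HOME} instead of a backslash.
$badPaths = $LurePaths | Where-Object { $_ -match '^\{HOME\}/' }
if ($badPaths) {
    Write-Warning "Forward slash after {HOME} in: $($badPaths -join ', ')"
}

# Enumerate real user profiles; skip the built-in folders that never log in.
$profiles = Get-ChildItem -Path $ProfileRoot -Directory |
    Where-Object { $_.Name -notin @('Public', 'Default', 'Default User', 'All Users') }

$results = foreach ($profile in $profiles) {
    foreach ($lure in $LurePaths) {
        # Normalise slashes, then substitute {HOME} with this profile's folder
        # (string Replace, not -replace, so backslashes in the path are kept literal).
        $expanded = $lure.Replace('/', '\').Replace('{HOME}', $profile.FullName)
        [pscustomobject]@{
            User     = $profile.Name
            Lure     = $lure
            Expanded = $expanded
            Present  = Test-Path -LiteralPath $expanded -PathType Leaf
        }
    }
}

$results | Format-Table -AutoSize

# Summary for this host: lures found versus lures the rule should have placed.
$expected = $profiles.Count * $LurePaths.Count
$present  = @($results | Where-Object Present).Count
"Lures present: $present of $expected expected across $($profiles.Count) profile(s)"
```

Run it in an elevated session so that other users' profile folders are readable; a lure listed as missing on a host that the portal reports as deployed points at a real deployment gap rather than the UI lag described above.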

Hi @ansboss,

I wanted to check in and see how things have gone for you.
How’s it all looking?
- Dylan