User Profile
john66571
Iron Contributor
Joined Dec 05, 2022
User Widgets
Recent Discussions
Re: Lack of alerts in Sentinel
Probably resolved by now, but make sure in the XDR connector in sentinel that you have "import incidents" enabled. You dont really need to import deviceevents and all those from DFE, then you are paying double for that (as its free in XDR portal) - unless you really wanna build hunts and detections around it (you can use custom detection in XDR then).Re: MSSP Multi-Tenant Handling with Lighthouse and Defender XDR
This is an opinion of mine after working 10-15 years in the Security Operation side of EDR, XDR and IR. There is not a single scenario where you as a MSSP or partner will be looked upon with positive view if you want to call analytic rules, custom detections or similar logic as "IP's" and hide them from your customer. Specially not in the Microsoft echosystem. The value is not your custom detection, there are TONS of communities out there sharing those. Its understanding them and presenting that to the partner. You are both in it for the security. With that said, you have some solid questions, but analytic rules need to have custom lookups (you have to make them all custom to look in specific workspaces). the alerts/incident will only be listed under that workspace with that filter.[DevOps] dps.sentinel.azure.com no longer responds
Hello, Ive been using Repository connections in sentinel to a central DevOps for almost two years now. Today i got my first automated email on error for a webhook related to my last commit from the central repo to my Sentinel intances. Its a webhook that is automticly created in connections that are made the last year (the once from 2 years ago dont have this webhook automaticly created). The hook is found in devops -> service hooks -> webhooks "run state change" for each connected sentinel However, after todays run (which was successfull, all content deployed) this hook generates alerts. It says it cant reach: (EU in my case) eu.prod.dps.sentinel.azure.com full url: https://eu.prod.dps.sentinel.azure.com/webhooks/ado/workspaces/[REDACTED]/sourceControls/[REDACTED] So, what happened to this domain? why is it no longer responding and when was it going offline? I THINK this is the hook that sets the status under Sentinel -> Repositories in the GUI. this success status in screenshoot is from 2025/02/06, no new success has been registered in the receiving Sentinel instance. For the Sentinel that is 2 year old and dont have a hook in my DevOps that last deployment status says "Unknown" - so im fairly sure thats what the webhook is doing. So a second question would be, how can i set up a new webhook ? (it want ID and password of the "Azure Sentinel Content Deployment App" - i will never know that password....) so i cant manually add ieather (if the URL ever comes back online or if a new one exists?). please let me know.Update content package Metadata
Hello Sentinel community and Microsoft. Ive been working on a script where i use this command: https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-securityinsights-2024-09-01&tabs=HTTP Ive managed to successfully create everything from retrieving whats installed, uninstalling, reinstalling and lastly updating (updating needed to be "list, delete, install" however :'), there was no flag for "update available"). However, now to my issue. As this work like a charm through powershell, the metadata and hyperlinking is not being deployed - at all. So i have my 40 content packages successfully installed through the REST-api, but then i have to visit the content hub in sentinel in the GUI, filter for "installed" and mark them all, then press "install". When i do this the metadata and hyperlinking is created. (Its most noticeable that the analytic rules for the content hubs are not available under analytic rules -> Rule templates after installing through the rest api). But once you press install button in the GUI, they appear. So i looked in to the request that is made when pressing the button. It uses another API version, fine, i can add that to my script. But it also uses 2 variables that are not documented and encrypted-data. they are called c and t: Im also located in EU and it makes a request to SentinelUS. im OK with that, also as mentioned, another API version (2020-06-01) while the REST APi to install content packages above has 2024-09-01. NP. But i can not simulate this last request as the variables are encrypted and not available through the install rest api. They are also not possible to simulate. it ONLY works in the GUI when pressing install. Lastly i get another API version back when it successfully ran through install in GUI, so in total its 3 api versions. Here is my code snippet i tried (it is basically a mimic of the post request in the network tab of the browser then pressing "install" on the package in content hub, after i successfully installed it through the official rest api). function Refresh-WorkspaceMetadata { param ( [Parameter(Mandatory = $true)] [string]$SubscriptionId, [Parameter(Mandatory = $true)] [string]$ResourceGroup, [Parameter(Mandatory = $true)] [string]$WorkspaceName, [Parameter(Mandatory = $true)] [string]$AccessToken ) # Use the API version from the portal sample $apiVeri = "?api-version=" $RefreshapiVersion = "2020-06-01" # Build the batch endpoint URL with the query string on the batch URI $batchUri = "https://management.azure.com/\$batch$apiVeri$RefreshapiVersion" # Construct a relative URL for the workspace resource. # Append dummy t and c parameters to mimic the portal's request. $workspaceUrl = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName$apiVeri$RefreshapiVersion&t=123456789&c=dummy" # Create a batch payload with several GET requests $requests = @() for ($i = 0; $i -lt 5; $i++) { $requests += @{ httpMethod = "GET" name = [guid]::NewGuid().ToString() requestHeaderDetails = @{ commandName = "Microsoft_Azure_SentinelUS.ContenthubWorkspaceClient/get" } url = $workspaceUrl } } $body = @{ requests = $requests } | ConvertTo-Json -Depth 5 try { $response = Invoke-RestMethod -Uri $batchUri -Method Post -Headers @{ "Authorization" = "Bearer $AccessToken" "Content-Type" = "application/json" } -Body $body Write-Host "[+] Workspace metadata refresh triggered successfully." -ForegroundColor Green } catch { Write-Host "[!] Failed to trigger workspace metadata refresh. Error: $_" -ForegroundColor Red } } Refresh-WorkspaceMetadata -SubscriptionId $subscriptionId -ResourceGroup $resourceGroup -WorkspaceName $workspaceName -AccessToken $accessToken (note: i have variables higher up in my script for subscriptionid, resourcegroup, workspacename and token etc). Ive tried with and without mimicing the T and C variable. none works. So for me, currently, installing content hub packages for sentinel is always: Install through script to get all 40 packages Visit webpage, filter for 'Installed', mark them and press 'Install' You now have all metadata and hyperlinking available to you in your Sentinel (such as hunting rules, analytic rules, workbooks, playbooks -templates). Anyone else manage to get around this or is it "GUI" gated ? Greatly appreciated.Re: RSS feeds to security blogs?
For anyone ending up here, i had previously written a RSS aggregator that aggregates multiple RSS feeds into one using python and free github actions/workflow. I have now added the ability to aggregate HTML (urls) into one big RSS feed to (hopefully they will return here soon tho!). https://github.com/hitem/rss-aggregator Theoretically, you can set up a repo for each feed you want and then you have a rss feed for each blog again. But this is not the solution, this is a workaround :3 Default value is based on ingestion, ie: append_mode = false It runs every hour on github actions -> looks back 2 hours -> constructs the RSSfeed.xml -> ingestion in teams/slack/tasks runs every hour and post whats in the RSSfeed.xml. However, if you wish to have a history in the feed etc (to view it in rss viewers such as feedly), swap the append_mode = true. This is to make the feed suit your needs.RSS feeds to security blogs?
Hello, After the update of blogs here i no longer see any RSS feeds or links. Where can those RSS feed be found now? It was the only newsfeed where blogs could be aggregated. perhaps im just blind :) but i cant find the new RSS feeds. Thank you! Previously (before this weeks update) the links to those RSS feed was as follows: https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityandCompliance https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Identity https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=CoreInfrastructureandSecurityBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=AzureNetworkSecurityBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=IdentityStandards https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftThreatProtectionBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderCloudBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderATPBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderIoTBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderExternalAttackSurfaceMgmtBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Vulnerability-Management https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=DefenderThreatIntelligence https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSecurityExperts https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=Microsoft-Security-Baselines https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftSentinelBlog https://techcommunity.microsoft.com/gxcuf89792/rss/board?board.id=MicrosoftDefenderforOffice365BlogDefender for Servers (p1 and p2) - Policies? (gpo/intune)
Hello Microsoft and Community members! I have a very brief question after reading up on Defender for Servers (and Defender for Endpoint) learn pages after the vacations 🙂 (i notice they all had updates). However, there is still no information regarding Defender for Servers and how to manage the EDR system (policies in intunes, GPO or SCCM). If we enable the Defender for Servers in the Defender for Cloud plane, will all these policies (such as Antivirus, ASR and EDR) automatically be enabled? And if so, which ASR rules are in block mode, which are in audit mode - what server exclusions are on by default? (if any) etc etc. Intune policies for MDE dont have all settings for servers, so previously we have had to manage everything through MDE onboarding and GPO's for servers (and intune for desktops). But when setting up Defender for Servers there is not a single mention about any of these settings for the EDR/Antimalware agent (ASR, Antivirus etc etc - i belive there are many tenants that have simply just enabled Defender for Servers in Defender for Cloud and are missing out on everything ASR etc - or?). Thanks!Re: Entra ID Identity Protection - MFA registration policy
josequintino Thank you for a well informed and well structured response. Very much appreciated indeed! I have been (since yesterday) checking and testing the SSPR feature "require users to reconfirm their registered information" as a possible solution with a dynamic group that look for accounts that are 1 week of age or less. This means the dynamic group will only have new accounts and then require them to register security information (and put SSPR enabled to this specific dynamic group). However, my challenge then is to exclude group/service accounts as they should not be covered. We will see, ive also explored the option to only cover a specific app (and make an appregistration with a website or sharepoint site) that is covered with the MFA requierment through CA. But then again, if a new user is not visiting that app the on-boarding will not happen, then i could theoretically just advice them to register MFA methods under myaccount (aka.ms/mfasetup etc). Thank you, i have some thinkinering to do and we will see what solution (perhaps multiple) i have to use and consider. It is indeed a struggle when an internal network needs to be excluded from CA.Entra ID Identity Protection - MFA registration policy
Hello Everyone, Ive been reading up a lot on the possibility to enforce MFA registrations for users in different types of tenants. Until recently ive always used CA policies to enforce the MFA requirement and follow ring-based deployments. Then i had a few instances where i was able to use Entra ID Identity protection "MFA Registration Policy" and target each ring group instead. These has all been E5 tenants. However, now im encountering a tenant where i can not use CA rules to enforce (this specific network must be excluded) and not everyone has Entra ID P2 licenses covering all the users (so i can not use the Entra Identity Protection "MFA Registration Policy") - However, i would love to use the policy for the amount of users that has the License. So my question is, if i activate the "MFA Registration Policy" for "all users" - will it be smart enough to only target those with valid licenses or do i need to create dynamic groups to single out all the 5-6 different licenses types that includes the P2 ? The more i read on recent changes in both product pages, learn and elsewhere im unable to find if i can actually use "MFA Registration Policy" with or without licenses - so if anyone is able to point me in the right direction here i would be happy to. Much appreciated. edit: I also know about the SSPR and get the "combined registration", however, in this instance we are unable to use SSPR. (alltho, it seems i can target an empty group with SSPR, enable it, and have some sort enforcement this way, but it seems to "the wrong way"). What i wish to achieve is every new account should register for MFA in an environment where i can not cover "the office location" with a CA that enforce MFA. I can not use SSPR combined user registration and therefor im looking into Identity protection MFA registration Policy but unclear about license requirement.CA: Require compliant or hybrid Azure AD joined device
Hello Guys, I have been trying to wrap my head around this Conditional Access policy. I want a policy that is requiring Compliant or Hybrid-Joined device. My settings: Users: All users (excluded: guests and external consultants) Apps: All apps Grant: Compliant or Hybrid Joined device. At first i selected no conditions as i wanted to cover everything, but i notice that some of cloud-only accounts could no longer use PIM in Azure (unless they came from compliant device) - So i made a dynamic group that excludes all onmicrosofts accounts (my cloud only external admins, consultants). It seems to also work if i exclude "browser" in conditions. However, this got me thinking. Will i have to exclude perhaps 'intune enrollment' and any other applications? (intune enrollment as example as a device is not compliant until its enrolled, thus being blocked? Also, same goes for hybrid-joined which seems to take a while, but there is no app i can exclude for that). Basically, what im asking is if you have any experience in this CA rule and what apps you had to exclude to make it work. Is it something im obviously missing here? Thank you.Re: License delegation to Role Based groups
There is still no information on this. All my old groups remain with the delegated licenses (from December 2022). But no new groups can have it added to them. However, its not possible to create RBAC (resource) based PIM groups that are not role assignable - these can have the licenses attach to them - but that dosent solve the above issue we have with Azure AD roll assigned PIM groups.License delegation to Role Based groups
Hello good people! I have recently encountered an issue with delegating licenses to role based groups. It has worked for the duration of whole 2022. I have used this feature to cover my PIM/PAG groups with the correct licensing. Today when i was going to create these groups in a new tenant (which i do every month) i was unable to. Something must have changed recently and i can not find any information on it. Usually i had the "licensing" blade enabled under the group (i still do for regular groups). So instead i went into the specific licens in Azure AD and chosed "group assigned", there i could see my previous added role-based groups, but when i try to add a new one they are grayed out with "Role assignable groups are not allowed." on them. All i could find was an update to MicrosoftDOCS on github to get the documentation changed: https://github.com/MicrosoftDocs/azure-docs/pull/102870/commits/eab96510be5331bc665872e29c54a681c41137d3 (from 17 dec 2022) Do anyone have any additional information on what have changed, when and why? Im wondering how i should cover these groups now with the licensing. Maybe its now automatic? (All Role-based groups are automatically assigned P1 to members and if converted to PIM/PAG, it gets a P2 licenses for members?). Thank you!
