User Profile
cyb3rmik3
MVP
Joined 3 years ago
User Widgets
Recent Discussions
Re: how to disable Defender on Windows Server with tamper protection enabled
Hello siyuan_yin, I think MDE documentation is super clear with the issue you are facing. It seems you need to disable tamper protection temporarily and then make sure you edit the following registry key as described and then switch tamper protection back on. And yes, what you are facing is depicted here: If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: How to fetch dynamic tags in Defender for Endpoint (Machines API or KQL)?
Hello vinaygowlla, I built the following query which: allows you to choose the devices of your interest based on OSPlatform values allows you to set the threshold based on last seen for what you count as an active device builds a table where in each row's first column is the DeviceName and then following columns represent the tags (both Dynamic and Manual) each device in each row gets a "tick" emoji where the tag is present, this helps for readability in the results I hope this helps with your request. // Define which devices are of interest based on OSPlatform value let OS = dynamic(["Windows10","Windows11"]); // Set the threshold for what counts as an active device // Devices not seen in the last 7 days (or choose otherwise) will be excluded let ActiveThresholdDays = 7; DeviceInfo | where OSPlatform has_any (OS) | extend LastSeen = Timestamp // Normalize the dynamic and manual tags columns | extend DynamicTagsArray = iif(isnull(DeviceDynamicTags), dynamic([]), todynamic(DeviceDynamicTags)) | extend ManualTagsArray = iif(isnull(DeviceManualTags), dynamic([]), todynamic(DeviceManualTags)) // Combine both manual and dynamic tags into a single array per device | extend AllTags = array_concat(DynamicTagsArray, ManualTagsArray) // Exclude devices with no tags | where array_length(AllTags) > 0 | mv-expand Tag=AllTags | extend Tag = tostring(Tag) | extend DaysSinceLastSeen = datetime_diff("day", now(), LastSeen) | where DaysSinceLastSeen <= ActiveThresholdDays | summarize HasTag=any(true) by DeviceName, Tag // Replace the boolean flag (1) with an emoji for readability in the results // If the device has tag, mark with ✅, otherwise leave blank | extend HasTagMark = iif(HasTag == true, "✅", "") | evaluate pivot(Tag, any(HasTagMark), DeviceName) If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: can we disable Multi Stage grouping in Sentinel/ Defender
Hi dnivaraxTE, as of this moment, there is no way to deactivate or override Multi-Stage Incident Grouping (MSIG) in Defender XDR, the same implies in Microsoft Sentinel. Some alternatives: Work with SecurityAlert and AlertEvidence tables which will provide information on alerts rather than Incidents. You may create custom analytic rules within Sentinel, which would allow incorporating Defender alerts and would give full control of how you Incidents are created and grouped. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: Can I use Microsoft Defender for Endpoint for CIS benchmark assessment
Hello Huaye, If your servers are already on Azure Arc with MDC P2 enabled go through the Unified Security Operations portal, Endpoints > Vulnerability management > Baseline assessments > Profiles and here click Create. Here, you can choose the CIS version required. And following you can choose specific configurations and also specific devices groups per tags. Let me know if this helped. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: Microsoft Defender for cloud and XDR integration
Hi ALEMPR1, Have you gone through the recently updated documentation from Microsoft? Alerts and incidents in Microsoft Defender XDR for Microsoft Defender for Cloud - Microsoft Defender for Cloud | Microsoft Learn If you already have MDC enabled in your subscriptions, then I would suggest going through the RBAC model suggested in the documentation. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: Generic Logic App to ingest IOCs in text format
Hello HA13029, according to Microsoft (https://github.com/MicrosoftDocs/dataexplorer-docs/tree/main/data-explorer/kusto/query) Use the externaldata operator to retrieve small reference tables of up to 100 MB from an external storage artifact. Other than that, standard query limits (https://learn.microsoft.com/kusto/concepts/query-limits) apply to external data queries as well. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: How to get access to Move or Delete e-mail?
Hey Joseph_Moran Can you check the following setting as well? Are both options enabled? It's under Unified SecOps portal > Settings > Defender XDR > Permissions and roles. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: Generic Logic App to ingest IOCs in text format
Hey HA13029, I am not sure that a logic app would be enough for this kind of task, you might need indeed to use logic apps but you will need a storage to save the IoCs, probably an automation to clear out duplicates, then parse them and maybe using Graph API to upload them to ThreatIntelIndicators table. Why don't you try building analytics using KQL with relevant rules around them? There's plenty of threat intelligence feeds here: Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat Intel feeds that can be used without additional requirements. Contains multiple types such as IP, URL, CVE and Hash. and some KQL queries as examples on how to make use of them. You could then head to your Unified SecOps portal and build Analytics to detect for IoCs in your tables of interest (DeviceNetworkEvents etc) based on the intelligence feed. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: How to get access to Move or Delete e-mail?
Hello Joseph_Moran, make sure in the Unified Security Operations portal (or Defender XDR) you have properly setup your Unified RBAC permissions and roles for you and your team. In Security operations permissions, there is an option for Email & collaboration advanced actions which will allow you to soft or hard delete the suspicious emails. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: What URLs are allowed when a device is in isolation?
Hello HansDoerr & cyber-joe Unfortunately, everything outside Outlook, Teams and Skype for Business nothing else is allowed as a network connection including any custom rules. Relevant documentation: https://learn.microsoft.com/defender-endpoint/respond-machine-alerts#isolate-devices-from-the-network?wt.mc_id=MVP_376769 If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: Integration of Microsoft Defender into SIEM Open Source via Syslog
Hello ciberociber Unfortunately, syslog export is not supported out of the box for Defender XDR portal. The only way to achieve this is like this: First send your events to Event hub. Then, use Azure Functions to send you logs to your SIEM through syslog. For the second step, there is no documentation and you will probably need some customization, but I found something similar that might give you a taste (GitHub - miguelangelopereira/azuremonitor2syslog: Forward Azure monitor logs to syslog (via Event Hub)). Hope this helps. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: MS 365 Defender - What permissions are needed to move and delete emails in Explorer?
Layne123 hello, The following documentation includes all information you need to know about the Unified RBAC model in Defender XDR: Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn. Long story short, by allowing access to Exchange Online Permissions and MDI as in the screenshot you provided you allow taking actions like the one you requested in the first place. You should go ahead, and follow my first message to cover your requirement about Remediate malicious email delivered. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: MS 365 Defender - What permissions are needed to move and delete emails in Explorer?
Hi Layne123 , I think both resources might need some refreshing. Have you tried to create a custom role? Under System, choose Permissions > Create a custom role > Create a custom role > Add your role name and description > In Choose permissions choose Security operations > Select custom permissions and then make sure you choose Email & collaboration advanced actions (manage). Make sure you also allow Read-only to Alerts and any other permissions you might need. Email & collaboration advanced actions permissions should be enough to soft and hard delete messages. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a likeRe: MDE logs backup suggestions
Hi abon13, the only way to ingest to a log analytics workspace, is through Sentinel. Streaming API will get your logs to either a storage account, or event hub. If I have answered your question, please mark your post as Solved If you like my response, please consider giving it a like
