User Profile
danny_grasso
Brass Contributor
Joined 7 years ago
Recent Discussions
Investigation Insights Workbook IP address Search
Is there a way to roll back to a previous version of the Investigation Insights workbook? The new workbook from the content hub no longer allows you to enter an IP address without selecting entities and then IP addresses from the entity list. This was really useful when wanting to just search on an IP address that was suspect and related IOCs, account sign-ins etc. Please provide suggestions for either rolling back the Investigation Insights workbook or other ways to achieve the same.

Investigation state Queued
I see a number of messages in our Defender XDR Incidents with a status of Queued. What does this status mean? This appears to only be related to Defender for Office 365 incidents, usually email reported as junk/phish/not junk etc. type of incidents. Regardless of whether I investigate or change the status of the incident, it remains in the Incidents list as queued. I cannot find clear documentation on what this state means or what action is required to resolve/close the incident. Can anyone shed any light on what the queued state means and how to resolve a queued incident?

Find OpenSSL affected files using advanced hunting
While it's possible to view an individual device's software inventory in Defender XDR, this becomes an inefficient way of identifying and addressing vulnerable applications that use OpenSSL components. I am trying to use advanced hunting to find when an OpenSSL vulnerability exists and when a weakness is present on devices and supply the affected files. So far my query looks like this but I cannot figure out how to get the Weaknesses where count is >=1.

    DeviceTvmSoftwareVulnerabilities
    | join kind=innerunique (DeviceTvmSoftwareEvidenceBeta) on DeviceId
    | where SoftwareVendor contains "openssl"

Create a device group based on system defined tag?
I am trying to create a device group for internet facing devices and there is already an internet facing system tag assigned to these devices. However, when I create a group trying to use the internet facing tag I get no members. If I manually assign a tag then the group populates. I'm trying to do this to create a notification for internet facing services that have a known vulnerability. Can anyone confirm whether this functionality is available?

Workbook formatting customization
Hi Azure Monitor Humans, I'm trying to find some information about advanced formatting in Azure Monitor (or any) workbooks. I'm getting a handle on grouping and visualizations but having problems with layout. I've looked at the Microsoft documentation, which is great to get started, but can't find any advanced formatting guides or help. An example image is attached. What I'd like to do is format the labels to be in line with the pie charts and also center the data in the query item. Can anyone point me at some guides that either show how to do this in the editor or sample Advanced Editor commands that are available for formatting? I want my workbooks to look awesome and right now they're not 😞 Thanks, Danny

Notify when new version of log analytics agent is available (Solved)
Hi Azure Monitor Humans, I'm wondering if there is a way to determine when the Log Analytics agent or Azure Monitor agent is below the current available version. I.e. if the current version of the Windows agent is 10.20.18018.0 but agent version 10.20.18053.0 is available to install from the Log Analytics workspace, is there a way to create a query to determine this? Is this something that could be added to the Insights workbook? Although ideally we would like to alert when agents are out of date. Thanks, Danny

Defender for Endpoint for macOS feedback
Hi MDE humans, Two points of feedback on MDE on macOS, which we are trialing internally. A client ran a full scan after being concerned about security on their macOS. The full scan scanned not only the root volume but also the Time Machine mount attached to the Mac. The issue was that the Time Machine device stored terabytes of data and took days to scan. The interesting behavior out of this is that while MDE detected adware within a DMG, I did not get an alert in M365 Defender until the scan had finished. So two requests:
1. Is there a way to limit scanning to not follow symlinks across the network, similar to how a full scan on Windows will do C: by default but not network attached drives?
2. Can we be notified through MDE when the threat is found in a full scan, not on completion of the scan?
Thanks, Danny

Enable or disable access to Teams PowerShell (Solved)
Looking for some guidance in limiting Teams remote PowerShell access. Is there a way to do this similarly to Exchange Online (Enable or disable access to Exchange Online PowerShell | Microsoft Docs)? Is this possible using Conditional Access policies just for the PowerShell modules rather than GUI/API access?

Auditing creation of PSTNGateway/SBC
We're looking to audit creation of Teams administrative functions in Azure and I've seen references to this info being available in Cloud App Security activity logs. Specifically I'm looking to audit deletion and creation events for PSTNGateway/SBC objects. We ran a test create and delete in our tenant and I can see the option in the MCAS activity log for activity type equals New-CSOnlinePSTNGateway, but this is not returning any results. Is this just an ingestion delay or do I need to enable an auditing setting somewhere else to be able to view/alert on this type of activity? Thanks, Danny

Removing a Defender for Endpoint workspace
Hi Humans, I'm trying to remember how to completely remove a Defender for Endpoint workspace (it's been a while). We're doing some trials and want to remove data and decommission the workspace entirely. We know how to off-board devices but need to ensure the workspace is cleaned up also. I thought in earlier revisions there was an option to delete the workspace but cannot find that now. Any ideas appreciated.