User Profile
mongie105
Copper Contributor
Joined Feb 27, 2020
Recent Discussions
Dealing with "Email reported by user as malware or phish"
We're working through automation of our Defender 365 incidents in Sentinel to try and reduce the operational load on our team. One of the most common incidents we receive is "Email reported by user as malware or phish". We were hoping to use the result of the automated investigation to determine whether the automated action should be approved, but I have no idea how to get the result of the automated investigation into a playbook. Does anyone have any suggestions? How do you deal with these types of incidents? Thanks!

5.4K Views | 1 Like | 1 Comment

Definitive guide for aligning ASR Rules with ActionTypes?
Hello,

We're currently auditing a bunch of ASR rules, and I'm trying to pull out data from advanced hunting so that I can see which rules are safe to enable. I was hoping someone might be able to help with aligning the ASR Rule Names with the ActionTypes used for hunting. I have found several, but there are a few I still haven't figured out.

What are the Audited/Blocked "ActionTypes" for the following rules?

Block executable content from email client and webmail
Block execution of potentially obfuscated scripts
Use advanced protection against ransomware
Block process creations originating from PSExec and WMI commands
Block Office communication application from creating child processes
Block Adobe Reader from creating child processes
Block persistence through WMI event subscription

The documentation points me to the Schema listing in the hunting console, but the only action type listed is AsrOfficeChildProcessAudited. It would be good if someone could add the rest into this list...

I have found the following ActionTypes by searching for "ASR*"; they all logically line up with their rules.

AsrExecutableOfficeContentAudited
AsrExecutableOfficeContentBlocked
AsrLsassCredentialTheftAudited
AsrLsassCredentialTheftBlocked
AsrOfficeChildProcessAudited
AsrOfficeChildProcessBlocked
AsrOfficeMacroWin32ApiCallsAudited
AsrOfficeMacroWin32ApiCallsBlocked
AsrOfficeProcessInjectionAudited
AsrOfficeProcessInjectionBlocked
AsrScriptExecutableDownloadAudited
AsrScriptExecutableDownloadBlocked
AsrUntrustedExecutableAudited
AsrUntrustedExecutableBlocked
AsrUntrustedUsbProcessAudited
AsrUntrustedUsbProcessBlocked

Thanks,
Alex

10K Views | 1 Like | 6 Comments

Confirmation of when Defender/Defender ATP deletes files
Hi All,

We're fairly new to Defender ATP, and one of the things that is particularly frustrating at the moment is that it is unclear from the securitycenter.microsoft.com portal when evidence in a particular alert or incident has been deleted, and when it has just been prevented from running. I know that in some cases the files are deleted, but there isn't any clear indication in the portal of when this happens. We get A LOT of unwanted software tickets, and it would be significantly easier to process incidents if we could easily see when offending files have been deleted, or when we need to do this ourselves. If this exists and I'm just missing it, I'd love to be pointed to where I can find this information.

Thanks,
Alex

782 Views | 1 Like | 0 Comments
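For the first discussion above ("Dealing with "Email reported by user as malware or phish""), here is an added advanced hunting (KQL) query that is not part of the post or any reply. It takes each alert with that title, pulls the reported message's NetworkMessageId from AlertEvidence, and joins the verdict Defender already recorded in EmailEvents plus any post-delivery remediation (ZAP or manual) from EmailPostDeliveryEvents, so a playbook that runs a query can see whether the message still sits in a mailbox with a threat verdict before deciding on the pending action. Table and column names are from the Defender XDR advanced hunting schema (the same tables are available in Sentinel through the Defender XDR connector); the exact strings assumed here are the alert title, the LatestDeliveryLocation values "Inbox/folder" and "Junk folder", and the ActionResult value "Success", all of which should be checked against your own tenant's data.

```kql
// Added example, not from the post. Resolve each user-reported phish/malware alert
// to the reported message and its current verdict and delivery state.
let lookback = 7d;
// Assumption: the alert title string matches the incident name quoted in the post.
let reportedAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Title == "Email reported by user as malware or phish"
    | project AlertId, AlertTime = Timestamp, Severity;
// The MailMessage evidence row carries the NetworkMessageId that keys the email tables.
let reportedMessages =
    reportedAlerts
    | join kind=inner (
        AlertEvidence
        | where Timestamp > ago(lookback)
        | where EntityType == "MailMessage" and isnotempty(NetworkMessageId)
        | project AlertId, NetworkMessageId, EmailSubject
      ) on AlertId
    | project-away AlertId1;
// Verdict at delivery time and the latest known delivery action/location per recipient.
let verdicts =
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              ThreatTypes, LatestDeliveryAction, LatestDeliveryLocation;
// Most recent post-delivery remediation (e.g. ZAP or manual action) per recipient copy.
let postDelivery =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, ActionType, ActionResult)
        by NetworkMessageId, RecipientEmailAddress
    | project NetworkMessageId, RecipientEmailAddress,
              PostDeliveryActionType = ActionType, PostDeliveryResult = ActionResult;
reportedMessages
| join kind=inner verdicts on NetworkMessageId
| join kind=leftouter postDelivery on NetworkMessageId, RecipientEmailAddress
// Assumption: these two location strings mean the copy is still reachable by the user.
| extend StillDelivered = LatestDeliveryLocation in ("Inbox/folder", "Junk folder")
| extend Verdict = iff(isempty(ThreatTypes), "NoThreatDetected", ThreatTypes)
// Flag copies that carry a threat verdict, are still delivered, and have no successful
// post-delivery remediation recorded; these are the ones a pending action still matters for.
| extend PendingActionStillNeeded =
    isnotempty(ThreatTypes) and StillDelivered and not(PostDeliveryResult =~ "Success")
| project AlertId, AlertTime, Severity, EmailSubject, SenderFromAddress, RecipientEmailAddress,
          Verdict, LatestDeliveryAction, LatestDeliveryLocation,
          PostDeliveryActionType, PostDeliveryResult, PendingActionStillNeeded
| order by AlertTime desc
```

This reports the verdict and remediation state Defender has already recorded for the message, which is usually what decides whether approving the pending action is safe; it does not return the automated investigation's own verdict that the post asks about, so treat it as the data a playbook can act on today rather than an answer to that part of the question.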
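For the second discussion above ("Definitive guide for aligning ASR Rules with ActionTypes?"), an added advanced hunting (KQL) query, not from the post or its replies, that does the "ASR*" search from the post in a single pass over DeviceEvents: it lists every ActionType starting with Asr, splits off the Audited/Blocked suffix, and counts events and devices per rule stem, so you can see which rules are still only auditing and roughly how noisy each would be if switched to block mode. The 30-day window and the sample-file column are choices made here, not anything the post specifies.

```kql
// Added example, not from the post. Enumerate ASR ActionTypes seen in DeviceEvents and
// split each into its rule stem plus Audited/Blocked mode, then count per rule.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "Asr"
// Every ASR ActionType in the post ends in Audited or Blocked; anything else is flagged.
| extend Mode = case(ActionType endswith "Audited", "Audited",
                     ActionType endswith "Blocked", "Blocked",
                     "Other")
// Strip the suffix so the audited and blocked variants of one rule group together.
| extend RuleActionType = replace_regex(ActionType, @"(Audited|Blocked)$", "")
| summarize Events = count(),
            Devices = dcount(DeviceId),
            Audited = countif(Mode == "Audited"),
            Blocked = countif(Mode == "Blocked"),
            ActionTypes = make_set(ActionType),
            // A few example file names per rule to judge whether hits are expected software.
            SampleFiles = make_set(FileName, 5)
    by RuleActionType
// Rules with many audited and no blocked events are the candidates still in audit mode.
| extend StillAuditOnly = Blocked == 0 and Audited > 0
| order by Audited desc
```

Run this before flipping a rule to block: a rule stem with a high Audited count spread across many devices and ordinary software in SampleFiles needs exclusions or a phased rollout first, while one with few audited hits on few devices is a cheap win.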