User Profile
AnalystGuy
Copper Contributor
Joined 5 years ago
Recent Discussions
Finding MCAS Policy Changes
Background: I've got these connectors to Sentinel working: Microsoft 365 Defender (Preview), Office 365. I want to alert on changes made to MCAS policies, which I would think would appear in the former. But I'm not seeing them. For example, I had an alert on the Remote Code Execution Attempt policy. It was legitimate activity, so I edited the policy to make an exception. I want to see an audit trail of that exception but I'm not finding it in Sentinel. Any ideas?
1.5K Views, 0 Likes, 1 Comment

Creating a detection rule for CloudAppEvents (#Solorigate)
In reading this excellent write-up from Microsoft threat analytics: https://securitycenter.windows.com/threatanalytics3/2b74f636-146e-48dd-94f6-5cb5132467ca/analystreport

It includes this threat hunting query for MS 365 to detect changes in domain federation trust settings:

let auditLookback = 1d;
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
| extend targetDetails = parse_json(ActivityObjects[1])
| extend targetDisplayName = targetDetails.Name
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent

But I can't create a detection rule for it. Even if you add "ReportID" to the last line, attempting to create a detection rule throws the error: "Can't save detection rule. Your query must return a column with impacted users, devices, or mailboxes." How can I create a detection rule based on this query so I can get alerts?
2.5K Views, 0 Likes, 0 Comments

Hunting for deletion events
I was reading about a ransomware strain that deletes any folder called "System Volume Information" in an effort to prevent recovery, so I went to set up a hunting query or detection for that event. I combed through the schema -- and a machine timeline after deleting some folders -- but I don't see a way to detect folder (or file) deletion events. Am I missing something?
3.5K Views, 0 Likes, 3 Comments

Detection for clearing the security log
In various publicly shared Defender ATP queries (like one in this Microsoft posting), detection looks for the act of clearing the security event log this way:

DeviceAlertEvents
// Attempts to clear security event logs.
| where Title in("Event log was cleared", <this is just an excerpt so ignore the lack of closure here>

But based on my testing, the act of clearing the security log does not generate something classified under "DeviceAlertEvents". Instead, I had to use DeviceEvents and filter for the ActionType "securitylogcleared". While I'm glad that I could figure this out and create my own detection, I'm wondering: Was there a schema change I missed? Or something I didn't configure correctly? I'm just concerned that a lot of community shared detections are not written properly, and some I've already implemented I need to go back and update.

Edited to add: So using DeviceEvents worked for one machine (Windows 10, Build 19041.572), but did not for another -- even after bringing it to the same build level. We clear the security event log, but it's not showing up in the timeline *at all*. I can see the mmc being loaded and I even see the screenshot of the event log -- but no event in the timeline for clearing it. What's driving this??
4.5K Views, 0 Likes, 0 Comments

What is the Defender ATP equivalent to "gpupdate /force" (force an update of policies on a host)
Hi there, When troubleshooting, how does one tell Windows "Go check with Defender ATP headquarters and update your policy right now"? I'm looking for the equivalent of gpupdate /force to force a refresh of group policy when on-prem, but for MDATP.

Update (sorry for not zeroing in on this): I'm thinking in terms of indicators - e.g. if I go into Settings, add a File indicator, and set it to Alert and Block. I would hope that this isn't driven solely by the logs on the back-end because the block would come in awfully late. TIA!
27K Views, 1 Like, 7 Comments

Indicator set to block, but I'm still prompted for approval
Yesterday I added a malicious file indicator and set it to Alert and Block (side note: Block only would be great to have). This morning another user in my environment came across the file, but it did NOT quarantine the file -- I had to approve it. How can I have an indicator automatically quarantined? I created the indicator because I know it's evil. I'm thinking/hoping that this isn't related to the remediation level setting - because the choices there are more broad and don't speak to indicators. Thank you so much for help in advance!
722 Views, 1 Like, 0 Comments

Attack Simulator stopped retaining images
Hello, An issue has arisen this month where if I paste an image into a phishing template, then finish the template and re-open it -- the image is gone. I've verified that this isn't only happening to me, but it's been persisting for a couple of weeks and I've held off on doing a phish attack in the hopes that it would be resolved. Any word from Microsoft? Thanks!
1.4K Views, 0 Likes, 1 Comment

Hunting queries for creation of a service
I'd like to create a query to review creation of new services so as to find unique ones in my environment, but I'm not finding a way to do it. Ideally I'd also like to automatically provide some analysis on any binaries launched by those services (e.g. prevalence information in the wild and VT score) - could someone point me in the right direction?
1.3K Views, 0 Likes, 1 Comment

Re: Getting Office 365 Security Events and Incidents in Sentinel
Thijs Lecomte Say you do this: go to security.microsoft.com/advanced-hunting. You create a query and then "Create detection rule". Now you've got a Custom Detection; how do you set a notification policy for it? Within the detection you can configure actions, but email notifications/alerts isn't one of them. I ended up giving up and, based on feedback I've seen from a couple of sources, moved my custom detection rules from Office 365 back to ATP. What I really wanted was to feed it all to Azure Sentinel, but the best combination of flexibility and alerting seems to be at the ATP level.
2.7K Views, 0 Likes, 2 Comments

Re: Getting Office 365 Security Events and Incidents in Sentinel
Thijs Lecomte How do I configure a policy to enable alerts for custom detections? The category and "Activity is" selectors in the alert policy wizard do not seem to provide a means to set up alerts for Office 365 custom detections. I'm about ready to just move my custom detections back to the ATP level (if anybody knows of an automated way to do that let me know!).
2.7K Views, 0 Likes, 4 Comments

Getting Office 365 Security Events and Incidents in Sentinel
I've created a custom detection in Office 365's security portal that generated an incident, but that incident is not showing up in Azure Sentinel. I've done queries in Sentinel via the following log types to no avail:

OfficeActivity (plenty of Office 365 activity shows up here, but not security incidents like the one in question)
SecurityAlert (Defender ATP alerts DO show up, but not Office 365 alerts or incidents)
SecurityDetection
SecurityEvent (no data of this type at all)

Where do I need to look, or how do I start feeding O365 security events into Sentinel? If it's not yet possible, my secondary question is how can I get email notifications based on custom detections at the Office 365 Security level? I get wonderful notifications from Defender ATP, and I followed Microsoft's breadcrumbs to creating detections in O365 but can't construct a notification policy based on them. Thanks in advance for any assistance! Be safe...
2.8K Views, 0 Likes, 6 Comments