User Profile
zubairrahimsoc
Copper Contributor
Joined 5 years ago
Recent Discussions
Roles and Permissions menu is not showing in Microsoft Defender for Endpoint
Hi Community, we migrated a new customer from a non-Microsoft EDR to MDE. They have E5 Security licenses and some Microsoft Defender Premium licenses, but the Roles and Permissions and device group settings menu is not showing in the Microsoft 365 Defender portal. We have the Security Administrator role assigned in the customer tenant, as shown in the attached screenshot. Any suggestion?

Tenant AllowBlockList Manager is not mapped in new Microsoft 365 Defender RBAC model
After adopting the new M365D RBAC model, the analysts are unable to block the sender or a malicious domain, file or URL from the Explorer menu, because Microsoft has not mapped the Tenant AllowBlockList Manager role in the new M365D RBAC model. The roles that we were using for MDO in the legacy model are the Defender for Office (EOP) role groups. Below are the EOP role groups; each group contains different roles. These groups cover our legacy model roles.

Defender for Office (EOP) role group / role -> Microsoft 365 Defender RBAC permission

Security Reader / Security reader -> Security operations \ Security data \ Security data basics (read); Security operations \ Raw data (Email & collaboration) \ Email message headers (read); Security operations \ Security data \ Response (manage); Authorization and settings \ Security setting (read); Authorization and settings \ System setting (read)

View-Only DLP Compliance Management / Global reader -> Security operations \ Security data \ Security data basics (read); Security operations \ Raw data (Email & collaboration) \ Email message headers (read); Security operations \ Security data \ Response (manage); Authorization and settings \ Security setting (read); Authorization and settings \ System setting (read)

View-Only Device Management / View-Only IB Compliance Management / Security administrator -> Security operations \ Security data \ Security data basics (read); Security operations \ Security data \ Alerts (manage); Security operations \ Raw data (Email & collaboration) \ Email message headers (read); Security operations \ Security data \ Response (manage); Security operations \ Security data \ Email quarantine (manage); Authorization and settings \ Authorization (read); Authorization and settings \ Security setting (All permissions); Authorization and settings \ System setting (All permissions)

Tag Contributor / Organization Management -> Security operations \ Security data \ Security data basics (read); Security operations \ Security data \ Alerts (manage); Security operations \ Raw data (Email & collaboration) \ Email message headers (read); Security operations \ Security data \ Response (manage); Security operations \ Security data \ Email advanced actions (manage); Security operations \ Security data \ Email quarantine (manage); Authorization and settings \ Authorization (All permissions); Authorization and settings \ Security setting (All permissions); Authorization and settings \ System setting (All permissions)

View-Only Recipients -> Security operations \ Security data \ Security data basics (read); Security operations \ Raw data (Email & collaboration) \ Email message headers (read)

Preview / Preview -> Security operations \ Raw data (Email & collaboration) \ Email content (read)

Search And Purge / Search and Purge -> Security operations \ Security data \ Email advanced actions (manage)

View-Only Manage Alerts / View-Only Manage Alerts -> Security operations \ Security data \ Security data basics (read)

Manage Alerts / Manage Alerts -> Security operations \ Security data \ Security data basics (read); Security operations \ Security data \ Alerts (manage)

View-Only Audit Logs / View-only Audit Logs -> Security operations \ Security data \ Security data basics (read)

Audit Logs -> Security operations \ Security data \ Security data basics (read)

Quarantine / Quarantine -> Security operations \ Security data \ Email quarantine (manage)

Role Management -> Authorization and settings \ Authorization (All permissions)

Tenant AllowBlockList Manager / Security Operator -> Not mapped

B2B user with Security Admin cannot access Defender for Office 365 threat policies
To work on Microsoft 365 Defender we have set up MSSP access as defined in https://urldefense.com/v3/__https:/cloudpartners.transform.microsoft.com/download?assetname=assets*2FAzure-Sentinel-Technical-Playbook-for-MSSPs.pdf&download=1__;JQ!!MmCVSxch1b8!CPxLX1n66zkMX0vgsPaYFBOVOV1fintOwnE75uMduuyGwAKsKVhVF6PzCikW3CGqk5wNKAbWtPzpmNv2QcZzW8JuACRqOs0$. Now we noticed that with the guest users, which have activated the Security Administrator role via the access packages and PIM, we can't access the Threat Policies within the Microsoft 365 Defender tenant. We tested it on our lab tenant, and there the behavior is the same, but for member users the issue does not arise. Is this expected behavior? If so, is there another way that we can manage our client's threat policies without creating member users in their tenant? Is the limited support for guest users documented anywhere by Microsoft? It is stated in the docs that the sec admin has these permissions, but there is no mention anywhere that this would be limited for guest users. If anyone has more info on this issue, or even a better way of working, sharing it would be greatly appreciated.

Windows security events and agent configuration
When I select All events in the Security events data connector configuration, and in the Log Analytics workspace agent configuration setting I filter which Windows event logs are collected, then only those filtered event logs will be ingested into Log Analytics.

Detection capability of Azure Sentinel
There are some built-in Analytics rules based on data sources; beside that, how do you increase the detection capability of Azure Sentinel? What I want to know is: do you look at the latest IOCs and create custom rules, did you map Azure Sentinel to MITRE, and what are some good platforms where I can find threat detection queries/rules for Azure Sentinel? Thanks

Re: Delay in Azure Sentinel scheduled alerts
Yes, I already implemented the test and the rule is not missing the event, but there is a delay in triggering the alert: as you see in the above table, the log was ingested into Azure Sentinel at 11:16 PM and the alert was triggered at 12:23 AM, after 73 minutes, but as I said the query runs every 5 minutes and looks up the data of the last 5 minutes.

Delay in Azure Sentinel scheduled alerts
Hi Community, sometimes the alerts from the scheduled rules for Kaspersky are received with a long delay. The query runs every 5 minutes and looks up the data of the last 5 minutes, while the log is ingested into Azure Sentinel after 7 minutes. The rule is not missing the event but delays in alert triggering. A picture of the last 7 days of alerts about Kaspersky virus detection is attached.

Bruteforce Query
Is it the right query to know if someone is attempting a brute force with 5 failed login attempts?

SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventID == 4625                     // failed logon
| summarize FailedLogins = count() by Account, Computer   // count() takes no argument; the threshold goes in a where
| where FailedLogins >= 5
| sort by FailedLogins desc
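As an added example (not from the original post), the same detection logic in Python over constructed sample events, so the threshold and lookback can be checked offline: it counts EventID 4625 failed-logon events per (Account, Computer) inside the lookback window and keeps the pairs at or above the threshold, which is what `summarize FailedLogins = count() by Account, Computer | where FailedLogins >= 5` does in KQL. Event shape, account names and the reference time NOW are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed reference time standing in for "now" in the KQL ago(1d) filter.
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, event_id, account, computer):
    """Build one constructed SecurityEvent-like row (not a real log)."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "EventID": event_id, "Account": account, "Computer": computer}


# Constructed sample events covering the cases the query must handle.
SAMPLE_EVENTS = (
    [_ev(10 + i, 4625, "CONTOSO\\alice", "WS01") for i in range(6)]          # 6 failures, in window
    + [_ev(30 + i, 4625, "CONTOSO\\bob", "WS02") for i in range(3)]          # 3 failures, below threshold
    + [_ev(3 * 24 * 60 + i, 4625, "CONTOSO\\carol", "WS03") for i in range(5)]  # 5 failures, 3 days ago
    + [_ev(5, 4624, "CONTOSO\\alice", "WS01")]                               # successful logon, ignored
)


def failed_logon_summary(events, now, lookback_days=1, threshold=5):
    """Mirror of the corrected KQL.

    Filters to EventID 4625 with TimeGenerated >= now - lookback (ago(1d)),
    counts rows per (Account, Computer) (summarize count() by ...),
    keeps pairs at or above the threshold (where FailedLogins >= 5)
    and returns (Account, Computer, FailedLogins) sorted descending.
    """
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter(
        (e["Account"], e["Computer"])
        for e in events
        if e["EventID"] == 4625 and e["TimeGenerated"] >= cutoff
    )
    return sorted(
        ((acct, comp, n) for (acct, comp), n in counts.items() if n >= threshold),
        key=lambda row: row[2],
        reverse=True,
    )


if __name__ == "__main__":
    for account, computer, n in failed_logon_summary(SAMPLE_EVENTS, NOW):
        print(f"{account} on {computer}: {n} failed logons in the last day")
```

Widening the lookback to 7 days brings carol's five failures back into the result, which shows why the window and the threshold have to be tuned together.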