Automation
64 Topics

Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Resources for Automatic attack disruption
Hi all, because this topic is really HOT, I thought I am sharing a collection of resources with you.

Recordings:
Microsoft Secure (free registration required):
- How XDR defends against ransomware across the entire kill chain with Corina Feuerstein
- Ask the Experts: How XDR defends against ransomware across the entire kill chain
Ninja Show episode Attack disruption, with Hadar Feldman
Ignite announcement: What’s new in SIEM and XDR: Attack disruption and SOC empowerment - Events | Microsoft Learn

Blogs:
Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender
XDR attack disruption in action – Defending against a recent BEC attack

Documentation:
Configure automatic attack disruption capabilities in Microsoft 365 Defender | Microsoft Learn

What do you think about this new and exciting capability? Do you have any questions on how it works that we didn't refer to? If so feel free to start a conversation here! 🙂 Oh and if I missed another resource, let me know too!

Heike

Ninja Cat Giveaway: Episode 9 | Attack disruption
For this episode, your opportunity to win a plush ninja cat is the following – Explain what attack disruption means and one reason why it is critical to any organization. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

KQL Query to extract list of devices
Hi, I'm trying to automate some things on our environment and now I'm trying to extract a list of devices from our Defender environment, so then to make some comparisons over PowerShell. So my first query was simply:

DeviceInfo | project DeviceId, DeviceName, ClientVersion, OSPlatform, JoinType, AadDeviceId, OnboardingStatus, DeviceCategory, DeviceType, DeviceSubtype, Model, Vendor, OSDistribution, OSVersionInfo, SensorHealthState

Then I just saw that it returns several instances of the same "DeviceId", so as a next step I need to remove duplicates to get unique devices. But this is where something is not matching as it should. If I extract a list of devices just adding a | distinct DeviceId, I get a list of 3610 devices. If I go to the Defender portal, over Assets -> Devices, and on the "Computer & Mobile" tab I export that list I got 4358 devices, and all of them have unique DeviceId. So I'm not getting the differences in these numbers. Anyone know which query is behind the Devices view? So that way I could replicate it and try to understand what I'm missing here. Thanks

Defender Confirm User Compromised
Triggering the "Confirm User Compromised" selection on Defender XDR after an Alert and Investigation has limited guidance. Can someone help point me at the documentation of what is triggered, how can I change what is triggered, what automations can I link with that, and is that even possible? I would like to see an alert, review, and once the action is taken the user is notified, and the user's listed next in higher direct report, with the incident information and the ability to add important information. Reset password, force 2FA, log off of all open sessions, and any other remediations that could be added.

Action Center showing a lot of Failed status
So I have assumed responsibility of the MS 365 Defender security role. I was going through the Action Center history and found some alarming things. Almost all of the automated actions have failed for an unknown length of time. I have gone as far back as the past 30 days. Every automated email action has a Failed status when not specifically listing a status or entity in the 'Decision' or 'Decided by' columns. Of those that failed, I can click on them individually and choose 'Open in Explorer', and there I can then select all and go for the soft delete action. But that is getting tedious to have to do for every action; we are talking literally thousands. What is the cause of this and how do I fix it?

Ninja Cat Giveaway: Episode 6 | SaaS security posture management (SSPM)
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: Share with us the most valuable piece of information you gained from David's demo on SSPM! This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.