Automation
63 Topics

Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in the Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a Graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. Kristof

Automating detection engineering for MS 365 Defender
I'm working at an MSSP managing multiple customers. We build a lot of custom detection rules in the MS 365 Defender portal of the customers. We have a library of standard custom detections we use for all our customers. However, it is very labor intensive to manage all those detections. I'm thinking of automating it so it is all manageable from one platform. But the MS documentation doesn't speak about API features to create, edit and remove custom detections in MS 365. Is there any way to automate this process?

Incidents from Custom Detection Rules never have Emails for Evidence
let ignoreAddresses = datatable(address:string) [@'email address removed for privacy reasons', @'email address removed for privacy reasons'];
let ignoreSpamSubjects = datatable(subject:string) [@'ignored subject 1', @'ignored subject 2'];
// Time range needs to be set in the UI dropdown in order for the LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any('URL detonation reputation', 'URL malicious reputation')
    and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not(Subject has_any (ignoreSpamSubjects))
| where (parse_json(AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound') or (EmailDirection =~ 'Intra-org')
| where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not(LatestDeliveryAction =~ 'Quarantine release'))
    and parse_json(ConfidenceLevel).Phish in~ ('Normal', 'High')
| join kind=inner (
    EmailUrlInfo
    | summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageId

I've got the above query saved as a detection rule, which works fine except for one thing - the emails are never present in the Evidence tab of the generated incidents. Meanwhile the Recipients show up in the Mailbox and User assets, as I'm using Entity mapping to map the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results - "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref) - which is being satisfied. The Evidence available is the IP of the sender, and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' Recipient.
I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC, but are in Quarantine, detected as Phish. The idea is to watch out for false positives due to URL detonation reputation, since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.

Defender Confirm User Compromised
Triggering the "Confirm User Compromised" selection on Defender XDR after an Alert and Investigation has limited guidance. Can someone help point me at the documentation of what is triggered, how I can change what is triggered, what automations I can link with that, and whether that is even possible? I would like to see an alert, review, and once the action is taken the user is notified, and the user's listed next-in-line direct report, with the incident information and the ability to add important information. Reset password, force 2FA, log off all open sessions, and any other remediations that could be added.

Defender - Export or capture certificate expiry data
Hi There, I am attempting to pull expired certificate information from Defender. My question is thus twofold: Is it possible to create an email or alert based on certificates due to expire in 30 days? Is it possible to call an API for Defender for Endpoint? Our current solution for alerts on expiring certificates in the domain is no longer sustainable and I am looking at redesigning the solution; however, before we can do a proper solution, we need to do something a little less manual and this will be our start.

Alert Rule: I can see that the certificate information is under the Inventories of the Vulnerabilities blade in Defender for Endpoint, which suggests that an expiring certificate should alert as a Vulnerability. Is this correct? If so, how would I go about creating an alert to identify this?

API or Information passing: Is it possible to use an API to call the information of certificates from Defender? Again I have looked and found nothing. If APIs aren't possible, I saw that I can ship the data to Event Hub, which would be useful, but again I need to know if the certificate information is captured and passed on if I do this. Does anyone have this information? Thanks,

Client Analyzer Page - Release notes
It would be helpful if the client analyzer page had release notes to go along with new version releases and updates, and also a subscription notification for when the page has been updated. (https://learn.microsoft.com/en-us/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) Currently the best guess is to check the last page edited date, but this has not been reliable in the past, as the page has been edited without Client Analyzer updates or the Client Analyzer has been updated without page edits.

Assigned to automation?
Hello, I have run into an issue with my Defender logs. Since March 13th I stopped seeing incidents being assigned to automation in my log management tool. We are using Splunk to get an overview of how many incidents the AIR is handling, but since March 13th it seems that incidents are no longer getting assigned to automation. In the picture below you can see that a high volume of incidents are getting "null" as the value of assigned to, which I believe to be what should have been assigned to "Automation". Is there anyone with similar issues or who knows what the reason could be?