Learning
46 TopicsIntune device compliance status not evaluated
Has anyone encountered devices taking absolutely forever to evaluate overall compliance after user enrollment ESP? (pre-provisioned devices). They just sit there in "not evaluated" and get blocked by CA policy. Most come good eventually, but some literally are taking employees offline for the whole day. These are all Win11 AAD-joined. Microsoft has only offered me the standard "may take up to 8 hours, goodbye" response but I am pulling my hair out trying to figure out if this is just an Intune thing, or is there a trick I am missing? Some of them take so long that I give up and swap out the device so they can start working. The individual policies are evaluating just fine, but the overall status is way behind. I'd even prefer them to be non-compliant because at least then the grace period would kick in. I have had very limited success with rebooting and kicking off all the syncs / check access buttons, but I have a feeling those buttons have just been a placebo. It happens very sporadically too on about half of devices the user doesn't even notice it's that quick. Thanks for any advice1.4KViews0likes4CommentsService account usage
've been ach is installed on 3 iut 4 DCs and a large percentage sked by a customer to try and identify service accounts operating in their ADDS environment. I have access to both MDI and MDE. Does anything in the Defender stack inventory the services on machines and retrieve which accounts are being used to launch them? I have a list of service accounts based on the clients naming convention but i strongly suspect that that list is incomplete. Any assistance or guidance would be greatly appreciated. I've spent this afternoon experimenting with KQL but not satisfied with th eoutcome.283Views0likes0CommentsDefender - Export or capture certificate expiry data
Hi There, I am attempting to pull expired certificate information from Defender. My question is thus two fold: Is it possible to create an email or alert based on certificates due to expire in 30 days. Is it possible to call an API for Defender for Endpoint? Our current solution for alerts on expiring certificates in the domain is no longer sustainable and I am looking at redesigning the solution, however, before we can do a proper solution, we need to do something a little less manual and this will be our start. Alert Rule I can see that the certificate information is under the Inventories of the Vulnerabilities blade in Defender Endpoint which suggests that an expiring certificate should alert as a Vulnerability. Is this correct, if so how would I go about creating an alert to identify this? API or Information passing Is it possible to use API to call the information of certificates from Defender, again I have looked and found nothing. If API's aren't possible I saw that I can ship the data to Event Hub which would be useful but again I need to know if the certificate information is captured and passed on if I do this. Does anyone have this information? Thanks,Solved368Views0likes1CommentDefender KQL query for Windows firewall status changes?
Hi all, I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert. So far, I have this: DeviceEvents | where Timestamp > ago(7d) | where ActionType == "FirewallServiceStopped" | sort by Timestamp However, I tested this by turning off the Windows firewall on a server and there was no alert, not even an obvious entry in the device timeline when I view all ActionTypes/events. What am I doing wrong? Or is there something I'm missing, like this ActionType doesn't do what I think it does, or these alerts go to Windows Event viewer, etc.?2.9KViews0likes4CommentsDeviceNetworkEvents does not refer to any known table.
When attempting to run an advanced hunting query, I'm receiving this error message at more than half of our clients. Most are on business premium licensing which includes Defender for Business. Does anyone have any information regarding this error? Is this a licensing issue or do we need to turn on more audit logs at the device level to include this table in queries?647Views0likes0CommentsE5 Developer license + Defender XDR
Like the title says, i got my self a developer account with E5 developer licenses and were wondering if there is any way to get something similar to Defender XDR? It seams i got access to the Security dashboard and got recommendations to get Microsoft Defender XDR, but i can't seam to activate it anywhere. I have a AD hybrid setup connected to asure with password hash sync and syncback enabled that does work (tested). and are now wondering if im eighlible to run XDR too with the current license? It keeps directing me to the Azure portal where im supposed to create a workspace within the Microsoft Sientel application. How ever i endup not having a subscription and i can't seam to activate the trial either. Any ideas if this is possible in some way? (Here to learn)446Views0likes0CommentsXDR Deception
Hey, so I am currently testing everything that has to do with deception. I can successfully deploy the lures to all my targeted machines. However for testing purposes I want to act as the "hacker". I can find a deceptive host in one of the system files, but I cant seem to find the deceptive usernames. Does anyone know where these deceptive usernames are located on the system? I tried looking in lsass dump, but nothing found here. Thanks in advance!840Views0likes1CommentAttack Simulation Examples
Hi, I was wondering if the attack simulation examples would be updated to include up to date examples and methods of attack like Quishing. Considering this is increasing in popularity, it would be extremely beneficial to educate employees on this.Solved2.7KViews1like6Comments