MDE
5 Topics

Can I check whether an IoC/hash is already monitored by MDE?
The list of IoCs is limited to 15k. I imagine some IoC entries from our "custom list" are already monitored by Microsoft/MDE. So, is there a way to check whether there is a detection rule for a specific IoC (hash)? This would save us some thousand entries and improve our monitoring coverage. Better to join forces than reinvent the wheel.

Where can I see the "detection build id/number"? (Solved)
Where can I see the "detection build id/number"? For example, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 it says: "Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments." I would like to know which version my customer has deployed.

Permission required to import to Indicators page? Error "Failed to Import Indicators"
Hello, do you need the permission "Manage security settings in Security Center" in order to import an xlsx to Indicators? The user is getting the error "Failed to import indicators. User is not exposed to all Indicator's machine groups. Contact your administrator for further information." The user is in a role. The role is set up with a group that has all the permissions except "Manage security settings in Security Center". The role also has access to the device groups that are set up. Create and manage roles for role-based access control | Microsoft Docs - the link above doesn't list "Indicators" in the permission options. Cannot find the answer based on Googling. Thanks!

Defender for Endpoint - Data Storage Location integrity question (GDPR/EU)
Hi, I have a question specific to Defender for Endpoint and its data storage within the EU and the information provided on Microsoft Docs. The English text states customer data in pseudonymized form may also be stored and processed in the US. "Data storage location: Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside." <https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide> OK, I get that. What I don't get is that on the corresponding Docs site in Swedish, the machine translation instead presents the word "anonymiserad", which in English is "anonymized", which is a completely different thing. Is this a bug? What is actually correct here and where can I find information about this? The following is the Swedish text, translated; link/source at the bottom: "Data storage location: Defender for Endpoint operates in Microsoft Azure datacenters in the EU, the United Kingdom or the US. Customer data collected by the service may be stored in: (a) the tenant's geo-location as identified during provisioning or (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation defined by the data storage rules of that other online service. Customer data in anonymized ("anonymiserad") form may also be stored in the central storage and processing systems in the US. Once configured, you cannot change the location where your data is stored. This is a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will be stored." <https://docs.microsoft.com/sv-se/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide>

Defender for Endpoint - EDR Block Mode
Hi all, is there any way to verify that MDE is in block mode on any given endpoint? Is there a PowerShell command or similar we can use to verify that EDR Block Mode is actually enabled, other than having it turned on in the Security Center's Advanced Features section? I have it turned on, yet I see some endpoints still showing security recommendations to turn it on. Freshly onboarded and latest version of Windows 10. Defender is in active mode. Any ideas? Thanks in advance.