Microsoft Defender for Cloud Apps
Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures

Hello, we are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR (MicrosoftThreatProtection) and Defender for Endpoint (MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistently. It seems to be a known issue, according to the following posts:

- https://github.com/Azure/SimuLand/issues/23
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212
- https://github.com/Azure/Azure-Sentinel/issues/5007

Next to this issue, I see almost no development on the data connectors API. Is there any news on how to enable data connectors in an automated way in the future, since it seems to be moving to Content Hub? It is hard to find any docs about how to deploy this, for example via Bicep!

Also I have a question regarding the 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via the GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph: how would this be made possible?
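For reference, this is an added Bicep example of how the two connectors named in the post are expressed as extension resources on the Sentinel workspace. It is not the poster's template and not Microsoft's reference code. It assumes an existing Log Analytics workspace that already has Microsoft Sentinel enabled, and the parameter names (workspaceName, tenantId) and the chosen API version are assumptions; check the API version against the current Microsoft.SecurityInsights reference before deploying.

```bicep
// Added example: Defender XDR and Defender for Endpoint data connectors for Microsoft Sentinel.
// Not from the original post. Assumes the workspace exists and Sentinel is already onboarded.

@description('Name of the existing Log Analytics workspace that Microsoft Sentinel runs on (assumed parameter name)')
param workspaceName string

@description('Entra ID tenant that owns the Defender XDR / Defender for Endpoint licences (assumed parameter name)')
param tenantId string = subscription().tenantId

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Defender XDR (MicrosoftThreatProtection): streams incidents into Sentinel.
// Data connectors are extension resources, so they are scoped to the workspace.
resource xdrConnector 'Microsoft.SecurityInsights/dataConnectors@2022-10-01-preview' = {
  name: guid(workspace.id, 'MicrosoftThreatProtection')
  scope: workspace
  kind: 'MicrosoftThreatProtection'
  properties: {
    tenantId: tenantId
    dataTypes: {
      incidents: {
        state: 'Enabled'
      }
    }
  }
}

// Defender for Endpoint (MicrosoftDefenderAdvancedThreatProtection): streams MDE alerts.
resource mdeConnector 'Microsoft.SecurityInsights/dataConnectors@2022-10-01-preview' = {
  name: guid(workspace.id, 'MicrosoftDefenderAdvancedThreatProtection')
  scope: workspace
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    tenantId: tenantId
    dataTypes: {
      alerts: {
        state: 'Enabled'
      }
    }
  }
  // Ordering only, so the two PUTs do not run in parallel; this does not
  // address the licence/consent errors the linked issues describe.
  dependsOn: [
    xdrConnector
  ]
}

output xdrConnectorId string = xdrConnector.id
output mdeConnectorId string = mdeConnector.id
```

Two caveats a practitioner would check before blaming the template: the identity running the deployment still has to hold the tenant role the connector requires (Microsoft documents Global Administrator or Security Administrator for the Defender XDR connector), and the tenant has to carry the relevant licences; Bicep does not bypass either prerequisite, which is what the "missing consent / invalid license" failures in the linked threads point at.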
Microsoft 365 Defender data connector and error ('AdvancedHunting-CloudAppEvents are not supported')

Hello, I have a client who has set up the Microsoft 365 Defender data connector, and on selecting the 'connect events' for Microsoft Defender for Cloud Apps and saving the configuration, the following error is generated. The exact error is: 'AdvancedHunting-CloudAppEvents are not supported'. I have not checked the configurations in the Microsoft 365 Defender portal under Cloud Apps yet, but has anyone come across this error, and is it likely to be related to a configuration issue?
Run Query and List Results operation

I am using the Run Query and List Results operation within Logic Apps to get an Incident Name. The issue I have is that it seems to be duplicating the results in the list, i.e. the Incident Name appears twice. Is there some setting I'm missing, or is there a concise way to strip the second value away?
Ticket Sync between Sentinel and Defender for Cloud Apps

Hello, I have Defender for Cloud Apps syncing with Sentinel to open incidents, but when I close incidents in Sentinel it doesn't close the Defender for Cloud Apps alerts. Is there any MSFT solution? I've already checked the official MSFT links and so far I haven't found anything related to what I want. Best regards
Feature Request: Entity Annotation

So I was investigating an incident where a user had signed in from a TOR exit node on an AAD Joined device. After investigating, I found that they had a commercial VPN, and its endpoints also served as exit nodes. So they weren't actually using TOR, but their traffic was coming from an exit node. The device is part of a group with more lax controls, so this is absolutely allowed (I can't really explain more; I would love to go to town with this stuff and remove it, but that isn't my call). So I was in a situation where I can't tune, because I need Defender device logs to see if it's the VPN (too high ingestion), and I can't just allow the IPs as they are TOR exit nodes.

Which gave me the idea of having annotations on the entities in UEBA. So in this case, I could say "known to use a VPN which also acts as TOR exit nodes, check source IP" or something similar. It saves having to create a separate knowledge base and keep it up to date with data from all security products. It would also be useful for users. I have a user who frequently mass deletes files at a certain time on a certain day, which triggers DLP rules. I could add the conditions of that behaviour as an annotation, rather than having to write a crazy analytics rule which has to check the day and time, user and SharePoint site, plus other exclusions. Something like the comments thread on incidents would suffice.
Defender Sentinel Sync

The status of an incident in Sentinel does not sync with Microsoft 365 Defender (alert product name: Microsoft Cloud App Security) when the incident is closed. Has anyone else encountered this issue? I expected Microsoft 365 Defender and Sentinel to sync incidents on status, owner, and closing reason bi-directionally. Thanks
Azure Sentinel Side by Side with QRadar

Hi, quick question: in the "Event Filter" on QRadar we add vendorInformation/provider eq 'Azure Sentinel' to get Sentinel events, but is it possible to include other Azure instances such as Cloud App, Identity, etc.? I mean, something like: provider eq 'Azure Sentinel, MCAS, IPS'. Thank you
What's new: Closer integration between Microsoft Sentinel and Microsoft 365 Defender

Over a year ago, we first announced the integration between Microsoft Sentinel and Microsoft 365 Defender as part of the Microsoft SIEM and XDR story, combining the breadth of a SIEM with the depth of XDR to give security professionals the integrated toolset they need to fight against attacks that take advantage of today's diverse, distributed, and complex environments. Today, we are happy to share several new preview updates
False positive alert of defense evasion behavior was blocked on one endpoint

I am receiving a lot of alerts from Defender saying defense evasion was blocked on one endpoint. Normally when outlook.exe interacts with a .JPG file and is followed by rundll32.exe used by photoviewer.dll, it triggers this alert. Has anyone experienced something similar?