Microsoft Defender for Endpoint
655 TopicsWhitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions or the node machine he uses to initiate connections? So that it no longer generates or the incidents linked to these activities are automatically resolved. Thank you for your help. HKN3Views0likes0CommentsBlocking domain for group of users/or devices
Hi all, I am trying to find a way to block youtube for a group of users. We are using M365 E5 Security so can use Defender for endpoint or Defender for cloud apps. However, cant find a way to implement this. My idea was to create an INDICATOR in Endpoint that will be blocked, however I cannot select any group and "all devices" are included there in default. So not sure if this is a way. Neither Web Content Filtering cannot be used for my scenario Another idea was to use Defender for cloud apps. This looks promising but I am not sure how to target only specific users or devices? I managed to mark an app as "unsanctioned" but it applies for all devices. Any idea ? Thank you.20Views0likes0CommentsNo automatic MDE.Windows installation anymore
We have an Azure subscription to which our on-premises servers are connected via Azure Arc. Actually, only Microsoft Defender for Servers Plan 1 should be used. However, ‘Plan 2’ is billed in the cost analyses, which leads to significantly higher costs than planned. I´ve fixed it but it lead to the Problem of not installing MDE.Windows anymore. The servers are connected to Azure by executing a script, after which some plugins are installed(MDE.Windows, MicrosoftMonitoringAgent, and on some servers "WindowsPatchExtension"). In the environment management of Defender for Cloud we have explicitly selected plan 1, despite this plan 2 is activated for each server. There is no Log-Workspace. Here are the Policies, i think they go automaticly created by Azure. I´ve deleted "ASC provisioning LA agent Windows Arc" and the linux one because this is deploying the two Extensions "MicrosoftMonitoringAgent" and "WindowsPatchExtension", which activate Plan 2. After deleting those to Extensions i should not get billed as Plan 2 anymore. My Problem is now that i don´t have the policy to install the MDE Plugin anymore. How do i get this working again, i need to install only the MDE Plugin on the computers to ensure we only use Plan 1. No other extensions, no Log-Workspace... Appreciate the help.26Views0likes0CommentsAdvanced Hunting Data Schema
Hello everyone, I have a question regarding the use of schema for Advanced Hunting queries. We are an organization with several companies under our holding. I need to recover the USB connections on the machines but only for one company and not the others. I need to sort on Company Name for the user. But in the Advanced Hunting schema there are no fields to filter on this. I looked specifically in UserInfo and DeviceInfo. Here's the query I use to detect USBs. I need to filter by CompanyName to retrieve the list of devices or users for this company only. DeviceEvents | where ActionType == “PnpDeviceConnected” | extend parsed=parse_json(AdditionalFields) | project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName) | where ClassName == “DiskDrive” | summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName; Is there another solution ? Thanks in advance for your answers, HKNSolved132Views0likes8Comments"Duplicate" alerts in Defender for Cloud from MDE
Hello, I discovered that security alerts generated from Defender for Endpoint are causing "duplicate" security alerts in Defender for Cloud. We have several Azure Arc-enabled servers active with Defender for Server P1 which includes Defender for Endpoint integration. Hence Arc servers are automatically onboarded to Defender for Endpoint. We had a false positive caused by the addition of AV exclusions which generated an alert / incident in Defender XDR which was then synced to Sentinel. Closing the alerts in Defender XDR or Sentinel resulted in synced status between the two. However it seems the same alerts were also created in Defender for Cloud, and their status remained "open" even after being resolved in Defender XDR. The link in the open Defender for Cloud Alert effectively opens up the resolved alert in Defender XDR. So it seems to be the same alert but its status is not being synced. Is this a known issue?Monthly news - January 2025
Microsoft Defender XDR Monthly news January 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results. (Preview) You can nowuse the adx() operator to query tables stored in Azure Data Explorer. (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs. Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence andattack disruption by automatically neutralizing malicious activity at scale. You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here. (Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. New documentation library for Microsoft's unified security operations platform. Find centralized documentation aboutMicrosoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. SOC Optimization and Auxiliary Logs collaboration. We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs! Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. The following newprivacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added: Data security and retention in Microsoft Defender XDR Geographical availability and data residency in Microsoft Sentinel Ninja Show Episodes: Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure. Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Threat Analytics - New Tool profile: SectopRAT (You need access to the Defender portal to read this profile.) Microsoft Sentinel (Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs. Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Ninja Show Episode Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Experts for XDR Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support. Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Microsoft Defender for Identity New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the newPrevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Classification Description Locked Azure Kubernetes Service cluster This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. Premium tier Azure Kubernetes Service cluster This rule applies to premium tier Azure Kubernetes Service clusters. Azure Kubernetes Service cluster with multiple nodes This rule applies to Azure Kubernetes Service clusters with multiple nodes. Azure Arc Kubernetes cluster with multiple nodes This rule applies to Azure Arc clusters with multiple nodes. For more information, see,Predefined classifications Microsoft Defender for Office 365 Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services. Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent.Read this blog to learn more about it. Microsoft Defender for Endpoint Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version. Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs. Android low-touch onboarding is now General Available. Key benefits Faster setup on Android devices– Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint. Intuitive guidance- A clear and intuitive flow to guide users through each step. Broad coverage with support across multiple Android profiles– Android enterprise BYOD, COPE, and fully managed. Configuring low-touch onboarding Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. SeeAndroid low-touch onboarding. . Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.2.9KViews2likes2Comments