Microsoft Defender for Office 365
Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a Graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic.

Kristof

Tracking Sent Emails from a Shared Mailbox with Delegated Access
Here is a detailed post to the Microsoft help forum about tracking down who sent emails from a shared mailbox with delegated access and Send As rights:

Title: Tracking Sent Emails from a Shared Mailbox with Delegated Access

Dear Microsoft Community,

I'm reaching out for assistance with an issue I'm encountering regarding a shared mailbox in my organization. The shared mailbox has been configured with delegated access and "Send As" rights for certain users. However, I'm finding that emails are being sent from this shared mailbox, and I need to determine which user is responsible for those sent messages.

Here's some more context on the setup: We have a shared mailbox that multiple employees within my organization can access and send emails from using their individual user accounts. The shared mailbox has been granted "Delegate Access" and "Send As" rights to these authorized users. Whenever an email is sent from the shared mailbox, it appears to come from the shared mailbox address rather than the individual user's email address. I need to be able to track down and identify which user sent a specific email from the shared mailbox.

My main questions are:

1. How can I determine which user account was used to send a specific email from the shared mailbox?
2. Is there logging or audit functionality within Microsoft 365 that would allow me to see the user who sent an email from the shared mailbox?
3. Are there any third-party tools or add-ons that could provide this level of tracking and visibility for emails sent from a shared mailbox?

I'm hoping the Microsoft community can provide some guidance and recommendations on the best approach to resolve this issue. Being able to identify the user responsible for emails sent from the shared mailbox is crucial for maintaining security and accountability within our organization.

Thank you in advance for your assistance. I look forward to hearing back from the community.

Best regards,
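The check a practitioner would reach for on the question above is the mailbox audit trail rather than message headers: a "Send As" message carries only the shared mailbox's address in the headers, but the Exchange Online mailbox-audit record for the send names the delegate account that was logged on. The advanced hunting query below is an added example, not part of the original post; it assumes (none of this is stated on the page) that mailbox auditing is enabled for the shared mailbox, that the audit events arrive in the CloudAppEvents table with Application "Microsoft Exchange Online" and ActionType "SendAs" / "SendOnBehalf", that RawEventData holds the standard Exchange audit record (UserId = the account that performed the send, MailboxOwnerUPN = the mailbox it was sent from), and that the address shared@contoso.example is a placeholder.

```kql
// Added example, not from the original post.
// Attribute "Send As" / "Send on Behalf" messages leaving a shared mailbox to the delegate
// who actually sent them, using the Exchange Online mailbox-audit events that Defender XDR
// exposes in the CloudAppEvents advanced hunting table.
// Assumptions (not stated on the page): mailbox auditing is enabled for the shared mailbox,
// the events arrive with Application == "Microsoft Exchange Online" and ActionType
// "SendAs" / "SendOnBehalf", and RawEventData holds the standard Exchange audit record
// (UserId = account that performed the send, MailboxOwnerUPN = mailbox it was sent from).
let sharedMailbox = "shared@contoso.example";   // placeholder; replace with the real shared mailbox address
let lookback = 30d;
CloudAppEvents
| where Timestamp > ago(lookback)
| where Application == "Microsoft Exchange Online"
| where ActionType in ("SendAs", "SendOnBehalf")
| extend Audit = parse_json(RawEventData)
| extend MailboxOwner = tostring(Audit.MailboxOwnerUPN),   // the shared mailbox the message left from
         ActualSender = tostring(Audit.UserId),            // the delegate who performed the send
         Subject      = tostring(Audit.Item.Subject),
         ClientApp    = tostring(Audit.ClientInfoString)   // Outlook, OWA, Graph app, etc.
| where MailboxOwner =~ sharedMailbox
// One row per sent message: who sent it, from which IP, with which client
| project Timestamp, ActionType, MailboxOwner, ActualSender, Subject, ClientApp,
          IPAddress, AccountDisplayName, ReportId
| order by Timestamp desc
```

To pin down one specific message, add a `| where Subject has "..."` filter before the `project`; to get the per-user picture instead, replace the `project` with `| summarize Sent = count(), Subjects = make_set(Subject, 20) by ActualSender`. Outside Defender, the same records are returned by the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog with -Operations SendAs,SendOnBehalf. Audit events are written asynchronously, so a message sent minutes ago may not be visible yet.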
XDR Unified RBAC deadline
Has Microsoft set a date for when the Unified RBAC permission model will become mandatory? All the documents I've read indicate that it's voluntary right now. Eventually it will become the default.

Permissions Management: Defender XDR's RBAC Walkthrough for Microsoft Defender for Office 365 | Microsoft Community Hub

Chuck

Defender XDR - how to grant "undo action" Permissions on File Quarantine?
Dear Defender XDR Community,

I have a question regarding the permissions to "undo action" on a file quarantine action in the action center.

We have six locations, and each location manages their own devices. We have created six device groups so that accounts from Location 1 can only manage/see devices from Location 1 as well. Then we created a custom "Microsoft Defender XDR" role with the following permissions. This way the admins from Location 1 can manage all Defender for Endpoint devices / incidents / recommendations etc. without touching devices they aren't managing. Very cool actually!

BUT - if a file gets quarantined, it might need to be released again because of a false positive etc. I can do that as a global admin, but not as an admin with granularly assigned rights - the option just isn't there. I don't want to give those admins a more privileged role because of - you know - least privilege. But I don't have the option to allow "undo action" on file quarantine events, despite that being a critical feature for them to manage their own devices, and not me having to de-quarantine files I don't care about.

Any thoughts on how to give users this permission?

Advance Hunting - SCID
Hi,

Where can I find a reference sheet/document for the SCIDs used in the query below? I have searched pretty much everywhere but haven't been able to find anything on this. It would be great if someone can please direct me towards any info or anywhere I can find it. Cheers!

// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010",
                            "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
// Keep only the latest assessment of each configuration per device
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId, OSPlatform
// Map each SCID to a readable test name; anything else falls through to "N/A"
| extend Test = case(
        ConfigurationId == "scid-2000", "SensorEnabled",
        ConfigurationId == "scid-2001", "SensorDataCollection",
        ConfigurationId == "scid-2002", "ImpairedCommunications",
        ConfigurationId == "scid-2003", "TamperProtection",
        ConfigurationId == "scid-2010", "AntivirusEnabled",
        ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
        ConfigurationId == "scid-2012", "RealtimeProtection",
        ConfigurationId == "scid-91",   "BehaviorMonitoring",
        ConfigurationId == "scid-2013", "PUAProtection",
        ConfigurationId == "scid-2014", "AntivirusReporting",
        ConfigurationId == "scid-2016", "CloudProtection",
        "N/A"),
    // A check that does not apply to the device is reported as N/A rather than BAD
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Pivot to one row per device with one column per test
| extend packed = bag_pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName, OSPlatform
| evaluate bag_unpack(Tests)
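The reference the post above is looking for lives in advanced hunting itself: the DeviceTvmSecureConfigurationAssessmentKB table holds one row per ConfigurationId with its name, category and description, so the hard-coded case() mapping can be replaced by a join. The query below is an added example, not code from the original post; it keeps the post's SCID list and additionally reports how many devices fail each check, and it assumes (not stated on the page) that the KB table's column names used here (ConfigurationName, ConfigurationDescription, ConfigurationCategory, ConfigurationSubcategory, ConfigurationImpact) match the current schema.

```kql
// Added example, not from the original post.
// Resolve SCIDs to their names/descriptions via the knowledge-base table and report
// per-check compliance across devices, instead of hard-coding a case() mapping.
// Assumption (not stated on the page): the KB column names below match the current schema.
let scids = dynamic(["scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010",
                     "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016"]);
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in (scids)
// Latest assessment of each check per device, so repeated scans are not double counted
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, DeviceName, OSPlatform, ConfigurationId
| where IsApplicable == 1
// The KB table is the SCID reference sheet: one row per ConfigurationId
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationCategory,
              ConfigurationSubcategory, ConfigurationImpact, ConfigurationDescription
  ) on ConfigurationId
| summarize Devices = count(),
            NonCompliant = countif(IsCompliant == 0),
            NonCompliantDevices = make_set_if(DeviceName, IsCompliant == 0, 50)   // cap the list at 50 names
  by ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory,
     ConfigurationImpact, ConfigurationDescription
| extend NonCompliantPct = round(100.0 * NonCompliant / Devices, 1)
// Highest-impact, most widely failing checks first
| order by ConfigurationImpact desc, NonCompliantPct desc
```

Dropping the `where ConfigurationId in (scids)` line turns the same query into a full inventory of every configuration check the tenant is assessed against, which is the closest thing to a complete SCID reference sheet.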
Hello everyone,

When I use the 'Malware Attachment' option in the Microsoft Attack Simulator, I'm not seeing how many people have opened the attachment in the evaluation. We ran a test where I activated both the attachment and the macro, but unfortunately, for the past 2 days, it hasn't shown 'Attachment opened 1/2'... Then we tried the 'Link in Attachment' option, and it worked there. It's just not working with the malware attachment. Does anyone have an idea why?

Best regards!

MSFT 365 Defender - Email & Collaboration email preview not working
Just curious, why is the email preview under Email & Collaboration (Explorer) not working any more (All email)? It says "Message details couldn't be found. When a message is soft deleted or hard deleted by the user or the admin, its details no longer exist in the mailbox or server." Is there a setting or permission that changed? As a note, I am doing all this activity as a global admin.

Incidents from Custom Detection Rules never have Emails for Evidence
// Addresses and subjects to exclude from the detection
let ignoreAddresses = datatable(address:string) [@'email address removed for privacy reasons', @'email address removed for privacy reasons'];
let ignoreSpamSubjects = datatable(subject:string) [@'ignored subject 1', @'ignored subject 2'];
// Time range needs to be set in the UI dropdown in order for the LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
// Only messages claiming to come from one of our own accepted domains
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any ('URL detonation reputation', 'URL malicious reputation')
    and not (RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not (Subject has_any (ignoreSpamSubjects))
// Inbound mail must pass DMARC; intra-org mail is taken as-is
| where (parse_json(AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound') or (EmailDirection =~ 'Intra-org')
// Still sitting in Quarantine/Junk (not released) and verdict is Phish with Normal/High confidence
| where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not (LatestDeliveryAction =~ 'Quarantine release'))
    and parse_json(ConfidenceLevel).Phish in~ ('Normal', 'High')
// Attach the list of URLs seen in each message
| join kind=inner (
    EmailUrlInfo
    | summarize Urls = make_list(Url) by NetworkMessageId
  ) on NetworkMessageId

I've got the above query saved as a detection rule, which works fine except for one thing - the emails are never present in the Evidence tab of the generated incidents. Meanwhile the recipients show up in the Mailbox and User assets, as I'm using entity mapping to map the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about emails is that for actions to be possible on the emails in the query results, "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref) - which is being satisfied. The evidence available is the IP of the sender and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' recipient.

I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own accepted domains in the SenderFromAddress, which pass DMARC, but are in quarantine, detected as phish. The idea is to watch out for false positives due to URL detonation reputation, since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month.

Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.