Microsoft Defender for Office 365
363 TopicsInvestigation state Queued
I see a number of messages in our Defender XDR Incidents with a status of Queued. What does this status mean? This appears to only be related to Defender for Office 365 incidents, usually email reported as junk/phish/notjunk etc type of incidents. Regardless of whether I investigate or change the status of the incident, in remains in the Incidents list as queued. I cannot find clear documentation on what this state means or what action is required to resolve/close the incident. Can anyone shed any light on the what the queued state means and how to resolve a queued incident.1.4KViews0likes3CommentsMDO query of EmailEvents is not accepted in the flow which is why causing the badgateway error
When used the following MDO query of EmailEvents it is working in the Defender control panel but when applied through 'Advanced Hunting' action in Power automate application given bad gateway error. Is this query supported in this application?10Views0likes0CommentsMonthly news - January 2025
Microsoft Defender XDR Monthly news January 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from December 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel (Preview) The Link to incident feature in advanced hunting now allows linking of Microsoft Sentinel query results. (Preview) You can nowuse the adx() operator to query tables stored in Azure Data Explorer. (GA) In advanced hunting, you can now add your frequently used schema tables, functions, queries, and detection rules in the Favorites sections under each tab for quicker access. Learn more on our docs. Hyperscale ML threat intelligence for early detection & disruption. This blog talks about Threat Intelligence Tracking via Dynamic Networks (TITAN) - a groundbreaking approach that uses the power of machine learning to transform threat intelligence andattack disruption by automatically neutralizing malicious activity at scale. You can now view Microsoft Sentinel Workbooks directly from Unified SOC Operations Platform. Learn more about it here. (Preview) Recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. New documentation library for Microsoft's unified security operations platform. Find centralized documentation aboutMicrosoft's unified SecOps platform in the Microsoft Defender portal. Microsoft's unified SecOps platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, Microsoft Security Exposure Management, and generative AI into the Defender portal. Learn about the features and functionality available with Microsoft's unified SecOps platform, then start to plan your deployment. SOC Optimization and Auxiliary Logs collaboration. We’re excited to announce the release of our updated recommendation, which now incorporates Auxiliary Logs! Previously, our recommendation focused on identifying unused tables and suggesting users either increase their utilization or switch the tables’ commitment tier to Basic Logs. With this update, we now recommend eligible tables be moved to Auxiliary Logs. The following newprivacy documents for Microsoft Sentinel and Microsoft Defender XDR have been added: Data security and retention in Microsoft Defender XDR Geographical availability and data residency in Microsoft Sentinel Ninja Show Episodes: Attack Disruption: Live demo This episode features Threat Hunter and Microsoft MVP Mattias Borg as he explains the anatomy of an attack. Through a live demo of an attack in action, gain exclusive insights into what attackers do behind the scenes, the tools they use and how Microsoft Defender steps up to counter these threats, offering a robust defense to help keep your organization secure. Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Threat Analytics - New Tool profile: SectopRAT (You need access to the Defender portal to read this profile.) Microsoft Sentinel (Preview) New AWS WAF connector. Use the Amazon Web Services (AWS) S3-based Web Application Firewall (WAF) connector to ingest AWS WAF logs, collected in AWS S3 buckets, to Microsoft Sentinel. Learn more on our docs. Agentless deployment for SAP applications. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Ninja Show Episode Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT: Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Experts for XDR Defender Experts for XDR now offers scoped coverage for customers who wish to define a specific set of devices and/or users, based on geography, subsidiary, or function, for which they'd like Defender Experts to provide support. Experts on demand via Message Center. Select Ask Defender Experts directly inside the Microsoft 365 security portal to get swift and accurate responses to all your threat hunting questions. Experts can provide insight to better understand the complex threats your organization might face. Microsoft Defender for Identity New security posture assessment: Prevent Certificate Enrollment with arbitrary Application Policies (ESC15). Defender for Identity has added the newPrevent Certificate Enrollment with arbitrary Application Policies (ESC15) recommendation in Microsoft Secure Score. Learn more on our docs. Microsoft Security Exposure Management The following predefined classification rules were added to the critical assets list: Classification Description Locked Azure Kubernetes Service cluster This rule applies to Azure Kubernetes Service clusters that are safeguarded by a lock. Premium tier Azure Kubernetes Service cluster This rule applies to premium tier Azure Kubernetes Service clusters. Azure Kubernetes Service cluster with multiple nodes This rule applies to Azure Kubernetes Service clusters with multiple nodes. Azure Arc Kubernetes cluster with multiple nodes This rule applies to Azure Arc clusters with multiple nodes. For more information, see,Predefined classifications Microsoft Defender for Office 365 Considerations for integrating non-Microsoft security services with Microsoft 365: Considerations and recommendations for deploying a defense-in-depth email security strategy using third-party security services. Defender for Office 365 now detects BEC attacks using large language model (LLM)-based filters to analyze an email's language and infer intent.Read this blog to learn more about it. Microsoft Defender for Endpoint Defender for Endpoint on iOS now supports iOS/iPadOS 16.x as the minimum version. Defender for Endpoint is ending support for iOS/iPadOS 15 on January 31, 2025. Moving forward, only devices running iOS/iPadOS 16 and later are supported. Learn more on our docs. Android low-touch onboarding is now General Available. Key benefits Faster setup on Android devices– Simplified Android onboarding supports silent sign-on and autogranting of certain permissions on a user's device. As such, users are required to grant only the necessary permissions to onboard to Defender for Endpoint. Intuitive guidance- A clear and intuitive flow to guide users through each step. Broad coverage with support across multiple Android profiles– Android enterprise BYOD, COPE, and fully managed. Configuring low-touch onboarding Although low-touch onboarding is disabled by default, security administrators can enable it through app configuration policies in Intune. SeeAndroid low-touch onboarding. . Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights.2.9KViews2likes2CommentsWhere and how is AI used in Defender XDR?
Hi everyone, i was searching for an overview of where and AI is used in Defender XDR. Do you have a quick oversight of this? That would be great. Also how this data is used for training and decisions. I know it is used in Attack disruption and Copilot for Security ( ;) ) - but i need a complete list. BR Stephan30Views1like0CommentsMonitoring copied files on External drive - USB
Hello Guys, i struggle to find a way in Defender for EPP or other solutions to monitor when a user copied files on an external peripheral such as hard drive and USB. Some one have the procedure or documentation ? NOTE : Defender timeline could see when a user is plugging a USB stick. but that's... Thanks !Solved11KViews0likes2CommentsTracking Sent Emails from a Shared Mailbox with Delegated Access
Here is a detailed post to the Microsoft help forum about tracking down who sent emails from a shared mailbox with delegated access and send as rights: Title: Tracking Sent Emails from a Shared Mailbox with Delegated Access Dear Microsoft Community, I'm reaching out for assistance with an issue I'm encountering regarding a shared mailbox in my organization. The shared mailbox has been configured with delegated access and "Send As" rights for certain users. However, I'm finding that emails are being sent from this shared mailbox, and I need to determine which user is responsible for those sent messages. Here's some more context on the setup: We have a shared mailbox that multiple employees within my organization can access and send emails from using their individual user accounts. The shared mailbox has been granted "Delegate Access" and "Send As" rights to these authorized users. Whenever an email is sent from the shared mailbox, it appears to come from the shared mailbox address rather than the individual user's email address. I need to be able to track down and identify which user sent a specific email from the shared mailbox. My main questions are: How can I determine which user account was used to send a specific email from the shared mailbox? Is there logging or audit functionality within Microsoft 365 that would allow me to see the user who sent an email from the shared mailbox? Are there any third-party tools or add-ons that could provide this level of tracking and visibility for emails sent from a shared mailbox? I'm hoping the Microsoft community can provide some guidance and recommendations on the best approach to resolve this issue. Being able to identify the user responsible for emails sent from the shared mailbox is crucial for maintaining security and accountability within our organization. Thank you in advance for your assistance. I look forward to hearing back from the community. Best regards,Solved113Views0likes1CommentMonthly news - December 2024
Microsoft Defender XDR Monthly news December 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from November 2024. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel Ignite news: What's new in Microsoft Defender XDR? This blog summarizes Ignite news related to Defender XDR. Security Copilot: A game changer for modern SOC We have enhanced numerous features and introduced new skills that significantly improve the efficiency and effectiveness of SOC teams. (Preview)Attack pathsin the incident graph are now available in the Microsoft Defender portal. The attack story now includes potential attack paths that show the paths that attackers can potentially take after compromising a device. This feature helps you prioritize your response efforts. For more information, seeattack paths in the attack story. (Preview) Microsoft Defender XDR customers can now export incident data to PDF. Use the exported data to easily capture and share incident data to other stakeholders. For details, seeExport incident data to PDF. (GA) Thelast update timecolumn in theincident queue is now generally available. (Preview) Cloud-native investigation and response actions are now available for container-related alerts in the Microsoft Defender portal. Security operations center (SOC) analysts can now investigate and respond to container-related alerts in near real-time with cloud-native response actions and investigation logs to hunt for related activities. For more information, seeInvestigate and respond to container threats in the Microsoft Defender portal. (GA) Thearg()operator inadvanced huntingin Microsoft Defender portal is now generally available. Users can now use thearg() operator for Azure Resource Graph queries to search over Azure resources, and no longer need to go to Log Analytics in Microsoft Sentinel to use this operator if already in Microsoft Defender. (Preview) TheCloudProcessEvents table is now available for preview in advanced hunting. It contains information about process events in multicloud hosted environments. You can use it to discover threats that can be observed through process details, like malicious processes or command-line signatures. (Preview) Migrating custom detection queries toContinuous (near real-time or NRT) frequencyis now available for preview in advanced hunting. Using the Continuous (NRT) frequency increases your organization's ability to identify threats faster. It has minimal to no impact to your resource usage, and should thus be considered for any qualified custom detection rule in your organization. You can migrate compatible KQL queries by following the steps inContinuous (NRT) frequency. Ninja Show Episodes: Defender XDR’s Data Security Context with Insider Risk Management Join us as product experts Maayan Magenheim and Sravan Kumar Mera showcase the Public Preview of Microsoft Purview Insider Risk Management (IRM) integration into Defender XDR. Learn how Insider Risk and SOC analysts can now distinguish internal and external threats and gain critical insights, including exfiltration context and user activity tracking. Through a valuable demo, we explore the benefits for incident investigation, threat hunting, the correlation of IRM alerts with other DLP and identity protection alerts and more. Follow up LIVE AMA session Unlocking Advanced Cloud Detection & Response capabilities for containers Learn how the Microsoft Cloud Detection & Response solution empowers SOCs with faster, deeper investigations through near real-time detections, new cloud-native responses, and rich log collection. In this episode Product Managers Maayan Magenheim and Daniel Davrayev demo a real container related incident to show how these new capabilities enhance the entire incident response process, bridging knowledge gaps and proactively securing containerized workloads across multi-cloud environments. Microsoft Sentinel Microsoft Sentinel availability in Microsoft Defender portal! (Preview) Now Microsoft Sentinel is also available in the Defender portal even without Microsoft Defender XDR or a Microsoft 365 E5 license. For more information, see: Microsoft Sentinel in the Microsoft Defender portal Connect Microsoft Sentinel to the Microsoft Defender portal Upcoming Ninja Show Episode Dec 10, 9AM PT: Microsoft Sentinel Data tiering best practices In this episode product experts Yael Bergman and Maria de Sousa-Valadas introduce the powerful new Auxiliary Logs tier, now in Public Preview and explain how to use Summary rules to aggregate data from any log tier in Microsoft Sentinel and Log Analytics. Tune in to learn the full potential of these features, as well as practical tips and use cases to help you reduce ingestion costs and gain more insights from your verbose logs. Upcoming webinar Feb 20, 9AM PT:Mastering API Integration with Sentinel & Unified Security Platform Learn how to effectively integrate APIs with Sentinel and Unified Security Platform. This webinar will cover when to use APIs, how to set them up, potential challenges, and feature live demos to guide you through the process. Microsoft Defender Vulnerability Management Upcoming webinar Jan 14, 9AM PT: How to Get the Most Out of Microsoft Defender for Vulnerability Management Join us to learn about the Defender Vulnerability Management capabilities, business use cases and best practices to develop and implement posture & risk management in your organization. During this session, the engineering team will guide you through the recent released features and capabilities as well as product vision and roadmap. The deprecation process of the Windows authenticated scan will begin on November 2024 and concludes on November 30, 2025. For more information, seeWindows authenticated scan deprecation FAQs. We are aware of issues affecting data collection in several versions of CIS, STIG, and Microsoft benchmarks. We are actively working on a fix and will provide an update when the issue is resolved. For more information, seeKnown issues with data collection. Microsoft Defender for Identity Seamless protection for your on-prem identities with Defender for Identity. This blog summarizes various exciting announcements made at Ignite that simplify how customers deploy and manage their identity threat landscape: One platform, one agent:Streamline your deployment and protection with a single agent across endpoint, OT, identity, and DLP Easily manage your sensors via API:Automate deployment, configuration and monitoring of sensors in your environment Integrate Privileged Access Management solutions:Microsoft Entra Privileged Identity Management, BeyondTrust, CyberArk, and Delinea Ninja Show episode: Microsoft Defender for Identity for Entra Connect In this episode, product experts Lior Shapira and Ayala Ziv explain how Microsoft Defender for Identity sensor for Entra Connect servers enables comprehensive monitoring of synchronization activities between Entra Connect and Active Directory, providing critical insights into potential security threats. Tune in to explore the latest detections and posture recommendations for Entra Connect by learning the importance of protecting hybrid identities and exploring real-world scenarios. Microsoft Security Exposure Management Announcing the General Availability of Microsoft Security Exposure Management! We are excited to announce the general availability of Microsoft Security Exposure Management. This powerful tool helps organizations focus on their most critical exposures and act swiftly. We made enhancements to the Attack path Hybrid attack paths: On-Prem to Cloud DACL-based path analysis to learn more about those, please visit our documentation. External data connectors We have introduced new external data connectors to enhance data integration capabilities, allowing seamless ingestion of security data from other security vendors. Learn more on our docs. Discovery sources available in the inventory and attack surface map The Device Inventory and Attack Surface Map now display the data sources for each discovered asset. This feature provides an overview of which tools or products reported each asset, including Microsoft and external connectors like Tenable or ServiceNow CMDB. Learn more on our docs. Microsoft Security Exposure Management is now supported in Microsoft Defender XDR Unified role-based access control (RBAC). Access control to Microsoft Security Exposure Management can now be managed using Microsoft Defender XDR Unified Role-Based Access Control (RBAC) permissions model with dedicated and granular permissions. Learn more on our docs. OT security initiative The new Operational Technology (OT) security initiative equips practitioners with a powerful tool to identify, monitor, and mitigate risks across the OT environment, ensuring both operational reliability and safety. This initiative aims to identify devices across physical sites, assess their associated risks, and provide faster, more effective protection for OT systems. For more information, see,Review security initiatives Content versioning notifications The new versioning feature in Microsoft Security Exposure Management offers proactive notifications about upcoming version updates, giving users advanced visibility into anticipated metric changes and their impact on their related initiatives. A dedicated side panel provides comprehensive details about each update, including the expected release date, release notes, current and new metric values, and any changes to related initiative scores. Additionally, users can share direct feedback on the updates within the platform, fostering continuous improvement and responsiveness to user needs. For more information on exposure insights, seeOverview - Exposure insights Exposure history for metrics User can investigate metric changes by reviewing the asset exposure change details. From the initiative'sHistorytab, by selecting a specific metric, you can now see the list of assets where exposure has been either added or removed, providing clearer insight into exposure shifts over time. For more information, see,Reviewing initiative history SaaS security initiative The SaaS Security initiative delivers a clear view of your SaaS security coverage, health, configuration, and performance. Through metrics spanning multiple domains, it gives security managers a high-level understanding of their SaaS security posture. For more information, see,SaaS security initiative Microsoft Defender for Cloud Apps Secure your SaaS landscape with the latest Defender for Cloud Apps innovations. This blog summarizes the following innovations in Defender for Cloud Apps announced at Ignite to help address these challenges: SaaS security initiative: Microsoft Security Exposure Management empowers security teams to reduce risks and limit exposure of the most critical assets with unified exposure management. We are introducing a new SaaS security initiative within Exposure Management to provide best practice SaaS posture recommendations, along with an easy way for security teams to prioritize the most important controls. Enhanced visibility into OAuth apps: Get expanded visibility into OAuth apps to give security teams deeper insights into app origins, privilege levels, and permissions, while allowing them to set controls to mitigate risks more effectively. Streamlined SaaS security operations: To further enhance operational efficiency for SaaS security management, Defender for Cloud Apps now uses the unified role-based access control (RBAC) model in Defender XDR to enable central permission management, alongside a new discovered apps Graph API, and the ability to customize the block page experience. (Preview) Defender for Cloud Apps support for Graph API Defender for Cloud Apps customers can now query data about discovered apps via the Graph API. Use the Graph API to customize views and automate flows on theDiscovered appspage, such as applying filters to view specific data. The API supportsGETcapabilities only. For more information, see: Work with discovered apps via Graph API Microsoft Graph API reference for Microsoft Defender for Cloud Apps SaaS Security initiative in Exposure Management Microsoft Security Exposure Managementoffers a focused, metric-driven way of tracking exposure in specific security areas using securityinitiatives. The "SaaS security initiative" provides a centralized location for all best practices related to SaaS security, categorized into 12 measurable metrics. These metrics are designed to assist in effectively managing and prioritizing the large number of security recommendations. This capability is General Availability (Worldwide) - Note Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High and DoD For more information, seeSaaS security initiative. Internal Session Controls application notice The Enterprise application “Microsoft Defender for Cloud Apps – Session Controls” is used internally by the Conditional Access App Control service. Please ensure there is no CA policy restricting access to this application. For policies that restrict all or certain applications, please ensure this application is listed as an exception or confirm that the blocking policy is deliberate. For more information, seeSample: Create Microsoft Entra ID Conditional Access policies for use with Defender for Cloud Apps. (Preview) Visibility into app origin Defender for Cloud Apps users who use app governance will be able to gain visibility into the origin of OAuth apps connected to Microsoft 365. You can filter and monitor apps that have external origins, to proactively review such apps and improve the security posture of the organization. For more information, seedetailed insights into OAuth apps. (Preview) Permissions filter and export capabilities Defender for Cloud Apps users who use app governance can utilize the newPermissionsfilter and export capabilities to quickly identify apps with specific permissions to access Microsoft 365. For more information, seefilters on app governance. (Preview) Visibility into privilege level for popular Microsoft first-party APIs Defender for Cloud Apps users who use app governance can now gain visibility into privilege level for all popular Microsoft first-party API permissions. The enhanced coverage of privilege level classification will enable you to view and monitor apps with powerful permissions into legacy and other non-Graph APIs that have access to Microsoft 365. For more information, seeOAuth app permission related details on app governance. (Preview) Granular data usage insights into EWS API access Defender for Cloud Apps users who use app governance can now get granular insights into data accessed by apps using legacy EWS API alongside Microsoft Graph. The enhanced coverage of data usage insights will enable you to get deeper visibility into apps accessing emails using legacy EWS API. For more information, seeOAuth app data usage insights on app governance. Microsoft Defender for Endpoint Ninja Show Episode: Defender for Endpoint RDP Telemetry In this episode Cyber Security Researcher Danielle Kuznets Nohi and Senior Product Manager Saar Cohen join us to discuss the importance of Remote Desktop Protocol in Human Operated Attacks considering the current threat landscape. Through a demo, witness critical visibility enhancements made to this important layer of telemetry and learn the powerful capabilities of this tool to identify vulnerable assets and provide deeper threat insights. Intune ending support for Android device administrator on devices with GMS in December 2024. Microsoft Intune and Defender for Endpoint are ending support for Device Administrator enrolled devices with access toGoogle Mobile Services(GMS), beginning December 31, 2024. For devices with access to GMS After Intune and Defender for Endpoint ends support for Android device administrator, devices with access to GMS will be impacted in the following ways: Intune and Defender for Endpoint won’t make changes or updates to Android device administrator management, such as bug fixes, security fixes, or fixes to address changes in new Android versions. Intune and Defender for Endpoint technical support will no longer support these devices. For more information, seeTech Community blog: Intune ending support for Android device administrator on devices with GMS in December 2024.1.8KViews1like1CommentRE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported... I am not sure what it relates to, but could it be licensing concerns? Jason51Views0likes3CommentsPending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. Kristof44Views1like2CommentsXDR Unified RBAC deadline
Has Microsoft set a date for when the Unified RBAC permission model will become mandatory? All the documents I've read indicate that it's voluntary right now. Eventually it will become the default. Permissions Management: Defender XDR's RBAC Walkthrough for Microsoft Defender for Office 365 | Microsoft Community Hub Chuck65Views1like0Comments