Defender - Cloud Activity Logs suspicious
Hi, I just noticed these logs from Defender - Cloud Apps > Activity Logs. It seems all our Microsoft Cloud PCs have these logs; this looks suspicious to me as it seems to be querying our Domain Admins account, but I would like to confirm. If this is suspicious, can you help with how to mitigate this please? Thank you.

Update OpenSSL recommendation
Hi all, I've been trying to find out how to deal with the "openssl" recommendation that I get on almost all end user computers in Defender. I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/DLLs. See a few examples below:

c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll

How do you deal with it? Is that something that can be pushed via Intune?

Help to Defender XDR - KQL to Detection rule for Vulnerability Notification
The query essentially functions as part of a monitoring process, designed to identify and summarize a list of vulnerable applications within a set time frame, particularly events recorded in the current month. When I try to convert this rule to run as a detection rule, I get the error "Can't save detection rule". Can someone help me understand how I can fix the issue?

    // Date - 05-05-2024 - Helps to automate daily vulnerability notification alerts to be logged to servicedesk via emails (until Defender Product gets native feature)
    let Timestamp = now();
    let ReportId = toint(rand() * 100000000);
    DeviceTvmSoftwareVulnerabilities
    | extend OSFamily = case(
        OSPlatform in ("Windows10", "Windows11", "Windows10wVD"), "Desktop",
        OSPlatform in ("WindowsServer2012R2", "WindowsServer2016", "WindowsServer2019", "WindowsServer2022"), "Server",
        "Other")
    | where OSFamily != "Other" // Only processing Desktops and Servers
    | where DeviceName != "" and DeviceName != " " // Exclude blank and space-only DeviceNames
    | summarize
        DesktopDeviceNameList = make_list(iif(OSFamily == "Desktop", DeviceName, "")),
        ServerDeviceNameList = make_list(iif(OSFamily == "Server", DeviceName, "")),
        DetailedDeviceList = make_list(bag_pack("DeviceName", DeviceName, "DeviceId", DeviceId, "OSPlatform", OSPlatform)),
        take_any(SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate)
        by CveId
    | lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId
    | where startofmonth(PublishedDate) == startofmonth(now())
    | project Timestamp, ReportId, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, DesktopDeviceNameList, ServerDeviceNameList, DetailedDeviceList, PublishedDate, LastModifiedTime, VulnerabilityDescription, AffectedSoftware

Microsoft Classic Teams Still Showing as exposed Devices on M365Defender Admin Center After Updating
Hi Everyone, Good day.. Teams classic is showing as exposed in the Microsoft 365 Defender admin portal. But we have already updated to New Teams in our environment. The Intune report says it's updated to the latest version. Pls let us know how to fix this issue. Is this New Teams showing in Defender? Pls suggest... Or is this a known issue? Can anybody suggest how we can fix the devices vulnerability list? Thanks in Advance... Karimulla

Can't find correct RBAC permissions to approve AIR actions
I've been configuring custom RBAC roles, and even though the "Response (manage)" permission in the Security Operations permissions group includes "approve or dismiss pending remediation actions," it doesn't work. I've tried it with pending "soft delete emails" actions in the Action Center, and I get an error. The only way we can approve or reject these actions is with the Entra Security Administrator role checked out. Does anyone know which RBAC permission is supposed to grant the rights to approve these remediation actions?

Defender for Servers Alerts in XDR portal
Hello MSFT, Currently we are a CSP and aren't able to view alerts over GDAP that pertain to Defender for Cloud. We can see that they are in the Incidents/Alerts queue; however, we cannot go into the alert/incident. Currently our analysts have Security Operator and Security Reader. Additionally our clients use URBAC and have the MDE tab enabled. Any insights into this would be beneficial as we are hampered by this lack of visibility and cannot respond to client alerts.

Defender - Export or capture certificate expiry data
Hi There, I am attempting to pull expired certificate information from Defender. My question is thus twofold:

Is it possible to create an email or alert based on certificates due to expire in 30 days?
Is it possible to call an API for Defender for Endpoint?

Our current solution for alerts on expiring certificates in the domain is no longer sustainable and I am looking at redesigning the solution; however, before we can do a proper solution, we need to do something a little less manual, and this will be our start.

Alert Rule
I can see that the certificate information is under the Inventories of the Vulnerabilities blade in Defender for Endpoint, which suggests that an expiring certificate should alert as a Vulnerability. Is this correct? If so, how would I go about creating an alert to identify this?

API or Information passing
Is it possible to use an API to call the information of certificates from Defender? Again, I have looked and found nothing. If APIs aren't possible, I saw that I can ship the data to Event Hub, which would be useful, but again I need to know if the certificate information is captured and passed on if I do this. Does anyone have this information? Thanks,

OpenSSL
We have the recommendation to update OpenSSL. However, we can not figure out how to actually do this. There seems to be no installed location of OpenSSL, so how can we update this? I have found a few posts/comments that have led me to this page, "New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub", but this doesn't actually help you at all. Going to OpenSSL's site for download just gives you a repository of files that don't actually update anything. So what are we supposed to do to get this remediated?

Change service account to avoid cached password in windows registry
Hi, In Microsoft 365 Defender > Secure Score there's a recommendation for me saying "Change service account to avoid cached password in windows registry", and I can see multiple MSSQL services falling into this recommendation. But the remediation is not very clear; what do I need to do here? Thanks,