Remediation
57 TopicsMS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?35Views0likes1CommentReplacement for Windows Authenticated Scanning
For cost saving, we were looking at replacing our existing vulnerability scanner with Defender and using device scanning. Due to the nature of some of our systems, we can't enroll all of them in Defender and had hoped to use Windows Authenticated Scanning for the unmanaged devices. It looks like that is being deprecated, and the FAQ page indicates that there is currently no direct replacement. While the number of systems we have that can't be enrolled in relatively minimal, is there any kind of scanning I'm missing as part of the product that would allow remote scans of Windows devices as opposed to enrolling? It doesn't look like it. Seems like taking away a component that gives some kind of feature parity without another option is a bad idea, but maybe I'm just missing something.44Views0likes1CommentCustom critical filter for EDR/XDR
Hello everyone, i would like to ask if somebody is trying to make a unique "critical" filter for alerts/incidents that need to be done as fast as possible? We have many high alerts and we are trying to figure one to have prio list with important notifications. Have you any ideas? Thank you.57Views0likes4CommentsDefender MDO permissions broken (again)
Defender wasn't letting me approve pending AIR remediation options, something I do every day, with my usual custom RBAC role checked out. Nor could I move or delete emails. I also had Security Operator checked out. I checked out Security Admin and tried again, no dice. It wasn't until I checked out Global Admin until I got the permissions I needed.26Views0likes0Commentshelp with remediation
Hi, i'm trying to create detection and remediation scripts for intune to detect the presence of a template in the users word startup folder **My detection is as follows** $path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm" if (Test-Path $path) { Write-Output "File exists: $path" exit 1 # Success, file exists } else { Write-Output "File not found: $path" exit 0 # Failure, file does not exist **My remediation** $path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm" if (Test-Path $path) { Remove-Item -Path $path -Force It seems like the detection works as the detection status is "without issues" but the remediation doesn't run. Any advice on how to correct this very much welcomed32Views0likes2Commentshelp with remediation
Hi, i'm trying to create detection and remediation scripts for intune to detect the presence of a template in the users word startup folder **My detection is as follows** $path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm" if (Test-Path $path) { Write-Output "File exists: $path" exit 1 # Success, file exists } else { Write-Output "File not found: $path" exit 0 # Failure, file does not exist **My remediation** $path = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Word\Startup\ACS Template 2010 2013 2016 (2) (1).dotm" if (Test-Path $path) { Remove-Item -Path $path -Force It seems like the detection works as the detection status is "without issues" but the remediation doesn't run. Any advice on how to correct this very much welcomed18Views0likes1CommentAudit logs for Vulnerability Management Remediations
Hello all, Are there any audit logs that can be queried for the creation of Remediations under Endpoint Vulnerability Management (https://security.microsoft.com/remediation/remediation-activities)? I know that there are API endpoints that can be queried for this information, but we are looking for additional options. The endgame is to have a ticket created in our external help desk ticketing system when someone creates a Remediation from a Recommendation. Any advice is appreciated! Thanks, - Steve14Views0likes0CommentsDefender - Cloud Activity Logs suspicious
Hi, I just noticed this logs from Defender - Cloud Apps > Activity Logs, seems all our Microsoft Cloud PC has these logs, looks suspicious for me as it is querying our Domain Admins account it seems, but would like to confirm. If this is suspicious, can help how to mitigate this please, thank you.85Views0likes1CommentUpdate OpenSSL recommendation
Hi all, I've been trying to find out how to deal with "openssl" recommendation that I get on almost all end user computers in Defender. I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/dll?? See some few examples below: c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll c:\program files\zoom\bin\libcrypto-3-zm.dll c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll How you deal with it? .. is that something that can be pushed via Intune..?33KViews1like10Comments