Response Actions
32 Topics

Defender console - Disabled Connected to a custom indicator & Connected to an unsanctioned

Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.

Issue: I want to know how I can disable these two following alerts:
- Disabled Connected to a custom indicator
- Connected to an unsanctioned blocked app

Those alert types need to be enabled or disabled on demand, like the other alert types.

Why's that: Description of the workload: When we block (Unsanctioned) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate an alert when the indicator is triggered. We would like to automatically uncheck the box or disable the alerts described.

Possible to disable the custom alert in settings? No. Why? Explanation: You cannot suppress "custom detection". But they are categorized as "Informational", and you can suppress by severity alert type.

Solutions: IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the Resolved incident ingestion and falsify your SOC optimization reports. The rule automatically closes only the "Informational" alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:

Rule Analysis: From the updated rule configuration screenshot, it appears that you've set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., "Malware was detected in an email message," "unwanted software," "malware," "trojan"). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here's a breakdown of how it's working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts.

So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,

(520 views, 2 likes, 0 comments)

Incidents from Custom Detection Rules never have Emails for Evidence
let ignoreAddresses = datatable(address:string) [@'email address removed for privacy reasons', @'email address removed for privacy reasons'];
let ignoreSpamSubjects = datatable(subject:string) [@'ignored subject 1', @'ignored subject 2'];
// Time range needs to be set in the UI dropdown in order for the LatestDeliveryLocation filter to work (i.e., live table vs streaming API).
EmailEvents
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
| where DetectionMethods has_any ('URL detonation reputation', 'URL malicious reputation')
    and not(RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not(Subject has_any (ignoreSpamSubjects))
| where (parse_json(AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound') or (EmailDirection =~ 'Intra-org')
| where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not(LatestDeliveryAction =~ 'Quarantine release'))
    and parse_json(ConfidenceLevel).Phish in~ ('Normal', 'High')
| join kind=inner (
    EmailUrlInfo
    | summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageId

I've got the above query saved as a detection rule, which works fine except for one thing: the emails are never present in the Evidence tab of the generated incidents. Meanwhile, the Recipients show up in the Mailbox and User assets, as I'm using Entity mapping to map the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results, "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref), which is being satisfied. The Evidence available is the IP of the sender and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' Recipient.

I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC but are in Quarantine, detected as Phish. The idea is to watch out for false positives due to URL detonation reputation, since most of the messages fitting this criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.) and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.

(173 views, 0 likes, 0 comments)

Help with custom role for Service desk staff
I've been tasked with granting members of our Service desk the ability to perform 2 specific actions against user accounts within the Defender portal. Please see attached screenshot.
- Suspend user in Entra ID
- Require user to sign in again

Does anyone know if this is possible? I can't find any Microsoft documentation explaining what level of permission is required to perform these actions. Regards, Graham

(594 views, 0 likes, 8 comments)

Defender for Servers Alerts in XDR portal
Hello MSFT, currently we are a CSP and aren't able to view alerts over GDAP that pertain to Defender for Cloud. We can see that they are in the Incidents/Alerts queue; however, we cannot go into the alert/incident. Currently our analysts have Security Operator and Security Reader. Additionally, our clients use URBAC and have the MDE tab enabled. Any insights into this would be beneficial, as we are hampered by this lack of visibility and cannot respond to client alerts.

(267 views, 0 likes, 0 comments)

How to get alerted on pending items in the Action Center
Good morning all! Part of my daily duties is to ensure that items in the Action Center are acted upon in a timely manner. I have been trying to find ways to be alerted on new items, but there is nothing in Microsoft documentation, or anything that is obvious. I have scoured the internet, where I stumbled upon an old post about having to use a PS script, but there has to be some sort of notification Microsoft can send out on these items?! Since these items are time sensitive, I am having to check constantly for any new soft/hard delete emails.

(367 views, 1 like, 0 comments)

User Reported Spam/Phishing Messages Not Showing in Submission Portal
This happens every so often, where users using the report message option in Outlook don't have their submissions ever show up on the User Reported tab in the Submissions portal (or often there are large delays of an hour or more before messages will show up). I have the report message button set to copy an internal mailbox as well, and I see submissions go there. I see in the message trace logs that messages are being sent to the equivalent office365.microsoft.com address (email address removed for privacy reasons, for example). Last time I opened a case for this, and it was a very frustrating experience because we only have standard support, so they never would really look into the issue too far. Well, it's happening again since yesterday afternoon, and while it's not a total security issue, it's annoying because our end users have come to expect the responses on their submissions, and it's easier to submit these to Microsoft if they show up in the submission portal than having to manually upload them from the internal mailbox these get sent to as well. No service health issues are posted in our tenant, but last time we had this, support said they don't typically post issues for things like this even if it's a known service-side issue processing these. I don't know if that's true or not. Anyone else seeing this issue?

(4.7K views, 1 like, 8 comments)

Defender for endpoint
- Does Defender for Endpoint work if AV is in passive mode, i.e. will it show pop-ups, etc.?
- Does it view content in labelled items (using unified labelling) to intercept Sensitive info types? Or should they be un-labelled?
- In order for block printing to work, what are the conditions? Does it require a set of printers identified in DLP settings in the compliance portal? Or if not specified, does it not work?

(675 views, 0 likes, 1 comment)

New Sentinel Integration Causing a Single Large Incident
I migrated Sentinel to the new Defender XDR connector, giving it access to the SecurityAlert and SecurityIncident tables. Defender's entity matching is now creating one large incident out of pretty much every Sentinel incident raised, meaning if we close it, it is just going to re-raise as the entity graph grows. Has this happened to anyone else? How can we stop this from happening?

(499 views, 0 likes, 1 comment)

Microsoft Defender e-mail notification for user reported messages
Hi, I've configured, in Settings -> Email and Collaboration -> User Reported Settings -> Email notifications, some predefined messages to be sent when we classify the reported emails as Phishing, SPAM or No Threats Found. The problem is that even though I use empty lines to create the message, the email has all the text in the same paragraph, which has a horrible look when it reaches a user's inbox. According to MS support, this is like this by default, which I could not really believe, as from a User Experience point of view it is really odd. Anyone using this feature that has the same pain and found some option to overcome this issue? Thanks

(4.3K views, 1 like, 12 comments)