Threat Analytics
29 Topics

Remove access rights on suspicious accounts with the Admin SDHolder permission
Hi,
Can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS", but it displays "Users affected - No data to show", and under "Exposed Entities" it is blank with a line at the bottom displaying: {ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}
Just over 24 hours after initial detection, the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users", but it is still marked as "To address".
Also please note the "More Information" links do not point to any useful or specific information for this improvement action.
Thanks,
Gary
1.2K Views, 2 likes, 4 Comments

Secure Score per Device Group
Hello All,
I want to ask if it's possible to add Secure Score calculation per Device Group/Tag in the Defender Secure Score Overview. We manage multiple devices, some of which are handled by local IT and in different domains. We need a separate Secure Score calculation, since it gives us an initial metric of where we are compared to other domains/device groups. You already have the option in Vulnerability Management > Security Recommendations (per device group); can we have it for Secure Score also?
Best Regards,
Nick
1.4K Views, 1 like, 3 Comments

Accessing edge protection data from advanced hunting API
I am creating a Power BI report for visualizing Defender 365 data to external users that don't have access to the security portal, using the advanced hunting API. The client would be interested in seeing the "edge protection" figures that are in the email & collaboration reports included in the Defender reports. But I can't seem to find that particular data anywhere in the Advanced Hunting data schema. Can I access the edge protection data from the API?
485 Views, 1 like, 0 Comments

An actor on NULL - ATP
I'm getting a lot of these messages below. I'm not sure what to do with them; tracing via my SIEM, the process involved is lsass.exe. My suspicion is that it is Rapid7 performing vulnerability scans, but I just wanted to check if anyone else had similar issues?
"An actor on NULL performed suspicious account enumeration, exposing Guest, while trying to access <computer>"
Clicking on "null", as expected, produces an error.
1.1K Views, 1 like, 1 Comment