Defender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024 I have found a way to disabling these annoying alerts. Look for the solution above. Issue: I want to know how I can disable these two following alerts : Disabled Connected to a custom indicator Connected to an unsanctioned blocked app Those alerts type needs to be enabled or disabled on demand, like the other alerts types. Why's that : Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing. Possible to disable the custom alert in setting ? No. Why ? Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type. Solutions : IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports. The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR setting->Alert tuning->Create this rule: Here's an example: Rule Analysis From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working: 1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered. 2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,
New Email Response Actions in Microsoft Defender XDR
Hi, Can Microsoft please allow the use of punctuation when adding a new Rule Name or in the description for this functionality. Example below is when adding a new rule name, but using a hyphen (so that on first look, a user can see that the rule was created for a manual action) In the description, it doesn't allow you to use any commas, or any full stops (periods)Ninja Cat Giveaway: Episode 5 | Mobile Threat Defense
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: After assessing this discussion with Yuji, tell us what are at least 3 common attack vectors on mobile devices? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Ability to suppress alerts from detection sources other than MDE
Hello, The "Create Suppression Rule" is only available for MDE Alerts. Does anyone know if there are any plans to extend this functionality to other types of alert (MDI, MDO, MDCA, ...)? We have a lot of noise and looking for a way to auto-resolve alerts/incidents. Is there another option (other than API and Sentinel) without completely turning off alerts? Thanks
Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. KristofHow to get alerted on pending items in the Action Center
Good morning all! Part of my daily duties is to ensure that items in the Action Center are acted upon in a timely manner. I have been trying to find ways to be able to be alerted on new items, but there is nothing in Microsoft documentation, or anything that is obvious. I have scoured the internet, where I stumbled upon an old post about having to use a PS script, but there has to be some sort of notification Microsoft can send out on these items?! Since these items are time sensitive, I am having to check constantly for any new soft/hard delete emails.
An actor on NULL - ATP
I’m getting a lot of these messages below, I’m not sure what to do with them, tracing via my siem the process involved is lsass.exe, my suspicion is that it is Rapid7 performing vulnerability scans but just wanted to check if anyone else had similar issues? An actor on NULL performed suspicious account enumeration, exposing Guest, while trying to access <computer> clicking on null, as expected produces an error.
