alerts
104 Topics

Lack of alerts in Sentinel
Hello, I am troubleshooting a lack of alerts and incidents in my Sentinel deployment. When I look at the Microsoft Defender XDR connector, I see plenty of events like DeviceEvents, DeviceInfo, IdentityLogonEvents, etc. However, the entries for SecurityIncident, SecurityAlert, AlertInfo and AlertEvidence all show grey with a disconnected connector showing. I've been over the onboarding documentation several times and can't find what I'm missing. Has anyone else experienced this who can point me in the right direction of what to check? Thanks!
60 views, 0 likes, 4 comments

Defender not detecting test Kali Linux devices connected to network
Hello, first time posting here. Our organization is trying to get more familiar with MS 365 Defender. Just to see what it would discover, we connected a device running Kali Linux (not domain joined) to our internal LAN network, then did some NMAP scans from it against the subnet and one of our servers. We were thinking we would see Defender trigger some kind of alert, but that did not happen. We are also not seeing this Kali Linux device in the Defender Device Inventory anywhere. We have our device discovery set to Standard and have the appropriate networks enabled for Monitoring. Should we be getting some kind of alert of a non-onboarded device doing port scans against other devices in our network?
3.2K views, 0 likes, 12 comments

Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I tried to create a custom detection rule from a KQL query in Defender XDR Advanced Hunting, customizing various variables so that it could be submitted, but for this query to pass the remediation settings of the detection rule I need entity-identifiable columns like AccountUpn, which I need to union with the IdentityInfo schema. But the detection rule does not seem to support union *, as shown in the attached picture. I searched for the same problem, which seems to occur in all systems using KQL including Microsoft Sentinel Logs, but found no workaround to bypass it. So, is there any way to achieve this objective without getting stuck on the union * problem?
Solved | 118 views, 0 likes, 4 comments

How to use KQL to associate alerts with incidents?
There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide KQL examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table, which is only available when Sentinel is connected to XDR. Thank you.
80 views, 0 likes, 1 comment

Microsoft Defender for Cloud and XDR integration
🚨 Need Help! 🚨 I'm currently facing a challenge with Microsoft Defender for Cloud. I've created sample alerts, but when I check in Microsoft Defender XDR, the alerts aren't showing up. 😕 I've already checked all possible configurations, permissions, and integration settings but haven't been able to pinpoint the cause. Has anyone experienced something similar? Any suggestions on additional things to check or troubleshooting steps that might help resolve this? I was following a Udemy instructor's video tutorial from 2024, where it worked fine for him, but unfortunately, it didn't work for me.
93 views, 0 likes, 1 comment

Advanced Hunting along with a Custom Detection Rule
Good afternoon, I need some help setting up a KQL query in Advanced Hunting along with a Custom Detection Rule to automatically isolate devices where a virus or ransomware is detected. The rule must run at NRT (Near Real-Time) frequency. We are using Microsoft Defender for Business, which is included in the Microsoft 365 Business Premium license. Would any kind community member be able to provide me with a starting point for this? Thank you in advance!
Solved | 397 views, 1 like, 3 comments

How does Defender detect file version limit default changes?
Hi all, I am currently reviewing a historic article that mentions a Cloud Ransomware attack where attackers can change the default number of file versions saved. They change this from the default 500 to 1 and then save over your files to make them unrecoverable. Apparently this doesn't need admin credentials; a standard user can do this themselves. All of the Microsoft guidance says that Microsoft is protected against cloud ransomware attacks of this type because of the file versioning feature, as well as being able to contact Microsoft for 14 days after such an incident so they can retrieve your data. My questions are:
- Where do I find what the current settings are for file version limit defaults? Is it in the OneDrive/SharePoint admin centres?
- How do I find out whether such a change has been made?
- Is there an alert already configured in Defender to detect such a change? If not, does anyone know how to set one up, e.g., KQL and a custom detection?
I tried asking Copilot, but it just sends me to the official Microsoft documentation, so any help is greatly appreciated.
70 views, 0 likes, 4 comments

Missing auditability on use of Explorer and Advanced Hunting
Considering that Defender for Office's Explorer and Advanced Hunting can be used to get insight into very sensitive data, we assumed this activity is auditable, but unfortunately it is not. A Microsoft Support request confirmed it's not, and we're confused as to why and would strongly request that Microsoft implement audit tracking for any user, including the queries used. Explorer gives access to email subjects and Advanced Hunting can be used to view users' files etc., so from a GDPR and tracking point of view we need to be able to audit our SOC team and other admins on when they access potential personal information.
71 views, 0 likes, 1 comment

MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding: after configuring the Logic App, we missed setting a cap, and within a week it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
66 views, 0 likes, 1 comment

Stop Defender isolating Domain Controllers
Recently we have experienced Defender isolating our Domain Controllers. It is always the same rule which causes the isolation: "Suspected AD FS DKM key read". I edited the rule and set it to auto resolve if triggered by the DCs. I assumed this would then release the DCs from isolation, but this doesn't seem to be the case. Manual intervention is still required. I either need to stop Defender alerting on this particular rule against my DCs (not ideal) or I need to stop the rule isolating the DCs. Any help would be appreciated.
272 views, 0 likes, 6 comments