Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
KQL script report last reboot/reset endpoint devices (Workstations/Laptops)
Hello everyone, I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots. To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device. I've attempted to use the following KQL script in different ways without success: DeviceEvents | where ActionType == "Restarted" or ActionType == "Shutdown" | summarize LastReboot = max(EventTime) by DeviceName Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore. Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance! Best regards, Sergio
How to stop incidents merging under new incident (MultiStage) in defender.
Dear All We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically merged into a single incident named "Multistage." This automatic incident merging affects the granularity and context of our investigations, especially for important custom use cases such as specific admin activities and differentiated analytic logic. Key concerns include: Custom rule alerts from Sentinel merging undesirably into a single "Multistage" incident in Defender, causing loss of incident-specific investigation value. Analytic rules arising from different data sources and detection logic are merged, although they represent distinct security events needing separate attention. Customers require and depend on distinct, non-merged incidents for custom use cases, and the current incident correlation and merging behavior undermines this requirement. We understand that Defender’s incident correlation engine merges incidents based on overlapping entities, timelines, and behaviors but would like guidance or configuration best practices to disable or minimize this automatic merging behavior for our custom and analytic rule incidents. Our goal is to maintain independent incidents corresponding exactly to our custom alerts so that hunting, triage, and response workflows remain precise and actionable. Any recommendations or advanced configuration options to achieve this separation would be greatly appreciated. Thank you for your assistance. Best regards
Full Automation Capabilities in Linux OS
Hello eveyone, We have configured Defender to detect viruses, and our goal is that if one of our assets downloads or encounters a virus, it is automatically hidden or removed. Based on the documentation regarding the automation levels in Automated Investigation and Remediation capabilities, we have set it to "Full - remediate threats automatically." While this works correctly on Windows devices, we have noticed that on Linux devices, the defender still detect the virus but it was not prevented. I was wondering if anyone has encountered this issue and, if so, how it was resolved? Additionally, as I am new to the Defender platform, I wanted to ask if could this issue potentially be resolved through specific Linux policies or functionalities? Best regards Mathiew
Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. Kristof
M365 Defender custom queries host in Azure Devops repo
Hello community! I'm looking for possible solution to have custom detection rules host in Azure DevOps repo with possibility to push them directly into Defender - something like Community queries works (if it works like that). I tried to search across internet and MS documentation but haven't find anything like that. Is it even possible? Could you please guide me or point into some documentation/articles ? Thanks in advance!
