Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures
Hello, We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR ( MicrosoftThreatProtection) and Defender for Endpoint ( MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistantly. It seems to be a known issue due to the following posts: - https://github.com/Azure/SimuLand/issues/23 - https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212 - https://github.com/Azure/Azure-Sentinel/issues/5007 Next to this issue I see almost no development on the data connectors API, is there some news to be spread how to enable data connectors automated in the future, since it seems to be moving to Content Hub. It is hard to find any docs about how to deploy this for example via Bicep!? Also I have a question regarding 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph, how would this be made possible?Microsoft 365 Defender data connector and error ('AdvancedHunting-CloudAppEvents are not supported')
Hello, I have a client who has set up the Microsoft 365 Defender data connector, and on selecting the 'connect events' for Microsoft Defender for Cloud Apps and saving the configuration, the following error is generated... The exact error is: 'AdvancedHunting-CloudAppEvents are not supported'. I have not checked the configurations in the Microsoft 365 Defender portal under Cloud Apps yet, but has anyone come across this error and is it likely to be related to a configuration issue?
Run Query and List Results operation
I am using the Run Query and List Results operation within Logic Apps to get an Incident Name. The issue I have is it seems to be duplicating the results in the list i.e Incident Name appears twice. Is there some setting I'm missing or is there a concise way to strip the second value away?
Ticket Sync between Sentinel and Defender for Cloud Apps
Hello I have defender for Cloud APP syncing with sentinel to open incidents but when I close incidents in Sentinel it doesn't close Defender for Cloud Apps alerts. Is there any MSFT solution, I've already checked official MSFT links and so far I haven't found anything related to what I want. Best regardsFeature Request: Entity Annotation
So I was investigating an incident where a user had signed in from a TOR exit node on an AAD Joined device. After investigating, I had found that they had a commercial VPN, and their endpoints also served as exit nodes. So they weren't actually using TOR, but their traffic was coming from an exit node. The device is part of a group with more lax controls, so this is absolutely allowed (I can't really explain more, I would love to go to town with this stuff and remove it, but that isn't my call). So I was in a situation where I can't tune, because I need Defender device logs to see if its the VPN (too high ingestion), and I can't just allow the IPs as they are TOR exit nodes. Which gave me the idea of having annotations on the entities in UEBA. So in this case, I could say "known to use a VPN which also acts as TOR exit nodes, check source IP" or something similar. It saves having to create a separate knowledge base and keep it up to date with data from all security products. Would also be useful for users too. I have a user who frequently mass deletes files on a certain time on a certain day which triggers DLP rules. I could add the conditions of that behaviour as an annotation, rather than having to write a crazy analytics rule which has to check the day and time, user and Sharepoint site, plus other exclusions. Something like the comments thread on incidents will suffice.
Defender Sentinel Sync
The status of an incident in Sentinel does not sync with Microsoft 365 Defender (Alert product name Microsoft Cloud App Security) when the incident is closed. Has anyone else encountered this issue? I expected Microsoft 365 Defender and Sentinel to sync incidents on status, owner, and closing reason bi-directionally. Thanks
Azure Sentinel Side by Side with QRadar
Hi, quick question: in the "Event Filter" on Qradar we add: vendorInformation/provider eq 'Azure Sentinel' to get Sentinel events but is it possible to include another azure instances such as Cloud App, Identity, etc? I mean, like: provider eq 'Azure Sentinel, MCAS, IPS' thank you
False positive alert of defense evasion behavior was blocked on one endpoint
I am receiving a lots of alert from defender saying dense evasion was blocked on one endpoint. Normally when outlook.exe interact with .JPG file and follows by runddll32.exe used by photoviewer.dll, it trigger this alert. Does any one experience similar experience ?Linux Connectors - MCAS & Sentinel
Just checking – as we are looking at trying to get more info feeding in to the solution and there is a Bluecoat Proxy + Cisco ASA transferring to Palo Alto. As there is no “connector” listed for Bluecoat in Sentinel, but there is one listed in MCAS, would it make sense to simply ingest the Bluecoat into MCAS and then have MCAS alerts feed into Sentinel? While this might not be ideal that Sentinel does not have the raw data, at least it will have the Alerts, and by aggregating the data it will reduce the storage needs in Sentinel? Would I be correct in thinking that it’s not possible to run a single Linux Connector that can run various tasks in a PoC scenario? So for the Cisco ASA & the Palo Alto we’d likely need two separate Linux Connectors, one for each task?
Requesting a bit more integration between MCAS, AATP, MDATP, O365ATP with Sentinel
Some alarms coming from MDATP to Sentinel, for example: "Suspicious URL clicked", do not provide the actual URL. To discover the actual URL you must to access MDATP. This specific alarm is usually triggered based on O365ATP. Similarly, some alarms coming from AATP to Sentinel, for example: "Remote code execution attempt" are usually triggered after someone clicked in a URL. However, to access the actual URL you must to access the AATP. This specific alarm is usually triggered by MCAS and forwarded to AATP. It means that in this case you need to access MCAS. Problem/request 0: it would be nice if MS-sec-boxes share all information from their alarms (ex. URLs) with Sentinel. Is there any timeline to add more information? when? which information? Problem/request 1: MCAS, AATP, MDATP, O365ATP are not 'integrateable' via Azure Lighthouse. Then, MSSPs can not access/manage those MS-sec-solutions. Perhaps the RBAC 'security reader' and/or 'security contributor' could eventually enable access to those solutions. Is there any intention in this direction? Thanks
