microsoft defender for endpoint
307 TopicsDeviceLogonEvents "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock"
I'm trying to get "LogonSuccess", "LogoffSuccess", "ScreenLock", "ScreenUnlock" from the DeviceLogonEvent table but I am only seeing LogonSuccess. I'm wondering if I need to configure something in my tenant for those events to show up in the DeviceLogonEvents table. I have both event ID's 8400 and 8401 showing in the local security event log.Solved44Views0likes3CommentsCustom critical filter for EDR/XDR
Hello everyone, i would like to ask if somebody is trying to make a unique "critical" filter for alerts/incidents that need to be done as fast as possible? We have many high alerts and we are trying to figure one to have prio list with important notifications. Have you any ideas? Thank you.23Views0likes1CommentWhitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions or the node machine he uses to initiate connections? So that it no longer generates or the incidents linked to these activities are automatically resolved. Thank you for your help. HKN25Views0likes0CommentsBlocking domain for group of users/or devices
Hi all, I am trying to find a way to block youtube for a group of users. We are using M365 E5 Security so can use Defender for endpoint or Defender for cloud apps. However, cant find a way to implement this. My idea was to create an INDICATOR in Endpoint that will be blocked, however I cannot select any group and "all devices" are included there in default. So not sure if this is a way. Neither Web Content Filtering cannot be used for my scenario Another idea was to use Defender for cloud apps. This looks promising but I am not sure how to target only specific users or devices? I managed to mark an app as "unsanctioned" but it applies for all devices. Any idea ? Thank you.31Views0likes0CommentsAdvanced Hunting Data Schema
Hello everyone, I have a question regarding the use of schema for Advanced Hunting queries. We are an organization with several companies under our holding. I need to recover the USB connections on the machines but only for one company and not the others. I need to sort on Company Name for the user. But in the Advanced Hunting schema there are no fields to filter on this. I looked specifically in UserInfo and DeviceInfo. Here's the query I use to detect USBs. I need to filter by CompanyName to retrieve the list of devices or users for this company only. DeviceEvents | where ActionType == “PnpDeviceConnected” | extend parsed=parse_json(AdditionalFields) | project Timestamp, DeviceName, DeviceId=tostring(parsed.DeviceId), ClassName=tostring(parsed.ClassName) | where ClassName == “DiskDrive” | summarize UsbFirstSeen=min(Timestamp), UsbLastSeen=max(Timestamp) by DeviceId, DeviceName; Is there another solution ? Thanks in advance for your answers, HKNSolved150Views0likes8CommentsWhere and how is AI used in Defender XDR?
Hi everyone, i was searching for an overview of where and AI is used in Defender XDR. Do you have a quick oversight of this? That would be great. Also how this data is used for training and decisions. I know it is used in Attack disruption and Copilot for Security ( ;) ) - but i need a complete list. BR Stephan37Views1like0CommentsAudit logs for Vulnerability Management Remediations
Hello all, Are there any audit logs that can be queried for the creation of Remediations under Endpoint Vulnerability Management (https://security.microsoft.com/remediation/remediation-activities)? I know that there are API endpoints that can be queried for this information, but we are looking for additional options. The endgame is to have a ticket created in our external help desk ticketing system when someone creates a Remediation from a Recommendation. Any advice is appreciated! Thanks, - Steve5Views0likes0CommentsList Unified RBAC role assignments?
I can look in the XDR portal to see the current role assignments, but I would like to have a script to list the current assignments. Perhaps with PowerShell and/or Graph API. I tried to find anything, but it all seems to refer to Entra ID (custom) role assignments, not Defender XDR (or is that the same?). Anyway, my current issue is 1. that I have to go trough each and every role assignment one by one and 2. that when I have only read acces, the group names in the assignment are truncated as these are too long to fit in the box23Views0likes0Comments