api-uk.securitycenter.microsoft.com - Vulnerability dates missing
Hi. We've started to see the following fields with inacurate data (red text below) coming via the Defender API. Example call: https://api-uk.securitycenter.microsoft.com/api/recommendations/va-_-microsoft-_-windows_11/vulnerabilities Response: { "@odata.context": "https://api-uk.securitycenter.microsoft.com/api/$metadata#PublicVulnerabilityDto", "@odata.count": 97, "value": [ { "id": "CVE-2024-43543", "name": "CVE-2024-43543", "description": null, "severity": "Medium", "cvssV3": 0.0, "cvssVector": null, "exposedMachines": 1, "publishedOn": "0001-01-01T00:00:00Z", "updatedOn": "0001-01-01T00:00:00Z", "firstDetected": "2024-10-17T09:14:19Z", "publicExploit": false, "exploitVerified": false, "exploitInKit": false, "exploitTypes": [], "exploitUris": [], "cveSupportability": null, "tags": [ "PartiallyPatchable" ], "epss": null }, **** single object extracted. The data appears to display in the portal without issue as you can see below: Has anyone else using the Defender API seen this on their environment at all? Cheers. Nigel
Defender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024 I have found a way to disabling these annoying alerts. Look for the solution above. Issue: I want to know how I can disable these two following alerts : Disabled Connected to a custom indicator Connected to an unsanctioned blocked app Those alerts type needs to be enabled or disabled on demand, like the other alerts types. Why's that : Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing. Possible to disable the custom alert in setting ? No. Why ? Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type. Solutions : IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports. The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR setting->Alert tuning->Create this rule: Here's an example: Rule Analysis From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working: 1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered. 2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,
Assign Microsoft Defender for Endpoint Server
Hi Everyone, We are considering purchasing Microsoft Defender for Endpoint Server on our server, but I know that these licenses should be assigned, but I am not sure why we should assign these to users and how we could configure these on the on-prem servers. Is there a specific guideline that we could follow in that regard? ThanksLearn more about Microsoft Security Communities.
In the last five years, Microsoft has increased the emphasis on community programs – specifically within the security, compliance, and management space. These communities fall into two categories: Public and Private (or NDA only). In this blog, we will share a breakdown of each community and how to join.Automating detection engineering for MS 365 Defender
I'm working at a MSSP managing multiple customers. We build a lot of custom detections rules in the MS 365 Defender portal of the customers. We have a library of standard custom detections we use for all our customer. However it is very labor intensive to manage all those detections. I'm thinking of automating it so it is all manageable from one platform. But the MS documentation doesn't speak about API features to create edit and remove custom detections in MS 365. Is there anyway to automate this process?Support for LDAPS Auth events in XDR IdentityLogonEvents table?
We have a requirement to implement LDAPS auth for an appliance against AD DCs in a legacy environment. The DCs are running Defender for Identity. While testing, using LDAP, I can trace login events in the IdentityLoginEvents table, however when switching to LDAPS, I can't see any related events logged here. Interactive logins using LDAPS are working successfully, as expected, and appear in the Windows event log as EventID:4776 on the DC (but don't appear in the defender portal). It was then that I discovered that this expected behaviour according to the list of supported logon types listed here. IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn I'm puzzled that XDR would support a cleartext legacy authentication method like LDAP, but would not support the more secure LDAPS protocol. Is there any rationale for this, or intention to introduce support ?Monthly news - November 2024
Microsoft Defender XDRMonthly newsNovember 2024 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October2024.
