Microsoft 365 defender alerts not capturing fields (entities) in azure sentinel
We got an alert from 365 defenders to azure sentinel ( A potentially malicious URL click was detected). To investigate this alert we have to check in the 365 defender portal. We noticed that entities are not capturing (user, host, IP). How can we resolve this issue? Note: This is not a custom rule.
RE: Microsoft Defender for Office 365 data connector
Hello, I have an issue enabling the Microsoft Defender for Office 365 settings in the Defender XDR connector for Microsoft Sentinel. The error is attached. It seems related to: Categories AdvancedHunting-EmailAttachmentInfo, AdvancedHunting-EmailEvents, AdvancedHunting-EmailUrlInfo, AdvancedHunting-EmailPostDeliveryEvents are not supported... I am not sure what it relates to, but could it be licensing concerns? JasonLocal IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft services? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even anonymous file access. Is anyone else seeing this and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream? Sample KQL: // Query 1 OfficeActivity | where TimeGenerated >=ago(30d) | where ipv4_is_private( ClientIP ) | where IsManagedDevice == false | summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP // Query 2 OfficeActivity | where TimeGenerated >=ago(60d) | where isnotempty( ClientIP ) and ipv4_is_private( ClientIP ) | summarize count() by bin(TimeGenerated, 1d)Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures
Hello, We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR ( MicrosoftThreatProtection) and Defender for Endpoint ( MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistantly. It seems to be a known issue due to the following posts: - https://github.com/Azure/SimuLand/issues/23 - https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212 - https://github.com/Azure/Azure-Sentinel/issues/5007 Next to this issue I see almost no development on the data connectors API, is there some news to be spread how to enable data connectors automated in the future, since it seems to be moving to Content Hub. It is hard to find any docs about how to deploy this for example via Bicep!? Also I have a question regarding 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph, how would this be made possible?Create playbook to release requested quarantined emails?
I can't find any information on possibility of releasing quarantined emails of the alert created by Microsoft Defender XDR. Such as "User requested to release a quarantined message" and "User requested to release a quarantined message involving one user". I see there are playbooks created with Microsoft Defender Connector. Have conditions in such as non-high confidence only and not reported by more than one user. Would Azure logic app be able to do this, if so, some guide is appreciated?
KQL QR Code Phishing
let trustedDomains = dynamic(["microsoft.com"]); let imageFileTypes = dynamic(["png", "jpeg", "svg"]); EmailEvents | where EmailDirection == "Inbound" | where AttachmentCount > 0 | where not(SenderFromDomain has_any (trustedDomains)) | join EmailAttachmentInfo on NetworkMessageId | where FileType has_any (imageFileTypes) | summarize max(RecipientEmailAddress) by Subject,FileName,SenderDisplayName,SenderFromAddress how to group by unique sender and how many count, can someone help with the query?Could someone advise me if it's possible to create my own small lab?
Hi, for some time now I've been learning about Sentinel and Defender. Could someone advise me if it's possible to create my own small lab? I had everything set up because I have an 'MSDN Platforms Subscription' license. I have started trial version of Sentinel and Defender + Microsoft 365 E5 Enterprise Mobility + Security E5 I was able to create everything as in a real environment until the Microsoft 365 E5 trial ended after 30days * not 100% sure if is just because of license ended?* After that, I lost access to Email logs (threat hunting in Defender or running custom rules etc..) - Goal: Creating a lab environment where I can have 1x Outlook, 1x Teams, Defender, and Sentinel (there won't be many logs as it will be just for testing purposes, with only one virtual machine). I'm wondering if it's possible for me to create such a lab. What could be the cost? Office 365 Enterprise E5 is $57, and it seems that I can't use the resources from MSDN, so I would need to purchase it using my own funds. E5 trail for 30 days 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub Sentinel works fine after 31 days and status is Active and pricing tier is - pay as you go
Securitycenter long delays for incidents to show up
good day, getting started using M365 Defender and Sentinel I noticed that some incidents/alerts seem to take ages to appear in the Securitycenter Portal and then some to show up in Sentinel. although there's no SLA I found statistics claiming 95% of events would pop up within 10' or so. my experience here is a rather different one and I wonder why. Yesterday I just watched the most curious iteration happening: - MDE on a MAC reported successful remediation of a ransomware on unpacking a ZIP file 3 months ago. incident was closed as confirmed activity (colleague was doing blue team training). - today at 2pm and months later MDE suddenly kicks into gear and reports removal of the same malware again. interpretation of info presented in Securitycenter: while above remediation tackled the unpacked contents it left the ZIP which popped up in a regular filesystem scan yesterday. - not wanting to miss alerts I configured notification e-mails for new alerts. 2.30pm yesterday I received an e-mail notifying incident ID111, containing a link to the security center which successfully opens and shows yesterday's remediation action. - opening security center on its own, ie. WITHOUT above link, even today I don't get to see incident 111. 110 is the last one (no filters set). needless to say that there's nothing to be seen yet in Sentinel either. MDE/MDI incidents do arrive. just checked with an EICAR test file Any hints how to troubleshoot this? Thanks! UrsSOAR - Automatically closing incidents from Microsoft Defender for Office
Hi All, I am trying to leverage Microsoft Sentinel's SOAR capabilities to automatically close false positive alerts from Microsoft Defender for Office. The particular policy I want to address now is the "Phish delivered due to IP allow policy", so we get a lot of false positive alerts whenever MDO misclassifies an email, so I want to suppress these in Sentinel. My thought process was to create a playbook (using Logic App), to get the incident and capture the 'message ID' entity. So, for every Message ID, I want to write a KQL query to search that ID from Sentinel logs, see if predefined fields are matched, then close the incident if matched, else notify the team. Right now, this is what I have: I am honestly stuck here. The Microsoft Sentinel Instance does not have a Cluster URL, I need to query it directly not via Azure Data Explorer. May you please assist me. Is there an easier way to get this automated response in place? Thank you.
