Defender is missing logs for files copied to USB device on Mac devices
Hello, I am currently facing an issue with Defender not logging files copied to USBs. Using the KQL below, I can only see .exe files copied, but nothing when it comes to .pdf, .docx. .zip and other standard file extensions. Has someone come across this issue before? Any help is greatly appreciated let UsbDriveMount = DeviceEvents | where ActionType=="UsbDriveMounted" | extend ParsedFields=parse_json(AdditionalFields) | project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated, ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer | order by DeviceId asc, MountTime desc; let FileCreation = DeviceFileEvents | where InitiatingProcessAccountName != "system" | where ActionType == "FileCreated" | where FolderPath !startswith "C:\\" | where FolderPath !startswith "\\" | project ReportId,DeviceId,InitiatingProcessAccountDomain, InitiatingProcessAccountName,InitiatingProcessAccountUpn, FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied | order by DeviceId asc, TimeGenerated desc; FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId | where FolderPath startswith DriveLetter | where TimeGenerated >= MountTime | partition hint.strategy=native by ReportId ( top 1 by MountTime ) | order by DeviceId asc, TimeGenerated desc | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "") | extend FileHashAlgorithm = 'SHA256'
Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
Incident response: investigating a ransomware attack - Ninja Show
If you have any questions after watching this episode, please don't hesitate to ask them! Part 1: https://youtu.be/eLCrGe4-Zzc Part 2: https://youtu.be/q1s7lm3O9Sc Currently we have playbooks for ransomware, BEC attacks and for phishing incidents. Question for you all: what additional types of incidents would you like us to provide playbooks for?
