response actions
41 Topics

Defender console - Disabled Connected to a custom indicator & Connected to an unsanctioned
Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.

Issue: I want to know how I can disable the two following alerts:
- Disabled Connected to a custom indicator
- Connected to an unsanctioned blocked app

These alert types need to be enabled or disabled on demand, like the other alert types.

Why's that? Description of the workload: when we block (unsanction) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created this way, it checks the box to generate an alert when the indicator is triggered. We would like to automatically uncheck the box or disable the alerts described.

Possible to disable the custom alert in settings? No. Why? Explanation: you cannot suppress "custom detection". But they are categorized as "Informational", and you can suppress by alert severity type.

Solutions:

IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the resolved incident ingestion and distort your SOC optimization reports.

The rule automatically closes only the "Informational" alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:

Rule Analysis

From the updated rule configuration screenshot, it appears that you've set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., "Malware was detected in an email message," "unwanted software," "malware," "trojan"). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here's a breakdown of how it's working:

1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed.

This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review.

Regards,

New Email Response Actions in Microsoft Defender XDR
Hi,

Can Microsoft please allow the use of punctuation when adding a new Rule Name or in the description for this functionality? The example below is when adding a new rule name, using a hyphen (so that on first look, a user can see that the rule was created for a manual action). In the description, it doesn't allow you to use any commas or any full stops (periods).

Ninja Cat Giveaway: Episode 10 | Identity Threat Detection and Response
For this episode, your opportunity to win a plush ninja cat is the following: our season finishes here! After learning about this last topic, tell us your thoughts on the Microsoft 365 Defender approach to ITDR.

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted, and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion

Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via:

Path: Settings > Microsoft Defender XDR > General > Preview features

Under this section, users can opt into three distinct integrations:
- Microsoft Defender XDR + Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps

Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about:
- What specific technical capabilities are introduced by each preview feature?
- Where exactly are these feature parameters reflected in the MDE console?
- What happens if an organization chooses not to enable these preview features?
- Are there alternative ways to access similar functionalities through public preview or general availability?

Advanced Hunting along with a Custom Detection Rule
Good afternoon,

I need some help setting up a KQL query in Advanced Hunting along with a Custom Detection Rule to automatically isolate devices where a virus or ransomware is detected. The rule must run at NRT (Near Real-Time) frequency. We are using Microsoft Defender for Business, which is included in the Microsoft 365 Business Premium license. Would any kind community member be able to provide me with a starting point for this? Thank you in advance!

How to get alerted on pending items in the Action Center
Good morning all!

Part of my daily duties is to ensure that items in the Action Center are acted upon in a timely manner. I have been trying to find ways to be alerted on new items, but there is nothing in Microsoft documentation, or anything that is obvious. I have scoured the internet, where I stumbled upon an old post about having to use a PS script, but there has to be some sort of notification Microsoft can send out on these items?! Since these items are time sensitive, I am having to check constantly for any new soft/hard delete emails.

Delete computer application - Defender 365
Hey,

I'm trying to fix weaknesses that are flagged in our Microsoft 365 Defender. I created an Intune package to install the new version of Firefox; however, it didn't remove the old versions. Is there a way for me, using Defender/Intune/GPO, to remove multiple old versions of Firefox, for example, that are installed on the users' computers? I can see the list of devices that are affected, but how can I fix it as quickly as possible? Thanks!

THE VIRTUAL NINJA SHOW SEASON 4 RECAP
Did you miss any of the Ninja Show this season? Not to worry! We have assembled a synopsis of each episode highlighting the central focus points established in our discussions. (However, reading the main points is never as good as the real thing... Watch any episode on demand here!)

Overview: Episodes 1-5 of this season were part of our first mini-series! Focused on incident response cases, experts from several teams across the Microsoft 365 Defender suite shared their knowledge regarding incident investigations as well as the critical tools and capabilities available to help improve defense in any organization. Episodes 6-8 shifted gears and included content about Microsoft Defender for Cloud Apps, near real-time custom detection rules in M365D, and new Microsoft Teams protections!

Ep 1: Oren Saban kicked off our Incident Response series by sharing IR investigation capabilities in Microsoft 365 Defender. We introduce how to best use the attack story view in the Defender portal, dive into the benefits of alert insights, and provide a guided walkthrough of a specific incident investigation that demonstrates how to pivot on affected entities to confirm nothing is being missed, with a special segment unveiling the updated File Content page (coming soon)!

Ep 2: Michael Melone shifts us into an IR investigation of malware. Here we learn the ABC's (and D!) of IR, a simplistic approach to manage malware incidents effectively. Through Michael's demo you will also find updated advanced hunting capabilities in Microsoft 365 Defender and get to know the process of connecting alerts to primary incidents, creating a comprehensive view of an attack.

Ep 3: Pawel Partyka unveils the impacts of business email compromise incidents (cyberattacks with financial fraud motivation) through an in-depth attack investigation. Takeaways we found critical were:
- Understanding the complexities of AiTM (adversary in the middle) phishing
- Identifying the various connections of an attack story through the threat factors uncovered in the Microsoft 365 Defender portal
- The Recommended actions tab in Microsoft 365 Defender to help prevent damage to your assets
Pawel's demo walks through each step of the process extremely diligently.

Ep 4 & 5: Corina Feuerstein wraps up our IR focus with a two-part investigation of a ransomware incident. Part 1 defines human-operated ransomware and the numerous phases of impact on an organization. Using a multi-stage incident generated by Microsoft 365 Defender, she shares how attackers use automation and exhibits how automated attack disruption defends at an even faster speed, enabling isolation tactics that prevent them from gaining a larger foothold within the enterprise. We also follow a ransomware playbook to assist during the containment and incident response phase of the attack, showing how to investigate step by step, verifying the attack is disrupted and preventing future risks. Part 2 continues our ransomware investigation using advanced hunting KQL queries. We dig into the behaviors and processes of the attack, learn the benefit of adding indicator markers, and make note of the tagging capability to review and connect future incidents. Key takeaways also include learning about remediation procedures, prevention tactics, and professional recommendations to improve security posture.

Ep 6: Keith Fleming brings us out of incident investigations and explains the latest updates in Microsoft Defender for Cloud Apps! He first shares the 4 simple steps to deploy this product in your environment to confidently secure your applications and protect your data. Then, our conversation leads into a demonstration of:
- Connecting SaaS applications to Defender for Cloud Apps and receiving additional insights from these connections
- Explaining the Activity Log, where you can take part in advanced hunting without KQL expertise!
- Enabling the Defender for Endpoint connection and gaining rich insights without the use of a proxy
There are so many more valuable resources shared throughout this episode, only matching the constant progress happening in the Defender for Cloud Apps world.

Ep 7: Microsoft 365 Defender launched near real-time (NRT) custom detection rules, and Christos Ventouris expertly dives into the benefits of this public preview feature. Watch this episode to learn:
- What custom detection rules are
- How you can create and modify them to your needs using advanced hunting queries
- The positive impact these near real-time rulesets make when it comes to mitigating threats in your organization as quickly as possible

Ep 8: Closing out our fourth season are Senior Product Managers Malvika Balaraj and Daniel Mozes! They unveil an added layer of security within the Defender for Office suite: the collaboration and security within Microsoft Teams. Topics of focus are the new features Defender for Office 365 brings to Microsoft Teams. We learn how Microsoft 365 Defender blocks and removes malicious links or files from Teams or SharePoint, and the self-reporting capability for files that may be a security risk, allowing a more proactive approach to prevent phishing attacks by educating users on basic security measures.

Et voilà! The end of another great season. We are extremely grateful to have the opportunity to help minimize learning gaps in the Microsoft Security community through the Virtual Ninja Show, but please help us keep it relevant to your needs! Add a comment including any topics you would like to see us bring forth next season so we can deliver what is helpful to you.

Until next time, ninjas!

Incident response: investigating a ransomware attack - Ninja Show
If you have any questions after watching this episode, please don't hesitate to ask them!

Part 1: https://youtu.be/eLCrGe4-Zzc
Part 2: https://youtu.be/q1s7lm3O9Sc

Currently we have playbooks for ransomware, BEC attacks and for phishing incidents. Question for you all: what additional types of incidents would you like us to provide playbooks for?
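Two KQL queries added here as an editor's starting point; they are not from the Ninja Show episode above and not from the "Advanced Hunting along with a Custom Detection Rule" thread, but they serve both. Query A is shaped for the custom detection asked about in that thread: a rule that isolates a device when antivirus reports a detection. It reads a single table, because continuous (NRT) frequency requires a single-table query with no join or union, and it keeps the Timestamp, ReportId and DeviceId columns that a custom detection rule and its "Isolate device" action require. Query B is an Advanced Hunting query in the style of the episode's Part 2 investigation, looking for the recovery-impairing commands that commonly precede encryption. Assumptions of mine: the ThreatName and WasRemediated keys inside DeviceEvents.AdditionalFields, the threat-family substrings, the seven-day window and the command-line patterns. Confirm that advanced hunting and custom detection rules are exposed under your tenant's license before building on either.

```kql
// Query A: candidate for a custom detection rule at continuous (NRT) frequency.
// Single table, no join/union; Timestamp, ReportId and DeviceId stay in the output
// so the rule can attach a device-isolation action.
// Added example. The AdditionalFields keys and the family substrings are assumptions.
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend Fields = parse_json(AdditionalFields)
| extend ThreatName = tostring(Fields.ThreatName),
         WasRemediated = tobool(Fields.WasRemediated)
// Narrow to the families you are willing to auto-isolate for; review the tenant's
// actual ThreatName values before widening or dropping this filter.
| where ThreatName has_any ("Ransom", "Trojan", "Backdoor")
| project Timestamp, ReportId, DeviceId, DeviceName, ThreatName, WasRemediated,
          FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Query B: hunting query for ransomware precursors (Advanced Hunting only: the
// summarize drops ReportId, so this shape cannot carry a response action).
// Patterns cover shadow-copy deletion, disabling Windows recovery and backup
// catalog deletion; assumed list, extend it with what your incidents show.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows"))
     or (FileName =~ "wmic.exe"     and ProcessCommandLine has_all ("shadowcopy", "delete"))
     or (FileName =~ "bcdedit.exe"  and ProcessCommandLine matches regex @"(?i)recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")
     or (FileName =~ "wbadmin.exe"  and ProcessCommandLine has_all ("delete", "catalog"))
| summarize Commands  = make_set(strcat(FileName, " ", ProcessCommandLine), 20),
            Count     = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp)
         by DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by LastSeen desc
```

Before saving Query A as a rule, run it in Advanced Hunting over the last 30 days and look at what it would have isolated: device isolation is disruptive, and a remediated commodity detection on a user's laptop may not justify it, so the ThreatName filter (or a `where WasRemediated == false` clause) is the knob to tune. For Query B, a device that shows two or more of the listed commands from the same initiating process is the one to pivot on first in the attack story view.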