threat analytics
Blocked by organization policy : Antimalware policy block by file type
Hi, can someone please shed some light on this? I am trying to identify if a DLP or anti-malware policy is blocking an email. The real-time detection has this: Primary Override: Source; Blocked by organization policy: Antimalware policy block by file type. Would this be one of the policies in Policies & rules > Threat policies > Anti-malware? I was hoping there would be a setting that can pinpoint the policy name or rule. Please advise.

How to Connect MS Secure Scores to Power Query?
The Microsoft 365 Defender Portal (https://security.microsoft.com/) has a 'Secure Score' page, which contains the following: an overall secure score, which is then broken down into Identity, Data, Device, and Application secure scores. I would like to be able to pull these four scores into a Power BI report; however, I have had some difficulty in putting together a solution. This data seems like it could be found in the Microsoft Graph API, but https://learn.microsoft.com/en-us/power-query/connecting-to-graph. I've tried other Defender APIs, but they all seem either outdated or out of scope for what I'm trying to pull. Can anyone advise? Thanks for reading.

Expiring server certificates
Hello. I have a question: Defender 365 displays information about expired and future certificates on given servers in a given location. Why does Defender display certificates that no longer exist on a given server? Is there any way to make this monitor work properly? Clearing the cache on given servers or restarting the Defender service on a given server also does not help, and Defender catches some certificate. Has anyone encountered something like this?

Secure Score per Device Group
Hello All, I want to ask if it's possible to add Secure Score calculation per Device Group/Tag in the Defender Secure Score overview. We manage multiple devices, some of which are handled by local IT and in different domains. We need a separate secure score calculation since it gives us an initial metric of where we are compared to other domains/device groups. You already have the option in Vulnerability Management > Security Recommendations (per device group); can we have it for Secure Score also? Best Regards, Nick

Advanced Threat Hunting - Exclusion by two (or more) conditions
Hello, I am searching for a possibility of excluding entries based on two conditions being met. For now I was excluding things with (examples):

    let InitiatingProcessCommandLineExclude = dynamic(['\"blalbabllbaa.blablaa\"']);

and

    let cmd_list = pack_array('/"microsoft.com/"');
    let cmd_regex = strcat("(^", strcat_array(cmd_list, ")|("), ")");

then doing, for example:

    let cmdExclusion = RemoteUrlExclusion
    | where InitiatingProcessCommandLine matches regex cmd_regex;
    Table
    | join kind=leftanti cmdExclusion on InitiatingProcessCommandLine
    | project blablalba
    | order by blalbalbbala

Though now I've run into entries that would be most easily excluded if I could set two conditions that exclude them (one is not enough because it would exclude too much; I don't want to lose precious data). Do you have any ideas what I could do? I think I'm having narrow-vision problems here.

#Edit1 Since there are still no replies, I thought about that and it is possible to:

1. Create a new table based on the events we want to filter.
2. Create 2 new arrays, store the conditions that we need inside, optionally using 'matches regex'.
3. Filter like that: table 1 | where Column1 matches 1st array | where Column2 matches 2nd array
4. Filter out events by a leftanti join from your 'main' table by joining this new table, or filter by one condition, put that out into a new table, and filter by the second condition.

Simple enough; my mind was clouded for a while. I'm going to try it and tell anyone who might look for it how it works.

#Edit2 Well, the problem is still how to be able to do it en masse, without creating lots of new tables. Or does it have no effect on query efficiency/CPU load? Then maybe creating lots of tables and then doing anti-joins is the way... Though it complicates the query a lot: creating tables for every item that I want to exclude based on 2 conditions...
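As an added example (not part of this thread or any of the posts above), the following advanced hunting query shows one way to drop an event only when two conditions hold at the same time, and to do that for an arbitrary list of condition pairs without creating a separate table per exclusion. It assumes the Microsoft Defender advanced hunting schema (DeviceNetworkEvents with InitiatingProcessCommandLine, RemoteUrl, ReportId and DeviceId); the command-line substrings and URL suffixes in ExclusionPairs are constructed sample values, and substring/suffix matching is used in place of the regex in the post because the both-conditions logic is the same either way.

```kql
// Added example, not from the thread. Assumes the Defender advanced hunting
// schema: DeviceNetworkEvents with InitiatingProcessCommandLine, RemoteUrl,
// ReportId and DeviceId (ReportId + DeviceId identify one event row).
// Each row of ExclusionPairs is one "exclude only if BOTH match" rule.
// The values below are constructed samples, not real exclusions.
let ExclusionPairs = datatable(CmdContains:string, UrlSuffix:string)
[
    "example-updater.exe", ".example-cdn.com",
    "example-agent.exe",   "telemetry.example.net"
];
let Events =
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | project ReportId, DeviceId, Timestamp, DeviceName,
              InitiatingProcessCommandLine, RemoteUrl;
// Cross-join every event with every rule (constant key k on both sides) and
// keep only the events where the command line AND the URL match the SAME rule.
let Matched =
    Events
    | extend k = 1
    | join kind=inner (ExclusionPairs | extend k = 1) on k
    | where InitiatingProcessCommandLine contains CmdContains
        and RemoteUrl endswith UrlSuffix
    | distinct ReportId, DeviceId;
// The anti-join removes only the events matched above; an event that matches
// just one half of a rule stays in the result, so no data is over-excluded.
Events
| join kind=leftanti Matched on ReportId, DeviceId
| order by Timestamp desc
```

For a single pair of conditions the same effect needs no join at all: `| where not(InitiatingProcessCommandLine matches regex cmd_regex and RemoteUrl matches regex url_regex)` with literal patterns keeps every row unless both match. The datatable form above is what scales when the list of pairs grows, since adding a rule is one more row rather than one more let-table and anti-join.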