threat hunting
116 Topics

Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 4 | Defender Experts for Hunting Overview
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with:
- How would YOU explain/describe Defender Experts for Hunting to someone?
- Also in your own words: what is Threat hunting?
This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion

Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via:

Path: Settings > Microsoft Defender XDR > General > Preview features

Under this section, users can opt into three distinct integrations:
- Microsoft Defender XDR + Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps

Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy.

This raises important questions about:
- What specific technical capabilities are introduced by each preview feature?
- Where exactly are these feature parameters reflected in the MDE console?
- What happens if an organization chooses not to enable these preview features?
- Are there alternative ways to access similar functionalities through public preview or general availability?

XDR deception - decoy working - lures not deploying
Hi everyone, I am trying to create some custom deceptions with the help of this blog post: Stack Your Deception: Stacking MDE Deception Rules with Thinkst Canarytokens · Attack the SOC. The decoys are working (if I ping a host I specified, alerts are raised). But I cannot find the lures. I created some special lures for high privilege personas and placed them into {HOME}\ and a filepath beneath that. But I cannot find the files (show hidden is on). Are the folders also created by deception? It's 5 days now, so time should also not be the problem. How to troubleshoot? BR Stephan

IdentityLogonEvents table Roadmap
Is there a roadmap for this: consolidate all sign-in schema information into the IdentityLogonEvents table. This is with respect to AADSignInEventsBeta & AADSpnSignInEventsBeta being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events.
AADSpnSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn
AADSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn

Advanced Hunting Opens Briefly, then goes blank
Hi, I have an issue in Advanced Hunting where the portal will open up briefly, but then go blank. This has been happening since Wednesday for me and I raised a ticket (#2405090050000419) with Microsoft for this on Thursday AM, but have yet to get a response and it just sits at 'A support agent is being assigned to your request'. I have tried accessing the AH area in Private Mode, via Chrome (Edge is my main browser) and clearing cache, but still no joy. I also disabled Dark Mode to see if that was the issue, as I know that Dark Mode does cause visibility issues in the XDR portal (especially when attempting to preview emails when investigating emails). This has also been https://twitter.com/crash0ver1d3/status/1789000106571649333 This isn't affecting other users in my tenant (based in UK) as they are still able to access the AH area without issue. We also haven't yet enabled the Unified SIEM/XDR as yet, so that isn't the issue. If it was, the issue is still only affecting my account, and no one else who has access to that area. Should be noted that they rarely use AH, so wouldn't have as many previously open AH tabs as I normally always do. I believe that I had approx. 10 or so tabs open for various queries I was looking up or creating. I am still able to access the Custom Detection Rules section which sits underneath that link without issue. This means that I am completely unable to run any AH queries currently, which is an issue.

Automated Investigation on endpoint
Long story short, we got an alert about a file being malicious. I searched our environment using both the filename and SHA1 hash and located the file on one endpoint. I initiated an investigation and the investigation status shows as "Failed", providing no causality for the failure. Is there someplace I can look to see why it failed and what I can do to correct it?