threat hunting
113 Topics

Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 4 | Defender Experts for Hunting Overview
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: - How would YOU explain/describe Defender Experts for Hunting to someone? - Also in your own words: what is Threat hunting? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

XDR deception - decoy working - lures not deploying
Hi everyone, I am trying to create some custom deceptions with the help of this blog post: Stack Your Deception: Stacking MDE Deception Rules with Thinkst Canarytokens · Attack the SOC. The decoys are working (if I ping a host I specified, alerts are raised). But I cannot find the lures. I created some special lures for high privilege personas and placed them into {HOME}\ and a filepath beneath that. But I cannot find the files (show hidden is on). Are the folders also created by deception? It's 5 days now, so time should also not be the problem. How to troubleshoot? BR Stephan

IdentityLogonEvents table Roadmap
Is there a roadmap for this: consolidate all sign-in schema information into the IdentityLogonEvents table. This is with respect to AADSignInEventsBeta & AADSpnSignInEventsBeta being offered on a short-term basis to allow you to hunt through Microsoft Entra sign-in events. AADSpnSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn. AADSignInEventsBeta table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn

Advanced Hunting Opens Briefly, then goes blank
Hi, I have an issue in Advanced Hunting where the portal will open up briefly, but then go blank. This has been happening since Wednesday for me and I raised a ticket (#2405090050000419) with Microsoft for this on Thursday AM, but have yet to get a response and it just sits at 'A support agent is being assigned to your request'. I have tried accessing the AH area in Private Mode, via Chrome (Edge is my main browser) and clearing cache, but still no joy. I also disabled Dark Mode to see if that was the issue, as I know that Dark Mode does cause visibility issues in the XDR portal (especially when attempting to preview emails when investigating emails). This has also been https://twitter.com/crash0ver1d3/status/1789000106571649333 This isn't affecting other users in my tenant (based in UK) as they are still able to access the AH area without issue. We also haven't yet enabled the Unified SIEM/XDR as yet, so that isn't the issue. If it was, the issue is still only affecting my account, and no one else who has access to that area. Should be noted that they rarely use AH, so wouldn't have as many previously open AH tabs as I normally always do. I believe that I had approx. 10 or so tabs open for various queries I was looking up or creating. I am still able to access the Custom Detection Rules section which sits underneath that link without issue. This means that I am completely unable to run any AH queries currently, which is an issue.

Automated Investigation on endpoint
Long story short, we got an alert about a file being malicious. I searched our environment using both the filename and SHA1 hash and located the file on one endpoint. I initiated an investigation and the investigation status shows as "Failed" providing no causality for the failure. Is there someplace I can look to see why it failed and what I can do to correct it?

Accessing edge protection data from advanced hunting API
I am creating a Power BI report for visualizing Defender 365 data to external users that don't have access to the security portal using the advanced hunting API. The client would be interested in seeing the "edge protection" figures that are in the email & collaboration reports included in the Defender reports. But I can't seem to find the particular data anywhere in the Advanced Hunting data schema. Can I access the edge protection data from the API?