threat hunting
DeviceNetworkEvents table, UDP and IGMP events

Does the DeviceNetworkEvents table get all network events, or are there caveats? I want to know whether the Defender agents on the machines collect all TCP/UDP/ICMP/IGMP events, or whether there are specific events that are or are not collected. We don't see most UDP events. For example, we have a server listening on UDP, and when a client makes a UDP connection to the server, we expect to see UDP connection events in the DeviceNetworkEvents table. We mostly only see DNS UDP events. The same goes for ICMP and IGMP: we don't see IGMP events at all. Can somebody shed light on how these things work?
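
A quick way to answer the question above for a concrete device is to inventory what the sensor has actually written to DeviceNetworkEvents, broken down by Protocol and ActionType. The two queries below are an added example, not part of the original post; the device name `srv-udp-01.contoso.local` and the local port `5140` are placeholders and should be replaced with the server and UDP listener in question.

```kql
// Added example (not from the original post): what Protocol / ActionType combinations
// has the Defender for Endpoint sensor reported for this device in the last 7 days?
// If UDP (other than DNS), ICMP or IGMP never appear here, the sensor is not
// recording them for this host, regardless of what the host actually sends.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName =~ "srv-udp-01.contoso.local"   // placeholder device name
| summarize
    Events      = count(),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    SamplePorts = make_set(RemotePort, 10)
  by Protocol, ActionType
| order by Events desc

// Second check, run as a separate query: did the sensor see the UDP listener itself
// (listening / inbound action types), and which peers and processes were involved?
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName =~ "srv-udp-01.contoso.local"   // placeholder device name
| where Protocol =~ "udp" and LocalPort == 5140    // placeholder listener port
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
  by ActionType, RemoteIP, InitiatingProcessFileName
| order by Events desc
```

Advanced Hunting runs one query at a time, so submit the two statements separately. Comparing the Protocol/ActionType rows for a host whose traffic you know (for example, one where you generated the UDP traffic yourself) against what the query returns is the most direct way to see which event kinds the sensor records and which it does not.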

Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?

I tried to create a custom detection rule from a KQL query in Defender XDR Advanced Hunting, customizing various variables so that it could be submitted, but for this query to go through the remediation settings of the detection rule, I need the entity-identifiable columns like AccountUpn, which I need to union with the IdentityInfo schema. But the detection rule does not seem to support the `union *` thing, as in the attached picture: I searched for the same problem, which seems to occur in all systems using KQL, including Microsoft Sentinel Logs, but found no workaround. So, is there any way to achieve this objective without getting stuck on the `union *` problem?

How to use KQL to associate alerts with incidents?

There is no method I'm aware of to use KQL to query from an alert ID to an incident or vice versa. Please provide KQL examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table, which is only available when Sentinel is connected to XDR. Thank you.

DeviceLogonEvents & IdentityLogonEvents

Hey, I'm trying to fetch logon events via these two Advanced Hunting tables, DeviceLogonEvents and IdentityLogonEvents. Which events will appear in DeviceLogonEvents vs. IdentityLogonEvents? Are there events that will appear in DeviceLogonEvents and not in IdentityLogonEvents, or vice versa? As I understand it, these tables are based on Windows logon events; if so, what is the mapping from the Windows event to these tables? On DeviceLogonEvents, when does the UPN appear on the event? Sometimes it appears in the Additional Info map, sometimes in AccountName, and sometimes it doesn't appear at all (sometimes a weird username appears in the AccountName column). Thank you for your assistance.
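
Both the `union *` question above ("Cannot use union * for Defender Hunting query to Create Detection Rule") and the question about where the UPN shows up in DeviceLogonEvents come down to the same need: attaching AccountUpn (and AccountObjectId) to device-side events that only carry a SID and a SAM account name. The query below is an added example, not code from either post. It replaces `union` with a `join` against the latest IdentityInfo snapshot, keyed on the on-premises SID, and keeps the Timestamp, ReportId and DeviceId columns that custom detection rules require. The 30-day and 1-day windows and the choice of logon types are assumptions for illustration.

```kql
// Added example (not from the original posts): enrich DeviceLogonEvents with AccountUpn
// from IdentityInfo using join instead of union, in a shape a custom detection rule accepts.
let Identities =
    IdentityInfo
    | where Timestamp > ago(30d)
    | where isnotempty(OnPremSid)
    // IdentityInfo is a periodically refreshed snapshot: keep one row per on-prem SID,
    // otherwise the join multiplies every logon by the number of snapshots.
    | summarize arg_max(Timestamp, AccountUpn, AccountObjectId, Department, JobTitle) by OnPremSid
    | project OnPremSid, AccountUpn, AccountObjectId, Department, JobTitle;
DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess"
| where LogonType in ("RemoteInteractive", "Network")   // assumption: the logon types of interest
// leftouter keeps logons whose SID has no IdentityInfo match (local accounts, machine
// accounts); those rows come back with an empty AccountUpn, which is itself useful signal.
| join kind=leftouter Identities on $left.AccountSid == $right.OnPremSid
| project Timestamp, DeviceId, DeviceName, ReportId,
          AccountDomain, AccountName, AccountSid,
          AccountUpn, AccountObjectId, Department, JobTitle,
          LogonType, RemoteIP, RemoteDeviceName
```

When this is pasted into a custom detection rule, AccountUpn and AccountObjectId are available as impacted-entity columns for the remediation actions without any `union`; rows whose AccountUpn is empty after the join are the ones for which IdentityInfo has no record of that SID.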

Copilot on-prem?

Hi all, I am doing a bit of research about Copilot in Microsoft Defender XDR. I was looking at how this could benefit different companies in their day-to-day tasks and in-depth analysis. It looks promising, but what about companies that deal with sensitive information? Yes, all companies have sensitive data, but what about medical facilities and government agencies? I've seen that Copilot adheres to several standards like ISO 27001, 27017, 27018, and a few more, but the data is still shared with Microsoft. I have looked at the possibility of hosting an AI tool on-prem, but Copilot only enables on-prem integration with data sources of M365 services. The reason this isn't available on-prem is that it would require significant computational resources. Another reason (I assume) is the daily updates that Copilot would need to keep its database of known threats up to date. So what I'm interested in is: What would it take to host Copilot on-prem? Is on-prem hosting for Copilot going to be enabled in the near future? For companies that work in a Microsoft environment and want to help their security analysts but don't want to share sensitive information, what options does Microsoft offer (besides courses and training)?

Whitelisting Pentesting tools

Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions, or the node machine it uses to initiate connections, so that it no longer generates them, or so that the incidents linked to these activities are automatically resolved? Thank you for your help. HKN
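
Before tuning anything, it is worth knowing exactly which alert titles and detection sources the pentest account and host are producing, so that whatever rule is created is scoped to those and nothing broader. The query below is an added example, not part of the original post; the account names `svc-pentest` and `adm-pentest` and the host name `pentest-node01` are placeholders.

```kql
// Added example (not from the original post): enumerate the alerts generated by the
// pentest accounts / source host over the last 30 days, grouped the way a tuning
// rule is scoped (title, category, severity, detection source).
let PentestAccounts = dynamic(["svc-pentest", "adm-pentest"]);   // placeholders
let PentestHosts    = dynamic(["pentest-node01"]);               // placeholder
AlertEvidence
| where Timestamp > ago(30d)
| where AccountName in~ (PentestAccounts)
     or DeviceName has_any (PentestHosts)
| join kind=inner (
    AlertInfo
    | project AlertId, Title, Category, Severity, ServiceSource, DetectionSource
  ) on AlertId
| summarize
    Alerts    = dcount(AlertId),
    FirstSeen = min(Timestamp),
    LastSeen  = max(Timestamp),
    Accounts  = make_set(AccountName, 5),
    Devices   = make_set(DeviceName, 5)
  by Title, Category, Severity, ServiceSource, DetectionSource
| order by Alerts desc
```

The output is the list of alert titles that a suppression or alert-tuning rule in Defender XDR would need to cover, together with the evidence (account, device) it can be conditioned on. Scoping on both the account and the originating host, rather than on the title alone, keeps the same detection live for everyone else in the environment.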

Defender Deception Advanced Lures - verification

Hello everyone, I'm looking to deploy Defender deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results? Additionally, from an attacker's perspective, how would these account decoys be discovered? Thank you in advance.

How does Defender XDR work?

It's not easy to compose the right question to get the answers you are looking for. Defender XDR is driving me crazy. I used a simple KQL query to figure out which Windows machines in my network perform LDAP queries via PowerShell. The result was empty.

    // Posted query, with the port comparison made numeric (RemotePort is an int column)
    // and the process-name match made case-insensitive.
    DeviceEvents
    | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
    | where RemotePort in (389, 636)
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId

Then I queried LDAP via PowerShell from three machines, and after that the hunt was successful. Not instantly; it took some time until this "not security relevant information" found its way to the timelines of the machines. No chance for "near real-time detection". Last week I created a series of firewall rules in Intune to block powershell.exe from communicating on remote ports 389 and 636 and applied these rules to a group of machines. I fired the earlier-mentioned KQL query again today. I didn't expect to get a different result than last week, but exactly those machines that have the new firewall rules applied show up in my results for querying LDAP via PowerShell. I had also built a custom detection rule for starting an automated investigation, and it says: It looks a little bit weird to me. Any ideas?
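
One check a practitioner would want before reading the result above as "these machines perform LDAP queries" is whether the hits are successful connections or blocked attempts, and whether they are being read from the table that records outbound connections. The query below is an added example, not the original poster's query: it looks in DeviceNetworkEvents rather than DeviceEvents and splits the results by ActionType, so that ConnectionSuccess and ConnectionFailed rows are shown separately per device. The 7-day window and the inclusion of the Global Catalog ports 3268/3269 are assumptions.

```kql
// Added example (not from the original post): PowerShell connections to LDAP/LDAPS
// ports in DeviceNetworkEvents, broken down by device and connection outcome.
let LdapPorts = dynamic([389, 636, 3268, 3269]);  // 3268/3269 (Global Catalog) added as an assumption
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where RemotePort in (LdapPorts)
| summarize
    Attempts     = count(),
    FirstSeen    = min(Timestamp),
    LastSeen     = max(Timestamp),
    Targets      = make_set(RemoteIP, 10),
    CommandLines = make_set(InitiatingProcessCommandLine, 5)
  by DeviceName, ActionType, RemotePort
| order by DeviceName asc, ActionType asc
```

If the machines that received the Intune firewall rules appear only with ActionType `ConnectionFailed`, what the query is surfacing may be the blocked attempts rather than completed LDAP queries; machines that complete LDAP queries should show `ConnectionSuccess` rows. Keying a custom detection rule on ActionType as well as the port avoids treating the two cases the same way.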