Defender - Cloud Activity Logs suspicious

Hi, I just noticed these logs from Defender - Cloud Apps > Activity Logs. It seems all our Microsoft Cloud PCs have these logs. They look suspicious to me, as it seems to be querying our Domain Admins account, but I would like to confirm. If this is suspicious, can you help with how to mitigate it, please? Thank you.

Administrative activity from a non-corporate IP address
Hi, Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies. The event description is: Change sharing policy: OneDrive Site Collection https://xxxx-my.sharepoint.com/personal/user_domain_fi; Parameters: property Share Using Anonymous Links True, property Share With Guests, property ShareUsingAnonymousLinks From False To True, property ShareUsingAnonymousLinks - New Value True. Anonymous links are not allowed, and when checking the user's OneDrive site collection settings after the alert, it is still not allowed. Are these only false positives? The matched policy is "Administrative activity from a non-corporate IP address" and the Alert Product is Microsoft Defender for Cloud Apps. ~ Jukka ~

Defender XDR - how to grant "undo action" Permissions on File Quarantine?
Dear Defender XDR Community, I have a question regarding the permissions to "undo action" on a file quarantine action in the Action center. We have six locations, and each location manages its own devices. We have created six device groups so that accounts from Location 1 can only manage/see devices from Location 1 as well. Then we created a custom "Microsoft Defender XDR" role with the following permissions. This way the admins from Location 1 can manage all Defender for Endpoint devices / incidents / recommendations etc. without touching devices they aren't managing. Very cool, actually! BUT: if a file gets quarantined, it might need to be released again because of a false positive etc. I can do that as a global admin, but not as an admin with granularly assigned rights; the option just isn't there. I don't want to give those admins a more privileged role because of, you know, least privilege, but I don't have the option to allow "undo action" on file quarantine events. Besides that being a critical feature for them to manage their own devices, it would save me having to de-quarantine files I don't care about. Any thoughts on how to give users this permission?

Defender console - Disabled Connected to a custom indicator & Connected to an unsanctioned
Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.

Issue: I want to know how I can disable these two following alerts:
Disabled Connected to a custom indicator
Connected to an unsanctioned blocked app
Those alert types need to be enabled or disabled on demand, like the other alert types.

Why's that? Description of the workload: When we block (unsanction) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created this way, it checks the box to generate an alert when the indicator is triggered. We would like to automatically uncheck the box or disable the alerts described.

Possible to disable the custom alert in settings? No. Why? Explanation: You cannot suppress "custom detection". But they are categorized as "Informational", and you can suppress by severity alert type.

Solutions:
IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the Resolved incident ingestion and skew your SOC optimization reports.

The rule automatically closes only the "Informational" alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:

Rule Analysis: From the updated rule configuration screenshot, it appears that you've set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., "Malware was detected in an email message," "unwanted software," "malware," "trojan"). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here's a breakdown of how it's working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed.
This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review.

Regards,

Incidents from Custom Detection Rules never have Emails for Evidence
// Sender/recipient addresses to ignore (values redacted by the author)
let ignoreAddresses = datatable(address:string) [
    @'email address removed for privacy reasons',
    @'email address removed for privacy reasons'
];
// Subjects of known spam/newsletter mail to ignore
let ignoreSpamSubjects = datatable(subject:string) [
    @'ignored subject 1',
    @'ignored subject 2'
];
// Time range needs to be set in the UI dropdown in order for the LatestDeliveryLocation
// filter to work (i.e., live table vs streaming API).
EmailEvents
// Only mail whose sender domain is one of our own Exchange Online accepted domains
| where SenderFromDomain in~ (_getEXOAcceptedDomains)
// Flagged by URL reputation, excluding ignored sender/recipient addresses
| where DetectionMethods has_any ('URL detonation reputation', 'URL malicious reputation')
    and not (RecipientEmailAddress in~ (ignoreAddresses) or SenderFromAddress in~ (ignoreAddresses))
| where not (Subject has_any (ignoreSpamSubjects))
// Inbound mail that passed DMARC, or intra-org mail
| where (parse_json(AuthenticationDetails).DMARC =~ 'Pass' and EmailDirection =~ 'Inbound')
    or (EmailDirection =~ 'Intra-org')
// Still in Quarantine/Junk (not released) and classified as Phish
| where (LatestDeliveryLocation in~ ('Quarantine', 'Junk folder') and not (LatestDeliveryAction =~ 'Quarantine release'))
    and parse_json(ConfidenceLevel).Phish in~ ('Normal', 'High')
// Attach the list of URLs seen in each message
| join kind=inner (
    EmailUrlInfo
    | summarize Urls = make_list(Url) by NetworkMessageId
) on NetworkMessageId

I've got the above query saved as a detection rule, which works fine except for one thing: the emails are never present in the Evidence tab of the generated incidents. Meanwhile, the Recipients show up in the Mailbox and User assets, as I'm using Entity mapping to map the RecipientEmailAddress / RecipientObjectId to those 2 entity types. The only thing I can find about Emails is that for Actions to be possible on the Emails in the query results, "The columns NetworkMessageId and RecipientEmailAddress must be present in the output results of the query to apply actions to email messages." (ref), which is being satisfied. The Evidence available is the IP of the sender and an empty email cluster, like this: In the incident above there are 2 emails, and the 4 assets are the user and mailbox for each of the 2 emails' Recipient.

I can successfully just use the query manually to find and manage those emails, but a big part of the goal with these detection rules, at least in my opinion, is to be able to easily manage the evidence. In this exact case, I'm looking for inbound emails coming from our own Accepted Domains in the SenderFromAddress, which pass DMARC but are in Quarantine, detected as Phish. The idea is to watch out for false positives due to URL detonation reputation, since most of the messages fitting these criteria are coming in from various emailing services (e.g., Constant Contact, MailChimp, SendGrid, etc.), and these services tend to end up on the reputation lists a few times per month. Just wondering if there are any tricks anyone knows about to help me populate the emails into my resulting incidents.

Help with custom role for Service desk staff
I've been tasked with granting members of our Service desk the ability to perform 2 specific actions against user accounts within the Defender portal. Please see the attached screenshot. Suspend user in Entra ID. Require user to sign in again. Does anyone know if this is possible? I can't find any Microsoft documentation explaining what level of permission is required to perform these actions. Regards, Graham

Defender for Servers Alerts in XDR portal
Hello MSFT, Currently we are a CSP and aren't able to view alerts over GDAP that pertain to Defender for Cloud. We can see that they are in the Incidents/Alerts queue; however, we cannot go into the alert/incident. Currently our analysts have Security Operator and Security Reader. Additionally, our clients use URBAC and have the MDE tab enabled. Any insights into this would be beneficial, as we are hampered by this lack of visibility and cannot respond to client alerts.

How to get alerted on pending items in the Action Center
Good morning all! Part of my daily duties is to ensure that items in the Action Center are acted upon in a timely manner. I have been trying to find ways to be alerted on new items, but there is nothing in Microsoft documentation, or anything that is obvious. I have scoured the internet, where I stumbled upon an old post about having to use a PS script, but there has to be some sort of notification Microsoft can send out on these items?! Since these items are time sensitive, I am having to check constantly for any new soft/hard delete emails.