14 Topics

System and organization controls in XDR?
A recent Service Health post in the Office 365 Admin Center, regarding a problem with Defender XDR, says "This issue impacts tenant admins and users with system and organization controls (SOC) permissions." Is this a mistake? Do they mean "security operations center permissions" (i.e., Entra ID roles or RBAC roles) rather than "system and organization controls"? The former would make sense. Looking for any clarity anyone can provide on this post. Thanks in advance!

218 Views, 0 likes, 0 Comments

Help with KQL / Advanced Hunting - Antivirus Scan
Hi, trying to come up with a solution to find all devices via Advanced Hunting where a full scan was never successful. The report that can be downloaded via `Defender XDR > Reports > Device Health > Microsoft Defender Antivirus Health`, as well as the device health page, only provides the result of the last antivirus scan. If a device ran a full scan successfully in the past but the most recent full scan was cancelled, the report shows that the full scan failed. Here's an example of what I mean: the device health status shows "Full scan failed" with a failed scan on March 28, 2024 at 3:35:57 PM. When querying the device via Advanced Hunting (see query below) I receive the information that a full scan successfully ran on March 28, 2024 at 3:35:36 PM. Here's the query I am currently using; I already played around with it a little bit (distinct, summarize). I could export it to Excel and then remove duplicate entries but was hoping that can be done with KQL:

    DeviceEvents
    | where ActionType has_any ("AntivirusScanCompleted", "AntivirusScanCancelled")
    | extend AdditionalFields = parse_json(AdditionalFields)
    // bracket indexing into the parsed dynamic column (the ".[" form is not valid KQL)
    | extend ScanType = AdditionalFields["ScanTypeIndex"]
    | where ScanType == "Full"
    | project Timestamp, DeviceName, ActionType

This is the result I would like the query to return. If any device has had an entry for `ActionType == AntivirusScanCompleted` and `ScanType == Full`, then all rows for that device should be removed.

2.3K Views, 0 likes, 2 Comments

DeviceNetworkEvents does not refer to any known table.
When attempting to run an advanced hunting query, I'm receiving this error message at more than half of our clients. Most are on Business Premium licensing, which includes Defender for Business. Does anyone have any information regarding this error? Is this a licensing issue, or do we need to turn on more audit logs at the device level to include this table in queries?

656 Views, 0 likes, 0 Comments

Dark Mode in Defender and Email Preview Issues in Explorer
Hi, when you are investigating an email for phishing or for another reason via Email & Collaboration > Explorer, and you then select the email to investigate and use the Email Preview option, you are unable to clearly look at the email itself because Dark Mode makes the text really hard to read. Is this something that can be fixed, but without the end user having to disable Dark Mode?

501 Views, 0 likes, 1 Comment

KQL script report last reboot/reset endpoint devices (Workstations/Laptops)
Hello everyone, I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots. To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device. I've attempted to use the following KQL script in different ways without success:

    DeviceEvents
    | where ActionType == "Restarted" or ActionType == "Shutdown"
    // the DeviceEvents timestamp column is named Timestamp, not EventTime
    | summarize LastReboot = max(Timestamp) by DeviceName

Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore. Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance!

Best regards,
Sergio

1.8K Views, 1 like, 0 Comments

Hunting API error: Query execution has exceeded the allowed limits.
I encounter an intermittent error when running a hunting query on https://security.microsoft.com/advanced-hunting. Although the query sometimes executes successfully, it occasionally produces the following error: "Query execution has exceeded the allowed limits. The query execution was preempted. This could possibly be due to high CPU and/or memory resource consumption. Optimize your query by following best practices and try again." I'm curious whether there are any other restrictions on the number of requests beyond those mentioned in the docs. Upon reviewing the Query resource, it indicates 0 instances of excessive usage in the last 30 days for both API and portal.

1.2K Views, 0 likes, 1 Comment