siem
25 Topics

Defender console - Disabled Connected to a custom indicator & Connected to an unsanctioned
Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.
Issue: I want to know how I can disable the two following alerts: "Disabled Connected to a custom indicator" and "Connected to an unsanctioned blocked app". Those alert types need to be enabled or disabled on demand, like the other alert types.
Why's that: Description of the workload: When we block (unsanction) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created this way, the box to generate an alert when the indicator is triggered is checked. We would like to automatically uncheck the box or disable the alerts described.
Possible to disable the custom alert in settings? No. Why? Explanation: You cannot suppress "custom detection". But they are categorized as "Informational" and you can suppress by severity alert type.
Solutions: IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the Resolved incident ingestion and falsify your SOC optimization reports. The rule automatically closes only the "Informational" alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:
Rule Analysis: From the updated rule configuration screenshot, it appears that you've set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., "Malware was detected in an email message", "unwanted software", "malware", "trojan"). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here's a breakdown of how it's working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts.
So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,

Support for LDAPS Auth events in XDR IdentityLogonEvents table?
We have a requirement to implement LDAPS auth for an appliance against AD DCs in a legacy environment. The DCs are running Defender for Identity. While testing, using LDAP, I can trace login events in the IdentityLoginEvents table; however, when switching to LDAPS, I can't see any related events logged here. Interactive logins using LDAPS are working successfully, as expected, and appear in the Windows event log as EventID 4776 on the DC (but don't appear in the Defender portal). It was then that I discovered that this is expected behaviour according to the list of supported logon types listed here: IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn. I'm puzzled that XDR would support a cleartext legacy authentication method like LDAP, but would not support the more secure LDAPS protocol. Is there any rationale for this, or intention to introduce support?

GDAP Permissions in XDR Unified Security Experience
Hi folks, hope someone might know how to sort this one... Here's a screenshot of the same tenant. On the left is our CSP GDAP'd to Global Admin. On the right is a proper GA in the tenant. Not only is the interface different (see the options in the left column), certain incidents and alerts aren't visible to the GDAP'd GA, nor are certain tables (DeviceEvents, SigninLogs) using Advanced hunting. I know there are new RBAC roles available for Defender, but everything I've read states that if the GDAP'd role has GA we should be good. What gives? Thanks, Ross.

New Sentinel Integration Causing a Single Large Incident
I migrated Sentinel to the new Defender XDR connector, giving it access to the SecurityAlerts and SecurityIncident tables. Defender's entity matching is now creating one large incident out of pretty much every Sentinel incident raised, meaning if we close it, it is just going to re-raise as the entity graph grows. Has this happened to anyone else? How can we stop this from happening?

Do Defender XDR Custom RBAC Roles stack?
Are permissions granted by Defender XDR Unified RBAC Custom Roles additive? For instance, if a user uses PIM to assume a role with permissions A & B, and then uses PIM a second time to assume a role with permissions C & D, will the user then have permissions A, B, C, & D? Or will they only have permissions C & D?

Microsoft XDR and Defender for Endpoint to Sentinel
Hi everyone, I have a lab environment:
- 01 CDX tenant, MDE trial 90-day (https://cdx.transform.microsoft.com/) - MDE licensed and devices onboarded
- 01 Azure subscription ($200/month) from my MCT subscription - Sentinel enabled here, Azure Arc enabled here
I'm trying to forward/connect 01 CDX tenant MDE XDR and endpoint to Sentinel (MCT subscription). Tried the following articles: https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration. At this one IExplorer breaks: Fetch Microsoft Defender XDR incidents | Microsoft Learn. Error Code: INET_E_CANNOT_CONNECT. Any thoughts? Thanks in advance. Thiago B.

Include missing ActionTypes in DeviceEvents
Hi all, there is a discrepancy between those events with certain ActionTypes that are viewable in the timeline view of a device and those able to be searched in Advanced Hunting in KQL. This means no custom detections can be made, and threatening based on them is not possible. This article lists 61 events that are missing in the DeviceEvents table: https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x04-timeline-3f01282839e4. Please can this data be included? Kind regards, Felix