Latest Discussions
Are critical asset management rules incompatible with Entra ID?
I am trying to create some custom asset management rules based on filters like logged-on username, user criticality, and user groups. No matter what I try, no assets show up. Even if I use the format azuread\<username>, no assets are returned by the filter. Are these filters incompatible with Entra ID? Do they only work with on-premises AD?
SKadish, Mar 10, 2025, Brass Contributor (39 views, 0 likes, 3 comments)

Defender XDR Unified Audit Logs
Hi, there used to be a Unified Audit Logs option in Defender XDR Settings under "Endpoints". This option has now disappeared. When I try to search for Defender XDR events, such as isolating devices etc., using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable XDR auditing from the Defender XDR or Purview portals?
ghjneam1, Mar 10, 2025, Copper Contributor (113 views, 0 likes, 2 comments)

Disabling Security Copilot Embedded Experience in Microsoft Defender XDR
We are currently trialing Microsoft Security Copilot for specific use cases within our organization. However, due to our RBAC setup, many of our security administrators have default access to the embedded Copilot experience in Microsoft Defender XDR. This is consuming SCUs unnecessarily. Is it possible to disable or limit the embedded Security Copilot experience in XDR for certain users or roles while still maintaining access to other XDR features? We would like to optimize SCU usage while ensuring that only authorized personnel can utilize Copilot's capabilities.
Subha822250, Mar 10, 2025, Occasional Reader (15 views, 0 likes, 1 comment)

Issue with log collection from Microsoft XDR to Azure storage
Hello, we are currently facing an issue with collecting logs from Microsoft XDR and forwarding them to Azure Storage. We are aware of the two methods below for forwarding logs from Microsoft XDR to Azure:
- Forward events to Azure Storage
- Forward events to Azure Event Hub

Issue details:
- Method 1: When using the "Forward events to Azure Storage" approach, we end up with different containers being created for each event, but we would prefer to have all the events stored in a single container.
- Method 2: When using the "Forward events to Azure Event Hub" approach, we are able to store all the events in a single container, but in this case the logs are stored in Avro format instead of JSON, which is not our desired format.

Our goal is to store all event logs in one single container in JSON format. Has anyone faced this issue or found a way to achieve this setup? Any guidance or solution would be greatly appreciated. Thank you!
Margi, Mar 10, 2025, Copper Contributor (22 views, 0 likes, 1 comment)

Defender Deception Advanced Lures - verification
Hello everyone, I'm looking to deploy Defender Deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results? Additionally, from an attacker's perspective, how would these account decoys be discovered? Thank you in advance.
(51 views, 0 likes, 3 comments)

How does Defender XDR work?
It's not easy to compose the right question to get the answers you are looking for. Defender XDR is driving me crazy. I used a simple KQL query to figure out which Windows machines in my network perform LDAP queries via PowerShell. The result was: empty.

    // Look for PowerShell processes talking to LDAP (389) or LDAPS (636)
    DeviceEvents
    | where InitiatingProcessFileName == "powershell.exe" or InitiatingProcessFileName == "pwsh.exe"
    | where RemotePort in (389, 636)   // RemotePort is an integer column
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId

Then I queried LDAP via PowerShell from three machines, and after that the hunting was successful. Not instantly; it took some time until the "not security relevant information" found its way to the timelines of the machines. No chance for "near real-time detection". Last week I created a series of firewall rules in Intune to block powershell.exe from communicating on remote ports 389 and 636 and applied these rules to a group of machines. I fired the earlier mentioned KQL query again today. I didn't expect to get a different result than last week, but exactly those machines that have the new firewall rules applied show up in my results for querying LDAP via PowerShell. I had also built a custom detection rule for starting an automated investigation and it says: It looks a little bit weird to me. Any ideas?
(47 views, 0 likes, 1 comment)

How does Defender detect file version limit default changes?
Hi all, I am currently reviewing a historic article that mentions a cloud ransomware attack where attackers can change the default number of file versions saved by default. They change this from the default 500 to 1 and then save over your files to make them unrecoverable. Apparently this doesn't need admin credentials; a standard user can do this themselves. All of the Microsoft guidance says that Microsoft is protected against cloud ransomware attacks of this type because of the file versioning feature, as well as being able to contact Microsoft for 14 days after such an incident so they can retrieve your data. My questions are:
- Where do I find what the current settings are for file version limit defaults? Is it in the OneDrive/SharePoint admin centres?
- How do I find out whether such a change has been made?
- Is there an alert already configured in Defender to detect such a change? If not, does anyone know how to set one up, e.g., KQL and a custom detection?

I tried asking Copilot, but it just sends me to the official Microsoft documentation, so any help is greatly appreciated.
akl472, Feb 28, 2025, Copper Contributor (44 views, 0 likes, 4 comments)

Scanning of Archive files
When scanning archive files, we find that depending on the amount of archive files present (say on SQL Server backups), the system disk space is used to unpack and scan the file. This can cause the system drive to run out of disk space, and cause the scanning to fail or the system to fail. At the moment there does not seem to be any configuration for where to extract the temporary files for scanning. Can we add an option for this?
SailCorpse, Feb 28, 2025, Copper Contributor (15 views, 0 likes, 1 comment)

Dynamic Blocklist in Microsoft Defender XDR
Hello Community, I have one question, and I think it is a request that could be useful to everyone. We have a dynamic list that is published over the internet in read-only (into this list we put IOCs like malicious domains or bad-reputation IPs); it is a txt file. Is there a possibility from MDE or MDC to block all connections to these IOCs? Or do MDE and MDC not support dynamic blocklists? Regards, Guido
Solved. GuidoImpe, Feb 27, 2025, Brass Contributor (49 views, 0 likes, 2 comments)

Missing auditability on use of Explorer and Advanced Hunting
Considering Defender for Office's Explorer and Advanced Hunting can be used to get insight into very sensitive data, we assumed this activity is auditable, but unfortunately it is not. A Microsoft Support request confirmed it's not, and we're confused as to why and would strongly request Microsoft to implement audit tracking for any user, including the queries used. Explorer gives access to email subjects and Advanced Hunting can be used to view users' files etc., so from a GDPR and tracking point of view we need to be able to audit our SOC team and other admins on when they access potential personal information.
Pal Espen Bru, Feb 27, 2025, Copper Contributor (42 views, 0 likes, 1 comment)