Latest Discussions
Advanced Hunting Data Schema
Hello everyone, I have a question regarding the use of the schema for Advanced Hunting queries. We are an organization with several companies under our holding. I need to retrieve the USB connections on the machines, but only for one company and not the others. I need to sort on the Company Name for the user, but in the Advanced Hunting schema there are no fields to filter on this. I looked specifically in UserInfo and DeviceInfo. Here is the query I use to detect USBs. I need to filter by CompanyName to retrieve the list of devices or users for this company only.

DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project Timestamp, DeviceName, DeviceId = tostring(parsed.DeviceId), ClassName = tostring(parsed.ClassName)
| where ClassName == "DiskDrive"
| summarize UsbFirstSeen = min(Timestamp), UsbLastSeen = max(Timestamp) by DeviceId, DeviceName;

Is there another solution? Thanks in advance for your answers.

HKN, Dec 23, 2024, Copper Contributor, 13 views, 0 likes, 0 comments

Deploying Defender for Business without o365 accounts
Hi, I have a few SMB customers who, due to the nature of their business, do not want/need o365 accounts. Besides, their company policy does not allow them to store any business data in clouds abroad. However, they all have their local AD domain and a Windows-only environment. Now, I would like to set up Defender for Business + Huntress MDR as a good and affordable threat protection combo, but here my questions begin. Please, shed some light on this:

Does Defender for Business actually need endpoint users to be signed in to their o365 accounts for full protection to work properly? What if they aren't: would full protection still be in place, or would Defender for Business functionality drop down to basic antivirus, like regular Defender?

Is Defender for Business in my case really so complicated and hard to install and set up? I've read some instructions and there is a ton of documentation, PS scripts and tools, like Intune and such, and despite being 40+ years in computer engineering, I got lost. Mostly because I do not use a ton of Microsoft products daily.

Does Defender for Business have some easy-to-manage cloud management tool where I would see and manage all installed Defenders for Business? Or must I learn those Intune, Azure, o365 Security and Defender portals, which are total overkill for those SMBs which I manage?

Thank you!

Labsy007, Dec 21, 2024, Copper Contributor, 41 views, 0 likes, 1 comment

Monitoring copied files on External drive - USB
Hello guys, I struggle to find a way in Defender for EPP or other solutions to monitor when a user copies files to an external peripheral such as a hard drive or USB. Does someone have the procedure or documentation? NOTE: the Defender timeline can see when a user is plugging in a USB stick, but that's... Thanks!

[Solved] EtienneFiset, Dec 18, 2024, Brass Contributor, 11K views, 0 likes, 2 comments

How to get the Protection History from a device
Hello, I would like to get the Protection History without user intervention. I don't understand why it is not on the device page in Microsoft 365 Defender initially... I tried to find a way of doing it in Advanced Hunting, but it's new for me; if someone has the command, thanks in advance. I tried with Live Response, but you can only use the CMD (is there a way to initiate Live Response with PowerShell?), run a PowerShell script and tried to get the output file, but I got the error every time: Empty file, even if I do an -OutFile with my PS script and try to get this specific file... Can someone help me please 🙂? Thanks

EtienneFiset, Dec 18, 2024, Brass Contributor, 1.9K views, 0 likes, 3 comments

Tracking Sent Emails from a Shared Mailbox with Delegated Access
Here is a detailed post to the Microsoft help forum about tracking down who sent emails from a shared mailbox with delegated access and Send As rights:

Title: Tracking Sent Emails from a Shared Mailbox with Delegated Access

Dear Microsoft Community,

I'm reaching out for assistance with an issue I'm encountering regarding a shared mailbox in my organization. The shared mailbox has been configured with delegated access and "Send As" rights for certain users. However, I'm finding that emails are being sent from this shared mailbox, and I need to determine which user is responsible for those sent messages.

Here's some more context on the setup: We have a shared mailbox that multiple employees within my organization can access and send emails from using their individual user accounts. The shared mailbox has been granted "Delegate Access" and "Send As" rights to these authorized users. Whenever an email is sent from the shared mailbox, it appears to come from the shared mailbox address rather than the individual user's email address. I need to be able to track down and identify which user sent a specific email from the shared mailbox.

My main questions are:
- How can I determine which user account was used to send a specific email from the shared mailbox?
- Is there logging or audit functionality within Microsoft 365 that would allow me to see the user who sent an email from the shared mailbox?
- Are there any third-party tools or add-ons that could provide this level of tracking and visibility for emails sent from a shared mailbox?

I'm hoping the Microsoft community can provide some guidance and recommendations on the best approach to resolve this issue. Being able to identify the user responsible for emails sent from the shared mailbox is crucial for maintaining security and accountability within our organization.

Thank you in advance for your assistance. I look forward to hearing back from the community.

Best regards,

[Solved] Fish_Tacos, Dec 18, 2024, Brass Contributor, 75 views, 0 likes, 1 comment

Defender XDR - Resolved incidents still show up
In Security Center I have multiple incidents that I changed to status Resolved. However, they still appear in the Incidents view. What could be the issue? I don't have this issue with resolving incidents in Sentinel.

[Solved] Hendrik, Dec 16, 2024, Copper Contributor, 35 views, 0 likes, 1 comment

Security Baselines section disappears
I arrived here from this page... https://learn.microsoft.com/en-us/defender-xdr/entity-page-device ... which details all the possible sections of a given device when located within the Assets -> Devices section of the Defender portal. When I click on a machine, I see most of the sections along the top (Overview, Incidents & alerts, Timeline, etc.) and I can click on each one, but as soon as I click on a device, the 'Security Baseline' section momentarily appears then disappears. The link to Security Baselines is also broken in the link I pasted above. Can anyone else access this section?

Regards, Graham

G_Man, Dec 12, 2024, Copper Contributor, 20 views, 0 likes, 0 comments

MS Defender XDR API missing Alerts
The Microsoft Defender XDR API is missing Alerts that are visible in the console (https://security.microsoft.com). The number of Alerts returned by the Incident API is limited to 150. This information is nowhere in the documentation. If you have an Incident with greater than 150 Alerts, the API will not provide all the Alerts for a given Incident. https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents

My team has confirmed this behavior across hundreds of tenants and thousands of Incidents. MS Premier Support has not been helpful in understanding if this is a known issue or a bug. Has anyone encountered this issue and have any information? Obviously closing the Incident will solve the problem, but for ongoing investigations this is not always an option.

mpalumbo7, Dec 10, 2024, Copper Contributor, 16 views, 0 likes, 0 comments

Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in the Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a Graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. Kristof

Kristof, Dec 05, 2024, Copper Contributor, 33 views, 1 like, 2 comments

Defender - Cloud Activity Logs suspicious
Hi, I just noticed these logs from Defender - Cloud Apps > Activity Logs; it seems all our Microsoft Cloud PCs have these logs. It looks suspicious to me as it seems to be querying our Domain Admins account, but I would like to confirm. If this is suspicious, can you help with how to mitigate this please? Thank you.

Champ14-1020, Dec 04, 2024, Copper Contributor, 59 views, 0 likes, 1 comment
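One way to scope the USB query from the "Advanced Hunting Data Schema" post above to a single company, as an added example that is not part of any of the posts on this page. It assumes the holding's subsidiaries are separated by Defender device groups, so that the MachineGroup column of DeviceInfo carries a per-company value; the group name "Contoso-Subsidiary-A" is an assumed placeholder. The original query is extended with a join against the latest DeviceInfo snapshot per endpoint, and the endpoint's own DeviceId is kept apart from the USB device's identifier so the two cannot be confused.

```kql
// Added example, not from the original post.
// Assumption: each company's endpoints sit in their own Defender device group,
// so DeviceInfo.MachineGroup holds a value such as "Contoso-Subsidiary-A".
let TargetGroup = "Contoso-Subsidiary-A";   // assumed group name, replace with yours
let Lookback = 30d;
// Latest DeviceInfo snapshot per endpoint, reduced to the target company.
let ScopedDevices =
    DeviceInfo
    | where Timestamp > ago(Lookback)
    | summarize arg_max(Timestamp, MachineGroup) by DeviceId
    | where MachineGroup == TargetGroup
    | project DeviceId, MachineGroup;
DeviceEvents
| where Timestamp > ago(Lookback)
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
// Keep the USB device's id under its own name; DeviceId stays the endpoint id.
| extend UsbDeviceId = tostring(parsed.DeviceId), ClassName = tostring(parsed.ClassName)
| where ClassName == "DiskDrive"
| join kind=inner ScopedDevices on DeviceId     // drops endpoints of the other companies
| summarize UsbFirstSeen = min(Timestamp),
            UsbLastSeen = max(Timestamp),
            Connections = count()
        by UsbDeviceId, DeviceId, DeviceName, MachineGroup
| order by UsbLastSeen desc
```

If the companies are distinguished by device tags rather than device groups, the MachineGroup filter can be swapped for one on the tag columns of DeviceInfo (an assumption about the tenant's setup; check the schema reference in the portal). In either case, confirm in the portal that every subsidiary's endpoints actually land in the expected group before relying on the result: a device that onboarded into the default group would be silently excluded by the inner join.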