User Profile
Jonhed
Iron Contributor
Joined 5 years ago
I work primarily with design and implementation of MDE and Sentinel.
Recent Discussions
Re: How to get Sharepoint online into Conditional Access app Control
gutharius SharePoint Online should be automatically onboarded if you just create a conditional access policy that covers it, as mentioned in the docs below.
https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy-aad#sample-create-microsoft-entra-id-conditional-access-policies-for-use-with-defender-for-cloud-apps
Also introduced here: https://youtu.be/L-EKqbse2cs?si=L0me1sc0txMoHU5d&t=257

Re: Defender for Server without Internet access
Sankaperera
Defender Antivirus: Without internet access you can use Defender Antivirus, which is a traditional antivirus solution available on Windows Server 2016 and up (note: the antivirus in 2016 does not have all the functionality that is available in 2019 and up). You have the option of distributing updates via a shared folder, WSUS or MEC, which will not require direct internet access from the protected servers. Defender Antivirus is integrated in the OS, so it does not require Defender for Servers licensing.
Defender for Endpoint (Defender for Servers): The EDR solution Defender for Endpoint runs all analytics in the cloud, and will require internet access, either direct or through a proxy.

Re: MDE-Management
Fhilp So these servers:
a. are not domain controllers
b. have the May 2023 update of the EDR package https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/windows-whatsnew?view=o365-worldwide#may-2023-release-version-108295226211023
c. are not running Core editions
d. do not have the PowerShell restricted mode configured as below https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?pivots=mdssc-preview
Is this correct?

Re: Windefender AV Signature Updates Cannot be Scheduled
There are some additional settings regarding updates, such as updating before a scheduled scan or updating on startup and so forth. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide I suppose these could be the reason for the out-of-band updates. The ad-hoc updates listed happen dynamically when deemed necessary by cloud protection, but this will not affect the signature version. So assuming you mean the signature version goes up, the ad-hoc updates are not related. Other than that, regular Windows Update checks will download signatures as well, in case those run regularly.

Re: role needed to view devices inventory in Defender
glujan72 Actually, if you do not have RBAC enabled, my understanding is that reader roles should work. Though, after having an additional look at the docs below, Security Reader might be the only role that works. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide You mentioned giving Global Reader, so maybe try to assign Security Reader as well? If this does not work, I would raise an SR with Microsoft to check if RBAC (or the lack of it) can be the reason.

Re: role needed to view devices inventory in Defender
Are you using the MDE RBAC in your environment? If so, read-only roles are no longer valid for MDE, so you will need to give him a role in MDE as well. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide Also check if device groups have security groups assigned for user access. If a device group has a security group assigned, only users that are part of these security groups will be able to see those devices.

Re: KQL query
akshay250692 My bad, was missing a bit.
let threshold = 1;
let authenticationWindow = 5m;
let Logs = SigninLogs
| where UserPrincipalName == "email address removed for privacy reasons"
| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
Logs
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName
| join kind=inner (
    Logs
    | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName
    | where FailedAttempt >= ["threshold"]
) on UserPrincipalName, AppDisplayName, ResultDescription
| project-away UserPrincipalName1, AppDisplayName1, ResultDescription1

Re: Is there a problem when installing the MDE agent on a VM without public IP?
If you can access all the required URLs it is fine. If you do not have any access to the internet at all, you cannot use MDE. Onboarding to MDE means registering the VM to the MDE cloud platform, and all the EDR functionality lies in the cloud, so it requires internet access. Logs are streamed from the VM to the cloud, and are analyzed in the cloud. We are talking about MDE as an EDR, right? Or is this about Defender Antivirus?

Re: KQL query
akshay250692
| summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName
The summarize above does not contain TimeGenerated, so the TimeGenerated field is removed from the results past that. Therefore, you cannot use it at the final line. Try the code below.
let threshold = 1;
let authenticationWindow = 5m;
let Logs = SigninLogs
| where UserPrincipalName == "email address removed for privacy reasons"
| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
Logs
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, AppDisplayName
| join kind=inner (
    Logs
    | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName
    | where FailedAttempt >= ["threshold"]
) on UserPrincipalName, AppDisplayName, ResultDescription
| project-away UserPrincipalName1, AppDisplayName1, ResultDescription1

Re: Weekly Vulnerability report for servers
You can use Logic Apps to do this. Cannot remember if the DeviceTvmSoftwareVulnerabilitiesKB is available in the regular MDE advanced hunting connector, but if it is not you can access the Microsoft 365 Defender REST API to run queries there. Results can be made into a CSV file etc., and then mailed via Outlook, SendGrid or some other mail solution available in Logic Apps.

Re: Updating the MDE.Windows extension
> When deleting the MDE.Windows/MDE.Linux extension, there is no impact to the Sensor software on the server
The point about deletion not having any effect on the sensor is covered below, but yes, I do agree the relation between the extension and the MDE software in general is not covered much. https://learn.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint
> If integration with Microsoft Defender for Endpoint is enabled, and the extension is deleted, it will be promptly installed again.
If you check that box for MDE integration, this is indeed true. The Defender for Servers plan will charge you for any server present anyway, though. Onboarding scope can be managed with Azure Policy if you uncheck that box, but you would still be charged. Hoping to see some scoping for the actual Defender for Servers plan some time.

Re: Updating the MDE.Windows extension
I am not quite sure if updating the MDE.Windows extension itself actually has any use, since it only deploys MDE and does nothing past that. As far as I know, any integration between MDE and Defender for Cloud past that happens through the APIs directly between the services, rather than through the extension.

Re: Updating the MDE.Windows extension
Yes, the extension is pretty much there just to push the MDE onboarding package to the server. Past that, it is just a regular MDE and MDAV installation. Pattern updates, engine updates as well as platform updates are managed by MDAV. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide As for MDE itself, it depends on the version. Windows Server 2019 and above come with the MDE sensor integrated in the OS, so MDE sensor updates are included in the OS security updates. Windows Server 2012 R2 and 2016 get the MDE sensor through a separate installation (MDE unified package), and require updates via Windows Update, WSUS etc. https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac

Re: Unable to apply ASR rules for Windows servers (2012R2, 2016, 2019 and 2022) via SCCM
This appears to be a known problem with no known fix. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#microsoft-configuration-manager

Re: Microsoft Defender for Server - Endpoint Protection Disable
There is reporting available for virus definition files in Microsoft 365 Defender. As for update sources, the default will be Microsoft Update; however, there are options there, and using Microsoft Update requires the Windows Update service to run etc., so it may not be available in all environments depending on the OS configuration. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus?view=o365-worldwide