User Profile
MikeP751860
Brass Contributor
Joined 4 years ago
Recent Discussions
Sentinel - Analytic template - MFA Rejected by User

Hi, we are having a few issues with the Sentinel templated analytic rule MFA Rejected by User (version 2.0.3): https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml

Over the last 30 days this analytic rule has generated 98 incidents, which are all false positives. The analytic rule works by looking at Entra ID SigninLogs for result type 500121 with one or more of the following additional details reported: "MFA denied; user declined the authentication" or "fraud". It maps UEBA identity information, then joins the behavior analytics data summarised by IP address. It's the summarising of the IP address data which has me questioning the code. When we get an event in the sign-in logs it also generates an event in the UEBA BehaviorAnalytics table along with an IP investigation score. If you have multiple events in the rule's query period then the summarizing does a SUM() against the IP investigation data, which can turn into a high score that breaches the threshold. The default threshold is 20, but I have seen summed IP investigation scores between 60 and 100+ while the individual event record for the MFA rejection gives a score of 3 or 4.

Anyone who is an expert with UEBA and KQL able to tell me if the original code looks OK? https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml Would it be better served by the following code?

let riskScoreCutoff = 20; //Adjust this based on volume of results
SigninLogs
| where ResultType == 500121
| extend additionalDetails_ = tostring(Status.additionalDetails)
| extend UserPrincipalName = tolower(UserPrincipalName)
| where additionalDetails_ =~ "MFA denied; user declined the authentication" or additionalDetails_ has "fraud"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), UserId = any(UserId), AADTenantId = any(AADTenantId), DeviceName = any(DeviceDetail.displayName), IsManaged = any(DeviceDetail.isManaged), OS = any(DeviceDetail.operatingSystem) by UserPrincipalName, IPAddress, AppDisplayName
| extend Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])
| join kind=leftouter (
    IdentityInfo
    | summarize LatestReportTime = arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN, Tags, JobTitle, GroupMembership, AssignedRoles, UserType, IsAccountEnabled
    | summarize Tags = make_set(Tags, 1000), GroupMembership = make_set(GroupMembership, 1000), AssignedRoles = make_set(AssignedRoles, 1000), UserType = make_set(UserType, 1000), UserAccountControl = make_set(UserType, 1000) by AccountUPN
    | extend UserPrincipalName = tolower(AccountUPN)
) on UserPrincipalName
| join kind=leftouter (
    BehaviorAnalytics
    | where ActivityType in ("FailedLogOn", "LogOn")
    | where isnotempty(SourceIPAddress)
    | project UsersInsights, DevicesInsights, ActivityInsights, InvestigationPriority, SourceIPAddress
    | project-rename IPAddress = SourceIPAddress
    // Keep the per-event priority as a grouping key instead of summing it per IP
    | summarize UsersInsights = make_set(UsersInsights, 1000), DevicesInsights = make_set(DevicesInsights, 1000)
    //IPInvestigationPriority = tostring(InvestigationPriority)
    by IPAddress, IPInvestigationPriority = InvestigationPriority
) on IPAddress
| extend UEBARiskScore = IPInvestigationPriority
| where UEBARiskScore > riskScoreCutoff
| sort by UEBARiskScore desc

Massive reduction in Threat Intelligence IP data since Monday 10th June

Hi, Anyone else seen a massive reduction in Threat Intelligence IP data since Monday 10th June into Sentinel platforms? I operate two Sentinel environments and they have both seen the same change. The screenshot below is for the past 30 days. The past 48 hours still reports some IP information being sent, but at a very reduced rate. What's changed with the feed?

Entra ID and Sign in Logs with Sentinel - Shared mailbox with sign-in blocked

Morning all, We are presently investigating how Entra ID sign-in logs are used within our Sentinel environment but need some help with the following scenario to understand the logs we are collecting. If a shared mailbox is configured for 'sign-in is blocked' and a malicious actor attempted to sign into that account, what would we see in the sign-in logs? Regards Mike

Re: OpenSSL

fatherosam_1 - The February version of Power BI Desktop has updated OpenSSL from 3.0.9 to 3.0.11, but that is still vulnerable. The latest secure version is 3.0.13. Have you reported the Microsoft applications to MSRC? I was able to get them to accept a report for CURL last year, but they didn't accept one for Power BI when I tried.

Creating a playbook with actionable message for end users

Hi, Has anyone tried to create a playbook in Sentinel with a workflow to send an actionable message to the end user to get them to confirm if they completed an action which triggered an alert/incident? We would like to see if we can reduce the SIEM events to our service desk by asking the end user to confirm actions undertaken. If they do not reply within 1 hour, or if they reply No, then the incident will be raised. The nice thing about actionable messages is the requirement for the end user to authenticate, plus we can add MFA to validate it is the user and not someone else. Regards Mike

Microsoft Store Apps not detected by Defender TVM

Hi, Anyone know why Microsoft Store Apps are not detected by Defender TVM? We recently undertook an external pen-test of some clients and found multiple CVEs in the Microsoft Store Apps. Turns out that Defender TVM doesn't inventory those applications or detect the CVEs, which surprised me. The Nessus agent provided greater depth of vulnerability information on the devices under assessment than the data being reported in Microsoft. Makes me wonder what else is being missed.

OfficeActivity - Rare and potentially high-risk Office operations and automation

Hi, We are receiving a number of "OfficeActivity - Rare and potentially high-risk Office operations" alerts for users who are setting up mailbox GrantSendOnBehalfOf and creating mail moving rules. Wondered what modifications to the analytic rule people have made to reduce the noise, or any automation to ask the end user if they made the reported change (maybe with some verification to confirm the end user). Regards Mike

Accessing device scan results in Defender portal

Hi, I have been asked by our service desk if, when they start a scan using the Defender portal against an onboarded device, they can see the final scan results. I believe all we can see is when the last scan completed. Have I missed something? Regards Mike

Re: Future support for Azure Virtual Desktop client?

Morning Andrew, We are using the Azure Virtual Desktop client within the enterprise, but the automatic update only works if you have admin rights. The MS Store version is no good as it has not been updated in several years. It would be nice to have a single common approach to MS applications being updated in an enterprise. Regards Mike

Advice on how to re-enrol Windows 10 devices to Intune

I have an issue where we have a number of hybrid devices which were successfully enrolled in Intune, but the Intune record has disappeared for the device and in some cases the same for the AAD/on-premise account. We can rejoin the device to the on-premise domain and AAD Connect can sync the account back to AAD, but how do I get the device to correctly re-enrol with Intune without a rebuild? Regards Mike

Microsoft Edge Roadmap and support for Adobe PDF Fill & Sign

Hi, Does anyone know if the Microsoft Edge Roadmap has been updated, as the last one I can find is dated March 2021: Roadmap for PDF reader in Microsoft Edge - Microsoft Community Hub. I'm interested to know if Adobe PDF Fill & Sign support will be added, as it would allow me to remove the requirement for Adobe Acrobat Reader DC from my estate and improve my security. Regards Mike

Defender 365 - SmartAlerts: User exfiltrating sensitive information via Removable Media

Hi, In the past few days we have started seeing incidents/alerts for "SmartAlerts: User exfiltrating sensitive information via Removable Media". We do not believe we have enabled any features or created policies which would start generating these incidents/alerts. Is this something new from Microsoft, as I cannot find any information on it? Anyone able to help please? Regards Mike

Defender 365 portal and email investigations seeing device tab

Hi, I have a case open with MS support regarding not being able to see which devices have opened an email when you are investigating a threat. Confirmed the MDE setting switch in Explorer is enabled, and the same for the Office 365 threat integration to Defender. My engineer is telling me the PG team is going to remove the Explorer 'MDE Setting' toggle button, but is also indicating the whole integration of not being able to see where a device has opened an email is not going to be available. I have asked him to go back and confirm that point as it does not sound right. Anyone from MS or the PG team able to comment on this please? Regards Mike

Re: Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event

I think you might have missed the point. The 'shortcuts' let query is filtered to the timestamp range (2023-01-13 to 2023-01-14), so how can you have a signature of 1.381.2325.0 which was released on 1/17/2023 11:11:14 AM?

Re: Microsoft Defender KQL query for deletion lnk files - Following Friday 13th Event

yongrheemsft Tried the AH query but the returned data records are too small. When you exclude '| where AvSignatureVersion in (badsignatures)' from the query, in my case I see most of the machines have an AV signature version of 1.381.2325.0.