User Profile
EtienneFiset
Brass Contributor
Joined 3 years ago
User Widgets
Recent Discussions
How to get the Protection History from a device
Hello, I would like to get the Protection History without the user intervention. I don't understand why is not in the device page in Microsoft 365 Defender initially... I tried to find a way to doing it in the Advanced hunting, but it's new for me, if some one have the command, thanks in advance. I tried with the Live response, but you can only use the CMD(Is it a way to initiate the Live response with Powershell ?) run a powershell script and tried to get the output file, but i got every time the error : Empty file, even if i doing a -outfile with my PP script and tried to get this specific file... Someone can help me please 🙂 ? ThanksDefender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024 I have found a way to disabling these annoying alerts. Look for the solution above. Issue: I want to know how I can disable these two following alerts : Disabled Connected to a custom indicator Connected to an unsanctioned blocked app Those alerts type needs to be enabled or disabled on demand, like the other alerts types. Why's that : Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing. Possible to disable the custom alert in setting ? No. Why ? Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type. Solutions : IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports. The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR setting->Alert tuning->Create this rule: Here's an example: Rule Analysis From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working: 1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered. 2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,Zapped - AIR investigation failed
Hello, We had some AIR related to zapped malicious email, but all the steps in the investigation log are failed. And I don't find any way to restarting it or what I can do to fix it ? Note : I know i can go in threat explorer and create a manual remediation/investigation. But after 10 AIR failed like that, i suppose that this functionality has an issue and need to be fixed. The automated zero-hour purge is important. ThanksRe: Enable RDP to take remote of Intune managed devices, Firewall blocking the connection
GerardoHernandez Hey guys, we fixed our issue with the create of a new group to apply for a new Defender firewall policy accepted this : "The firewall allows RDP connection only with the private network or with the same domain via NTLMv2 authentication." So need to turn on 2 profile through firewall as private network and domain accepting the outbound connection through NTLMv2 or your own config.
