User Profile
marktait19
Copper Contributor
Joined 3 years ago
Recent Discussions
Re: FirstDetected Field - where can I find it in the Defender schema?
Hi - my client hasn't opened up the API for me yet. I only have access to Hunting -> Advanced Hunting. Is the cveFirstSeenTimestamp only available via the API? Is there an equivalent field I can find in Advanced Hunting? Thanks again, Mark
1.3K Views, 0 likes, 0 Comments

List of End of Life OS and Software in MS Defender
Hi. In MS Defender, is it possible to get a report of devices which are End of Life (eg. Windows Server 2003) along with any end of life/out of support software (eg. .NET 1.1, or specific apps), which may be running on any device? I'm aware we can get security recommendations - but are there any more granular reports available, either through the Defender GUI, or via KQL? Thanks for any help, Mark
Solved. 1.7K Views, 0 likes, 1 Comment

Re: Security Recommendation - is it available in any table in KQL query editor
Hi - sorry, I wasn't clear - it's just not returning the number of results I'd expect. It should be listing hundreds of devices, but I'm only seeing 1 device listed in all 118 results. Thanks again, Mark
5.4K Views, 0 likes, 11 Comments

Re: Security Recommendation - is it available in any table in KQL query editor
Thank you for your suggestion. When I run this, I'm only getting 1 device returned (with 118 results - I'm looking over the last 30 days), but I can't see anything in the query which would limit the results. I'll keep working with the query you've provided though - it must be a restriction on my end that's limiting it. Cheers, Mark
5.6K Views, 0 likes, 14 Comments

FirstDetected Field - where can I find it in the Defender schema?
Hi - in Microsoft 365 Defender, when running Kusto queries, which table will I find the "First Detected" field against a device in? I can see it in the Device Summary page, but can't find it in any of the available tables in the schema. Thanks for any advice, Mark

Re: Microsoft 365 Defender - where to create a custom list of devices
Thank you - I suspect that may be the issue. What I'm trying to do seems pretty simple (create a list of devices I can update once and use across multiple queries). I'll reach out to the platform support to see if they can recommend the specific permissions required. All the best, Mark
2.1K Views, 2 likes, 0 Comments

Re: Microsoft 365 Defender - where to create a custom list of devices
Hi Robina - thank you for your reply. When I select devices on the Devices page, I do not see "Add to custom list"; I only see: Manage Tags, Initiate Automated Investigation, Device Value, Exclude, Report Inaccuracy. I've attached a screenshot. Have I missed something, or is it perhaps that I don't have specific permissions to create custom lists? Thanks again, Mark
2.1K Views, 0 likes, 3 Comments

Microsoft 365 Defender - where to create a custom list of devices
Hi - where in MS 365 Defender can I create a custom list of devices, that I can just update once and reference in multiple KQL queries? I have looked in Settings - there is no option for Microsoft Defender for Endpoint lists. Thanks for any help, Mark
Solved

Security Recommendation - is it available in any table in KQL query editor
Hi. When in Security Recommendations, I can enter a CVE reference, and there is a column in the display for "Security Recommendation" (please see attached screenshot). So for example, for CVE-2020-1938 the Security Recommendation advises: Update Apache Tomcat. Is there any table available within the KQL editor that will display that recommendation for a given CVE? I've checked in DeviceTvmSoftwareVulnerabilitiesKB and DeviceTvmSoftwareVulnerabilities - however the Security Recommendations field is not available in either of those. Any help would be much appreciated, Thanks, Mark
Solved

KQL to filter by Tags - is it possible?
Hi - is it possible within Advanced Hunting, to filter based on an associated Tag? I have added a "where Tag..." in the KQL below, but I can't actually see where the Tags are held and how to filter. Any help would be appreciated, Thanks, Mark

DeviceNetworkInfo
| join DeviceTvmSoftwareVulnerabilities on DeviceId
| join DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where Tag has_any ("tag1", "tag2")