User Profile
Craig_Ob
Copper Contributor
Joined 6 years ago
Recent Discussions
Hunting queries and automated output delivery
Looking for a way to automate a daily report to show any machines that can be onboarded. I can pull the data manually via the inventory and the use of filters. I looked at Power BI and scripting it in advanced hunting but am having no luck. Does anyone know, outside of GitHub, a resource for Power BI queries for Defender? Thanks
365 Defender missing Alert Content
Strange one this one... We recently performed some pentesting via a VM and workstation. In one of the tests, the BloodHound tool was used and Defender caught it and dealt with it: HackTool:PowerShell/BloodHound.G!MSR, Remediation action: quarantine. So the next step was to disable Defender on the endpoint with the simple regedit so we could continue. Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force I saw all this in the 365 Alerts window, and I even took a copy and pasted into Notepad what I saw from the Alerts. 1 week later I get back into this Alert to close it out and I see the "Defender detected and quarantined" etc., but the regedit used to disable Defender is no longer showing in the Alert?? I checked the timeline, no sign of it, but I saw it as part of the alert as it was coming in.. Any idea?
1.7K views, 0 likes, 0 comments
AV Status shows disabled on endpoint
Morning, When I run a filtered report on machines via the Security Center I see around 23 (out of 800+) machines that are active but show as AV Disabled. Remoting to a few of these machines, I see that Defender is indeed running and doing its thing. Normally I get a warning that an endpoint is disabled, but none on these. Any idea?
970 views, 0 likes, 0 comments
Defender definition updates
Hi All. Been using Defender ATP for a few weeks now, I have two questions. 1) Do definition updates still need to be pushed to the PCs via my SCCM patching system, or does ATP take care of those and distribute them to registered clients? 2) Are there any recommended books, courses, or resources available to learn more about ATP? Thanks
3.6K views, 0 likes, 3 comments
Re: Defender ATP SIEM AlienVault
Thijs Lecomte OK, thanks for that input. Are you referring to Azure Sentinel and having them parse into the SIEM? Would you happen to have any info on this process, as this is a major part of our PCI requirements? Our old system (Sophos Cloud): we manually exported the logs and they were imported into the Vault device.
2.8K views, 0 likes, 1 comment