User Profile
MattBurrows
Brass Contributor
Joined 6 years ago
User Widgets
Recent Discussions
New Device Health Reporting showing incorrect status
Hi, Just been looking into the new reporting and ive come across the below: On the new AV health reports, it shows in the "Antivirus Mode" that I have a bunch of Devices that are in "Other Modes". when you run get-mpcomputerstatus, on the devices in question, everything is up to date, and matches that of a device that is in "Active" Mode. When you check on the Defender portal, on the device itself, in the new section "Device health Status" everything is unknown and the AV mode is "Other" along with the Title "Defender Antivirus Not active", which I can confirm it is active and updated. The Devices are able to communicate out to Defender so its not a networking issue, so im a little lost why some I'm getting irregular reporting Has anyone noticed the same thing from their side?Re: Azure Sentinel how to clear Threat Intelligence Indicator table
Funny enough I have this exact problem, DShield throws so many FP when mapping to signin events etc. I couldn’t find a way to bulk delete sadly, after searching high and low. I ended up editing the query to basically != DShield and then wait for the retention to kick in and remove. Will be interested if someone comes with an answer to bill delete though!Limitations with Watchlists in logic apps
Has anyone tried using the action within Logic Apps " Watchlist - Get all watchlist items for a giver watchlist" and come across the below issue? Currently I have a Watchlist with around 500 entries, when I try and get all the results, it will only pick the first 100 from the Watchlist. Assuming there is a limitation that only gets the first 100, does anyone know how to increase this?Re: how to get the URL requested by the user in a browser?
Also to add ontop of this, and not knowing your set up, you could also link this with your firewall logs if you have connected them. Link below for basic reference. https://azurecloudai.blog/2021/03/15/how-to-azure-sentinel-watchlist-kql-basics/Re: Delete devices from Inventory in Defender Security Portal
Microsoft doesn't provide the ability to remove devices because it's extremely dangerous. If an attacker would get permissions on your cloud instances, he could remove all his tracks. The devices are retained for forensic purposes. Best option is to tag an offboarded machine and create an 'Inactive' machine group for it Or run the offboarding script on the device if possible.API GET for Defender TVM
Hi Guys, I am running GET on "https://api-eu.securitycenter.windows.com/api/vulnerabilities" to pull all my vulnerabilities. What I am noticing is there is a lot of results with Exposed Machines that equal 0, while I only want to show Vulns that is equal to or greater than 1 (so shows all vulns on any of my machines). In theory I should be able to do this via the below ("ge" = ">=") https://api-eu.securitycenter.windows.com/api/vulnerabilities?$filter=exposedMachines ge 1 But I am getting the below error: "error": { "code": "BadRequest", "message": "Filter parameter is invalid", I have tried various other ways that is mentioned online but nothing seems to work. No doubt its something so simple. Cheers.Re: Defender for 365 Ingestion: Duplicate values
I have the same issue, I never raised with Microsoft as the connector is still in preview and the EmailEvents have only recently been added, so assume some teething problems. I did ping my contact in MS a message, who said the Engineer teams are aware. So I would say keep an eye out as the problem should be resolved in the near future.Unknown User!
Hi Everyone, A bit of a strange one, had a user who requested a colleague to join a team. The owner who approves members has reported that a request came in for both The User and an Unknown User at the same time. Has anyone seen anything similar? Apparently its not the first time this has happened! Cheers.
