User Profile
GaryCutri
Copper Contributor
Joined 6 years ago
Recent Discussions
Re: Remove access rights on suspicious accounts with the Admin SDHolder permission
Thanks for the feedback. It's been a week now and our tenants are still listed as "To address". We now have other "Defender for Identity" improvement actions that are completed but listed as "To address" (e.g. Remove dormant accounts from sensitive groups). It's clear that the Identity actions are not being updated and/or reported correctly.
1.2K views, 0 likes, 2 comments

Remove access rights on suspicious accounts with the Admin SDHolder permission
Hi, Can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS" but it displays "Users affected - No data to show" and under "Exposed Entities" it is blank with a line at the bottom displaying: {ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}
Just over 24 hours after initial detection, the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users" but it is still marked as "To address". Also please note the "More Information" links do not point to any useful or specific information for this improvement action.
Thanks, Gary
1.3K views, 2 likes, 4 comments

Re: Secure Score
RioHindle - They need to add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission". All sites appear to have this action triggered as NOT COMPLETED but it displays "Users affected - No data to show" and under "Exposed Entities" it is blank with a line at the bottom displaying: {ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}
1.9K views, 0 likes, 1 comment

Re: Microsoft Defender for Endpoint Device group question
I found some updated guides; step one is outlined below, and in step two it recommends setting up device groups.
Turn on automated investigation and remediation
1. As a global administrator or security administrator, go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
2. In the navigation pane, choose Settings.
3. In the General section, select Advanced features.
4. Turn on both Automated Investigation and Automatically resolve alerts.
7.9K views, 0 likes, 1 comment

Re: Microsoft Defender for Endpoint Device group question
Based on your feedback the default now is to auto remediate for all. Historically many investigations were stuck at "pending action" and the groups were set up to ensure automation (or partial is required). I would still consider groups for servers and desktops as we have had bad experiences with modern protection services on Windows Server. Even recently the Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" killed an Azure AD Connect upgrade (Azure AD Connect health service uses an old installer) and the same happened during an Exchange 2019 upgrade. (As an FYI, you really need ASR rules to help protect against modern threats.)
7.8K views, 0 likes, 0 comments

Re: Microsoft Defender for Endpoint Device group question
From your feedback the undefined/ungrouped is only created now when the first custom group is added. I just double checked another customer who isn't using groups and I can confirm the same state as your second screenshot. I added groups back when the feature was first made, so either the process has changed slightly or my memory is fading. I do recall the reason I started using groups was detections went into a pending action state and I needed selected devices to automatically action threats. As per my first post I believe you should at minimum define desktops and servers. We used a "Deleted" tag to add removed devices into a separate group so when looking at the security score or threat management dashboard we can filter out deleted devices. In short, using tags is an easy way to add devices to custom device groups, but please note these group rules need to be above groups that are defined by OS/bud etc. only.
8K views, 0 likes, 6 comments

Re: Microsoft Defender for Endpoint Device group question
All devices land in the "undefined" group by default (i.e. without any other grouping rules), so if you ensure that group is set to "no automated response" it does nothing. Alternatively you can set undefined to your preferred automation level. If you decide to create groups it's up to you to define a filter and set the automation response (e.g. none, 2x semi option or full).
8.1K views, 0 likes, 8 comments

Re: Microsoft Defender for Endpoint Device group question
Hi, In our scenario we started with Desktops & Server groups with full auto remediation on Desktops and only partial on Servers. Then, due to deleted devices being stuck in Defender for at least 30 days, we created a Deleted Tag and Group so I could filter them out of our security score and vulnerability exposure score. Over time we ended up splitting the server groups into two so Critical Services and Non-Critical Services had different remediation options. This was just done as a precaution as we wanted to remove the risk of an automatic remediation causing any issues (critical servers are set as "Semi - Require approval for core folders").
8.1K views, 0 likes, 10 comments

Microsoft Secure Score - Recently introduced issues
Hi, With the recent updates to Microsoft 365 Defender (https://security.microsoft.com/) we have noticed Edge critical updates are no longer being flagged on the "Exposure score over time". Also, at the same time this started to occur, all devices are showing two Edge entries under the device "Software Inventory" tab (old and newly installed version) and it's now taking three to five days to process (remove old/process new) and mark these devices as updated. In the past the two versions showed for a maximum of 24 hours (at the quickest they cleared within 4 hours); this is now three to five days. We have also noted the three newly added Teams Security Score checks have not been synced since 7/30/2021. Prior to the new items being added the one Teams improvement (Restrict anonymous users from starting Teams meetings) was being scanned every 24 to 48 hours. As of this post it's now 9 days since the last scan. I'm hoping we can speak with someone from the MS Security Team as we have just about maxed out the security score and security recommendations and we have noted a very large number of bugs.
Thanks, Gary
1K views, 0 likes, 0 comments