Recent Discussions
Welcome to the Virtual Ninja Show’s Ninja Cat giveaway!
We are so excited to announce there will be NINE opportunities across Season 3 of the Ninja Show to earn your very own plush ninja cat and give it a new beloved home, and we have many plush ninja cats looking for a new home! It works like this: for each episode there is a task to accomplish related to the topic in that show. You can complete each episode’s task for an opportunity to win! When you receive a LIKE on your response (from me, Heike), make sure you check your messages here in Tech Community for a message (from me, Heike) with next steps. If you do not receive a like, don’t worry - come back and keep trying! For each episode, you have a new chance to win a kitty! Though we do limit one ninja cat per person, please! Click on any episode conversation below to access the various tasks! Episode-specific conversations will be posted after their live broadcast is finished. Once you’ve submitted your response and received my like, I will reach out for the last few details to get your ninja cat on its way!

P.S. You have time to put your raffle ticket in the basket (for any episode) until April 14th!

> Episode 2 | Mastering email authentication and slashing overrides: Part 2 (March 9th, 9 AM PT)
> Episode 3 | Microsoft Sentinel Integration (March 14th, 9 AM PT)
> Episode 4 | Defender Experts for Hunting Overview (March 16th, 9 AM PT)
> Episode 5 | Mobile Threat Defense (March 20th, 9 AM PT)
> Episode 6 | SaaS security posture management (SSPM) (March 21st, 9 AM PT)
> Episode 7 | Defender for Identity and Defender for Endpoint: Better Together (March 23rd, 9 AM PT)
> Episode 8 | Get to know Microsoft Defender Vulnerability Management Premium (March 27th, 9 AM PT)
> Episode 9 | Attack disruption (March 29th, 9 AM PT)
> Episode 10 | Identity Threat Detection and Response (March 30th, 9 AM PT)

Good luck!
Heike and the Ninja Show crew

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh, and what does UEBA stand for?

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 2 | Mastering email authentication and slashing overrides: Part 2
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: Did you spot ninja cat throughout the episode? Mention your favorite on-screen ninja cat appearance in this episode along with one thing you’ve learned from this episode of the Ninja Show!

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Share Your Hunting Challenges!
Hello world! Tali Ash and I would love your input on anything you would like demo'ed in future webcasts! Want to see us demonstrate a specific hunting capability? Got a query challenge on your mind? Reply with your idea or like a reply from the community - we'll pick some of the popular ideas and put together future webcasts on the topics. Also, if you are looking for a great introduction to advanced hunting in MTP and KQL, be sure to check out our four-part series Tracking the Adversary at http://aka.ms/securitywebinars, or download the query files to practice on your own MTP instance at https://aka.ms/TrackingTheAdversary. Happy hunting!

Date/time display format in the Microsoft 365 Defender portal
Display of dates and times in the correct regional format remains inconsistent in the Defender portal. Being UK-based with UK language and region settings set, we are still seeing US-formatted timestamps (M/D/Y AM/PM) in both the Defender portal and MCAS.
1) Is this an acknowledged issue, and does Microsoft plan to fix it so that dates are shown consistently in the appropriate regional format?
2) Is there any possibility of getting all date and time stamps to show in ISO 8601 format across all pages? M/D/Y vs D/M/Y causes ambiguity and confusion. This is worse for non-US users who are not used to working w

MS Secure Score Create an OAuth app policy to notify you about new OAuth applications
Analyzing my Secure Score pending actions, it says I need to Create an OAuth app policy to notify you about new OAuth applications. The implementation instructions are vague, and when I try to create a policy there is no filter for newly created OAuth apps. Anyone have success setting this policy?

Microsoft Azure and Microsoft 365 Security - my defense in depth strategy!
Dear Microsoft Azure and Microsoft 365 security friends,

Who is interested in my (small) company? We don't have anything to protect and we don't have any money. Besides, we have a firewall. Furthermore, Mr. Wechsler, you are a bit paranoid with your security thinking. These are the first sentences I always hear when it comes to IT (cloud) security. But an attacker is also interested in a small company, namely to use its systems as a bot. It's not always about money and data. What about the reputation a company has to lose? It takes years to build a good reputation but only one event to damage it. What about the employees and their trust in the company? Do you want to put this at risk as a company? I don't think so!

Yes! Extended protection mechanisms always cost extra, I am absolutely aware of that. But I also pay monthly for car insurance and accident and health insurance. I'm grateful every day when I don't need the insurance. That's exactly how it should feel when it comes to IT (cloud) security.

Let's start with my IT/cloud security strategy. I am absolutely aware that this list is not exhaustive. There are so many components to consider, plus every infrastructure/company is always different. I'll try to give you a little help here.

We start with Microsoft 365. As a first additional measure, use all policies that start with "Anti-". You can find all the information in the Microsoft 365 Security Center. https://security.microsoft.com/threatpolicy

The next step is to use the policies that start with "Safe". You can also find this information in the Microsoft 365 Security Center.

Multi-factor authentication is a key element to further protect your identities/users. You can set this up per user or with a Conditional Access Policy (my preferred way). Azure Active Directory helps you integrate this protection. https://portal.azure.com

If you are subject to a regulatory agency, the Microsoft 365 Compliance Center can help. Here you can set up data loss prevention policies, audits, eDiscovery and much more. https://compliance.microsoft.com/homepage

In this day and age of bring your own device and work from home, it's a good idea to include the Endpoint Manager. With it you have the possibility to manage endpoints (Mobile Device Management - MDM) and applications (Mobile Application Management - MAM). https://endpoint.microsoft.com/

Get visibility into your cloud apps using sophisticated analytics to identify and protect against cyberthreats, detect shadow IT, and control how your data travels. https://portal.cloudappsecurity.com/ The Cloud App Security Portal provides you with the best possible support. Here you can allow or sanction cloud apps, configure anti-ransomware policies, data loss prevention policies and much more.

Do you want to know how your Windows Active Directory is doing? Then Microsoft Defender for Identity will help you. With this tool you can transfer the local information to the cloud, with an interface to the Cloud App Security Portal. https://yourtenant.atp.azure.com/timeline

No person should always work with elevated rights. Only work with elevated rights when it is really necessary. This is where Azure Privileged Identity Management (PIM) comes in. With this tool you can configure the access as you need it for your needs. https://portal.azure.com

With Azure Identity Protection you have a tool that allows organizations to accomplish three key tasks:
1. Automate the detection and remediation of identity-based risks.
2. Investigate risks using data in the portal.
3. Export risk detection data to third-party utilities for further analysis.
https://portal.azure.com

Just-in-time access for administrators is also possible for virtual machines with Just-in-time VM Access. In Microsoft Defender for Cloud you can configure this feature (and much more).

Microsoft Sentinel helps you keep track of the health of your organization. A SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) tool that should not be missing from your portfolio. The tool offers many connectors (98 at the moment) so that you can connect the most diverse portals to Sentinel.

There is still so much to show; I haven't talked about Role Based Access Control (RBAC) or Network Security Groups (NSG), etc. I know some of you are thinking, hey, there is a lot more. I am aware of that. My goal is to give you some positive signals on how you can integrate additional security into your organization.

Thank you for taking the time to read this article.

Kind regards, Tom Wechsler

Defender console - Disabled Connected to a custom indicator & Connected to an unsanctioned
Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.

Issue: I want to know how I can disable the two following alerts:
Disabled Connected to a custom indicator
Connected to an unsanctioned blocked app
Those alert types need to be enabled or disabled on demand, like the other alert types.

Why's that? Description of the workload: When we block (unsanction) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created this way, it checks the box to generate an alert when the indicator is triggered. We would like to automatically uncheck the box or disable the alerts described.

Possible to disable the custom alert in settings? No. Why? Explanation: You cannot suppress "custom detection". But they are categorized as "Informational" and you can suppress by alert severity.

Solutions: IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the Resolved incident ingestion and falsify your SOC optimization reports. The rule automatically closes only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:

Rule Analysis: From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts.
So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review.

Regards,

New Email Response Actions in Microsoft Defender XDR
Hi, can Microsoft please allow the use of punctuation when adding a new rule name or in the description for this functionality? The example below is when adding a new rule name using a hyphen (so that on first look, a user can see that the rule was created for a manual action). In the description, it doesn't allow you to use any commas or any full stops (periods).

MS Defender for Endpoint Onboarding Method Overview
Finding it hard to protect all your devices with Microsoft Defender for Endpoint? Maybe you are just not aware yet of all the methods available to onboard new devices! In this blog post, I'll provide a high-level overview of all the methods available:
- Microsoft Intune
- Onboarding packages or scripts
- Device Discovery
- Personal Devices
- Azure
- Azure Arc
- Direct Onboarding (NEW)
After reading this, you will be able to choose the perfect MDE onboarding method for your situation! https://myronhelgering.com/mde-onboarding-method-overview/

Defender Slowness Issue
Hi Team, developers have been experiencing extreme slowness lately. When we add an exclusion for C: as in the screenshot below, it goes back to normal. Excluding C: is like saying don't touch C: at all. As you know, this is not the correct solution. Is there anything we can do to optimize this situation? Also, you can find the Defender Performance Analyzer results in the attached files. Thanks in advance for your support.

Remove access rights on suspicious accounts with the Admin SDHolder permission
Hi, can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS", but it displays "Users affected - No data to show" and under "Exposed Entities" it is blank with a line at the bottom displaying: {ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}

Just over 24 hours after initial detection, the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users", but it is still marked as "To address". Also please note the "More Information" links do not point to any useful or specific information for this improvement action. Thanks, Gary

Ninja Show Episode 1 Season 4 is available!
Did you miss our show today? No worries - we have the recording up for you already!! Investigation Capabilities in M365 Defender | Virtual Ninja Training with Heike Ritter - YouTube. The new files page we are showing will be available in public preview at the end of this month. If you have any questions on this topic, please ask them! Also, please let us know how you liked it and share your ideas for additional episodes 🙂

Ninja Show Season 4 is coming! Content request?
Hi community!! Season 4 is coming - hurray!! Do you have any topics around Microsoft 365 Defender (and the various Defender workloads) you would like us to cover? It needs to be possible to cover in 20-30ish minutes and be realistic ;). Thank you in advance for your answers! Heike

ASR Exclusions
Hi all, I've been experimenting with ASR exclusions at several clients with the same results...
1. Rules in Audit mode, exclusion added, but files keep coming back in the report for all exclusions...
2. Using Get-MpPreference on the endpoint does not show any exclusion at all.
Endpoints are W10/11 22H2.

My questions are:
1. Do exclusions only get pushed to the endpoint in block mode?
2. Exclusions are being added to the ASR policy; do I need to set them somewhere else? GPO?
3. If I create an audit policy and a block policy with different group assignments, setting the same exclusions in both, and move the endpoint from the audit group to the block group, will this work? I've been told only one ASR policy can be in place, audit or block....
4. Per-rule exclusions, I've been told not to use... not working... is this true?
Thank you

Ninja Cat Giveaway: Episode 10 | Identity Threat Detection and Response
For this episode, your opportunity to win a plush ninja cat is the following – Our season finishes here! After learning about this last topic, tell us your thoughts on the Microsoft 365 Defender approach to ITDR.

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

Ninja Cat Giveaway: Episode 6 | SaaS security posture management (SSPM)
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: Share with us the most valuable piece of information you gained from David's demo on SSPM!

This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Recent Blogs
- Do you want to become a ninja for Microsoft Defender XDR? We can help you get there! (Dec 16, 2024)
- Microsoft Defender XDR Monthly news December 2024 Edition: This is our monthly "What's new" blog post, summarizing product updates and various new assets w... (Dec 09, 2024)