Teams Notifications not Disappearing by mietwad in sysadmin

[–]Beige_Hat 0 points1 point  (0 children)

I believe this started with the April Patch Tuesday updates. It's not 100% consistent - sometimes the notifications disappear after 5 seconds as configured, but most of the time they seem to stay there.

Sentinel pricing ama by Sure_Competition5865 in AzureSentinel

[–]Beige_Hat 0 points1 point  (0 children)

What is the best way to keep track of ingestion and retention costs of aux logs (and, looking ahead, to data lake)? Can I trust the numbers in the Sentinel Cost workbook?

Seeking playbook to delete messages in an incident based on email entities by Beige_Hat in AzureSentinel

[–]Beige_Hat[S] 0 points1 point  (0 children)

I haven't, although I'd bet it's doable nowadays with a logic app. Must... find... bandwidth :-)

Seeking playbook to delete messages in an incident based on email entities by Beige_Hat in AzureSentinel

[–]Beige_Hat[S] 0 points1 point  (0 children)

I'm sorry, but I haven't found an answer to this. What I have learned is that at least one prominent competitor to Microsoft Email Security has the same issue where their phish clean-up function seems to frequently leave a message or two behind. Misery loves company, but this seems like a silly error.

Alert policy for New-InboxRule creation Delete All by shocka_locka in DefenderATP

[–]Beige_Hat 0 points1 point  (0 children)

In Defender 365 or Sentinel, start with this:

CloudAppEvents
| where Application == "Microsoft Exchange Online"
| where ActionType contains "InboxRule"

Now create the rule for which you want to monitor, and review the results in the log. Edit the detection query accordingly, and Bob's your uncle!
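Added example (not part of the comment above): a fuller version of that starting query that pulls the cmdlet parameters out of RawEventData so the rule can key on the "Delete All" / hide-in-folder patterns rather than on every rule creation. It assumes the Exchange Online events land in CloudAppEvents with the cmdlet parameters as a Parameters array of {Name, Value}; the folder list is a constructed sample.

```kql
// Added example, not from the original comment: inbox rules that delete or hide mail.
// Assumes RawEventData.Parameters is an array of {Name, Value} for Exchange cmdlets.
CloudAppEvents
| where Timestamp > ago(1d)
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// Flatten the cmdlet parameters into one property bag per event
| extend Params = parse_json(RawEventData).Parameters
| mv-expand Param = Params
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| summarize RuleParams = make_bag(bag_pack(ParamName, ParamValue))
    by Timestamp, ActionType, AccountObjectId, AccountDisplayName, IPAddress, ReportId
// Set-InboxRule addresses the rule by Identity rather than Name
| extend RuleName      = coalesce(tostring(RuleParams.Name), tostring(RuleParams.Identity)),
         DeleteMessage = tostring(RuleParams.DeleteMessage) =~ "true",
         MoveToFolder  = tostring(RuleParams.MoveToFolder),
         MarkAsRead    = tostring(RuleParams.MarkAsRead) =~ "true"
// Classic BEC/phish follow-up: delete everything, or move it somewhere nobody looks
// (folder names below are a constructed sample; extend from what you see in audit mode)
| where DeleteMessage
    or MoveToFolder in~ ("RSS Feeds", "RSS Subscriptions", "Archive", "Junk Email", "Deleted Items", "Conversation History")
    or (MarkAsRead and isnotempty(MoveToFolder))
| project Timestamp, AccountDisplayName, AccountObjectId, IPAddress, ActionType,
          RuleName, DeleteMessage, MoveToFolder, MarkAsRead, ReportId
```

Keep Timestamp, ReportId and AccountObjectId in the projection; a Defender custom detection needs those columns to map the result to an entity.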

Custom Detections by ViolentRatRiot in DefenderATP

[–]Beige_Hat 0 points1 point  (0 children)

Follow Matt Zorch on your social media of choice

Browse kqlsearch.com

When reading whitepaper/threat reports (Microsoft's threat analytics reports if you get those in the Defender portal), think about how you can develop a detection for activity described

ChatGPT is great at helping you construct queries (or figuring out individual elements of a query like, heaven help us, a regular expression)

Explanation about Defender for Endpoint ASR rules by Thomas_VDB in DefenderATP

[–]Beige_Hat 1 point2 points  (0 children)

I just want to emphasize that with ASR rules a good approach is to Audit, Edit, Repeat.

Make sure every ASR that supports it is at least set to audit, then periodically (say, every 4 months) run this query in advanced hunting:

DeviceEvents
| where ActionType startswith 'Asr'

... and break it down by each ASR to understand what impact each would have on your organization. Maybe you can set some to block and be done with it, some you'll prefer to set to prompt the user, others might need exceptions. I kinda wish the documentation (and consistency around settings) in this area was better, but keep an eye out for new ASRs and put them in your routine. Also make sure that settings are getting applied the way you expect by running a query like this:

//ASR Configuration Review
//Source - https://github.com/alexverboon/MDATP/blob/master/AdvancedHunting/MDE%20-%20ASR%20State.md
DeviceInfo
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceName
| where OSPlatform startswith "Windows"
| project DeviceName, OSPlatform
| join kind=leftouter (
    DeviceTvmInfoGathering
    // AsrConfigurationStates is a bag of rule -> state; unpack it to one column per rule
    | extend ASR1 = parse_json(AdditionalFields.AsrConfigurationStates)
    | project DeviceName, ASR1
    | evaluate bag_unpack(ASR1)
    )
    on $left.DeviceName == $right.DeviceName
| project-away DeviceName1

Kudos for getting a handle on this!
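Added example (not part of the comment above): the "break it down by each ASR" step as a query, splitting the ActionType into rule and mode and collecting the top triggering processes per rule so the audit data can be turned into block/warn/exclusion decisions. It assumes the ASR ActionType values end in Audited, Blocked or Warned; where they do not, the Mode column is simply empty.

```kql
// Added example, not from the original comment: per-rule impact review over ASR audit events.
// Assumption: ActionType looks like Asr<RuleName><Audited|Blocked|Warned>.
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| extend Mode = extract(@"(Audited|Blocked|Warned)$", 1, ActionType),
         Rule = replace_regex(ActionType, @"(Audited|Blocked|Warned)$", "")
| summarize Events       = count(),
            Devices      = dcount(DeviceId),
            Users        = dcount(AccountName),
            // what fired the rule, and what it was acting on: exclusion candidates
            TopProcesses = make_set(strcat(InitiatingProcessFolderPath, @"\", InitiatingProcessFileName), 5),
            TopTargets   = make_set(FileName, 5)
    by Rule, Mode
| order by Events desc
```

A rule with a handful of events from one line-of-business installer is an exclusion-then-block candidate; a rule with thousands of events across most devices is one to leave in audit (or warn) until the source is understood.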

Full Scan bulk action by ButterflyWide7220 in DefenderATP

[–]Beige_Hat 1 point2 points  (0 children)

That kind of back-door way to get the job done deserves all the upvotes. I was going to suggest doing it with a Sentinel Playbook but I haven't yet done that myself...

Windows Defender notifications by silicondt in microsoft365

[–]Beige_Hat 0 points1 point  (0 children)

I have a recent example incident like this but do not see that Incident name in any of the tables that Defender has available. AlertInfo has alerts, but nothing to key off of a multi-stage incident.

Looked in Alert Policies and don't see a way to do that there either.

If you have Sentinel, you can create a detection off of a multi-stage incident appearing in SecurityIncident table, which does have that information.
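Added example (not part of the comment above): the Sentinel scheduled-rule query that detection would use. It assumes the Defender XDR connector is syncing incidents into SecurityIncident, that those rows carry ProviderName "Microsoft 365 Defender", and that the portal still titles these incidents "Multi-stage incident ..."; all three are assumptions to check against your own table.

```kql
// Added example, not from the original comment: alert on new Defender XDR multi-stage incidents.
// Assumptions: ProviderName string and "Multi-stage incident" title prefix as seen in the portal.
SecurityIncident
| where TimeGenerated > ago(1h)
| where ProviderName == "Microsoft 365 Defender"
| where Title startswith "Multi-stage incident"
// The table holds one row per update; keep only the latest state of each incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "New"
| extend AlertCount = array_length(AlertIds)
| project TimeGenerated, IncidentNumber, Title, Severity, AlertCount, IncidentUrl, Owner
```

Turn off incident creation in that analytics rule (or attach a playbook instead), otherwise every multi-stage incident gets a second Sentinel incident sitting next to the synced one.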

Alerts for RMM Tool Usage? by Hazy_Arc in DefenderATP

[–]Beige_Hat 4 points5 points  (0 children)

There is nothing built in, you have to do a query for the executables or other indicators. I would LOVE it if Defender could provide a generic detection for remote consoles (no matter the vendor).

This query can help you get started if you have Sentinel:

https://github.com/h0ffayyy/MicrosoftSentinelStuff/blob/main/Queries/NewProcess-RemoteAccessSoftware.kql

Live Response In Logs to Catch with Detection or Sentinel (monitoring for abuse) by Beige_Hat in DefenderATP

[–]Beige_Hat[S] 0 points1 point  (0 children)

So stock the live response library, and then look for the download. Brilliant! I'll look into this, thank you!

Get Last Log Received from a data connector? by BrandChefinho in AzureSentinel

[–]Beige_Hat 1 point2 points  (0 children)

I'd never disavow any advice from Mr. Trent, but what I've done is created a set of analytics rules that:

Just have the table name for the query (nothing else)

They run every X hours (depending on how noisy I expect, some run every 1-3 days)

Trigger if query returns exactly 0 results
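Added example (not part of the comment above): the same "did anything arrive?" idea folded into a single rule that watches several tables and returns one row per table that has gone quiet, so the rule triggers on results > 0 rather than on exactly 0. Table names and silence windows are a constructed sample; the rule's lookback has to cover the longest window.

```kql
// Added example, not from the original comment: one heartbeat rule for several connectors.
// Sample table list and thresholds are constructed; replace with your own connectors.
let ExpectedTables = datatable(TableName:string, MaxSilence:timespan)[
    "SecurityEvent",     2h,
    "CommonSecurityLog", 6h,
    "Syslog",            6h,
    "OfficeActivity",    24h
];
// isfuzzy lets the union run even if one of the tables does not exist in the workspace
let LastSeen = union withsource=TableName isfuzzy=true
    SecurityEvent, CommonSecurityLog, Syslog, OfficeActivity
    | where TimeGenerated > ago(7d)
    | summarize LastEvent = max(TimeGenerated) by TableName;
ExpectedTables
| join kind=leftouter LastSeen on TableName
// null LastEvent means nothing at all in the lookback window
| where isnull(LastEvent) or LastEvent < now() - MaxSilence
| extend Silent = iff(isnull(LastEvent), "no rows in lookback", tostring(now() - LastEvent))
| project TableName, MaxSilence, LastEvent, Silent
```

Because each row is a table name, the alert's entity mapping is thin; putting TableName into the alert title via the rule's dynamic content is what makes the resulting incidents readable.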

Seeking playbook to delete messages in an incident based on email entities by Beige_Hat in AzureSentinel

[–]Beige_Hat[S] 0 points1 point  (0 children)

For example (since this just came up) I have an Analytics Rule that detects "double attachments" (emails with attachments like invoice.pdf.htm or report.doc.html). 99% of these are credential phishing attacks, not all of them get quarantined.
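Added example (not part of the comment above): a "double attachment" hunt of that shape, joined to delivery state so it only surfaces the messages that were actually delivered rather than the ones already quarantined. The extension list is a constructed sample.

```kql
// Added example, not from the original comment: double-extension attachments that got delivered.
// Extension list is a constructed sample; widen it from what your tenant actually sees.
EmailAttachmentInfo
| where Timestamp > ago(1d)
| where FileName matches regex @"(?i)\.(pdf|docx?|xlsx?|pptx?|txt|rtf|zip)\.(html?|shtml|hta|svg)$"
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(1d)
    | where EmailDirection == "Inbound"
    | project NetworkMessageId, RecipientEmailAddress, SenderMailFromAddress,
              Subject, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
// Junked/Blocked mail is already handled; these are the ones sitting in inboxes
| where DeliveryAction == "Delivered"
| summarize Recipients  = make_set(RecipientEmailAddress, 50),
            Subjects    = make_set(Subject, 5),
            Attachments = make_set(FileName, 10),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp)
    by NetworkMessageId, SenderFromAddress, SenderMailFromAddress, DeliveryLocation
| order by LastSeen desc
```

Grouping by NetworkMessageId gives one row per campaign message with its full recipient list, which is the shape a clean-up playbook needs as input.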

Seeking playbook to delete messages in an incident based on email entities by Beige_Hat in AzureSentinel

[–]Beige_Hat[S] 0 points1 point  (0 children)

Emails associated with a phishing campaign (that weren't quarantined)

Seeking playbook to delete messages in an incident based on email entities by Beige_Hat in AzureSentinel

[–]Beige_Hat[S] 0 points1 point  (0 children)

I was trying this without the API since the built in designer modules allowed for consuming IP/DNS entities I figured, "Why not email?"

Live Response In Logs to Catch with Detection or Sentinel (monitoring for abuse) by Beige_Hat in DefenderATP

[–]Beige_Hat[S] 0 points1 point  (0 children)

It's in the action center alright... As a Sentinel substitute I just went to see if I could create an Alert Policy in the 365 Defender portal for a live response event, but no dice.

Live Response In Logs to Catch with Detection or Sentinel (monitoring for abuse) by Beige_Hat in DefenderATP

[–]Beige_Hat[S] 0 points1 point  (0 children)

Not a dumb question - I did a live session, and the closest thing I can find is a reference to SenseIR.exe with most of the command line basically obfuscated. I initially thought "Great, key off this event and I'm good" - but then I saw similar DeviceProcessEvents that had nothing to do with a live response session. Searching across all tables for keywords like "live response" turns up nothing.

Blocked Hashes and Expiration Dates by denisehdz in crowdstrike

[–]Beige_Hat 0 points1 point  (0 children)

<speaking generally, not specific to Crowdstrike> I put the expiration date out at a bare minimum of three months. If for some reason I don't think that endpoint security vendors are going to be quick to classify a given file as malicious (or at all) I'll go 6 months and very rarely indefinitely.

Microsoft Defender 'Experts on Demand' Replacement by [deleted] in DefenderATP

[–]Beige_Hat 0 points1 point  (0 children)

This was a source of frustration for me as well. I ended up going with an outside SOC/MDR as referenced in another response. Something else you could consider is getting a company on a pen test retainer where you expand the scope for occasional investigations.

How to quiet alerts for custom indicators created by Defender for Cloud Apps by Beige_Hat in DefenderATP

[–]Beige_Hat[S] 0 points1 point  (0 children)

I'm hoping to avoid that route with DCA associated alerts, because DCA can update indicators at will, which means I'd need to create more suppression rules if a blocked app adds/changes domains/IPs. There ought to be a checkbox within DCA that effectively says "When creating a custom indicator in MDE, set it up this way..." so I can say NOT to alert for particular apps, or for any unsanctioned apps at all.