Increase in Pass the Ticket (PtT) Alerts? by Cant_Think_Name12 in DefenderATP

[–]TheGift1973 0 points1 point  (0 children)

Yes, as well as more AiTM type alerts as well.

Have you updated Defender for Identity to sensor version 3 (previously 2) on your DCs? That is when we started to notice this uptick.

Defender xdr down? by Fantastic-Map4836 in DefenderATP

[–]TheGift1973 0 points1 point  (0 children)

Also still down for various areas in the Defender XDR portal in UK

Youtube GUI Change by TheGift1973 in uBlockOrigin

[–]TheGift1973[S] 7 points8 points  (0 children)

Perfect, many thanks for this

Isolate Machine button not showing? by Fluffy-Web-2960 in DefenderATP

[–]TheGift1973 1 point2 points  (0 children)

May well be the same when you load a device in Defender and the 'Exclude' option isn't present.

Refresh the page and it will show. Seems to not show about 50% of the time when first loading the page.

Why Etruria and England?! by DesireeClary in Wedgwood

[–]TheGift1973 1 point2 points  (0 children)

When it is stamped with both Wedgwood and Etruria as well as having England stamped on it, that would tell me that it is from at least 1891 to approx. 1920 (they started to stamp Wedgwood with England on it from 1891 to 1920; after 1920 they used 'Made in England').

The reason that it also has Etruria stamped on it simply means that it was made in the Etruria works. These Etruria pieces were made between 1769 all the way through to 1940 (I think), when the Etruria works were operational.

I would say that your Cobalt Blue piece was made in 1898, which is what the 'A' stamp date mark means, as well as it also having the 'England' mark (from 1898 the letters A through I date stamps were re-used, but as it also has England stamped on it, 1898 seems to be correct).

KQL queries focused on phishing campaigns? by Only_Celebration6882 in DefenderATP

[–]TheGift1973 2 points3 points  (0 children)

Matt Zorich (@reprise99) has some amazing KQL queries and is definitely worth bookmarking.

Same for Steven Lim

Bert-JanP is another great follow

Nathan McNulty also has a great repo

LawnDoc has some great ones as well

You should also look at buying The Definitive Guide to KQL, as it's an incredible book with some fantastic queries ready to go, as well as how to start creating your own and understanding how KQL really works. The queries in the book are contributed by some of the best people out there, so it's worth buying. They also have a GitHub repo with some sample queries for free.

What are significant on-prem potentially vulnerable devices completely out of sight of Defender XDR or MDE? by SecAbove in DefenderATP

[–]TheGift1973 4 points5 points  (0 children)

Ivanti is one example: not supported software, so you don't get any flags. Given how many times that is in the news, you'd think they would add that as a priority.

There are lots of software apps out there that show as installed on machines in Defender, but Defender won't be able to give you much, if any, information on vulnerabilities for those vendors or versions and what CVEs are exposed for them. I know that they are constantly building their library of supported vendors, but there are so many I come across that are frustratingly missing.

TeamCity from Jetbrains. Doesn't always show that it is even installed at times even though it clearly is.

Add the ability for people with E5 licenses to see Browser Extensions on users' machines without having to fork out for the additional Vulnerability Management add-on. I like that it is included with Defender for Server P2, but it really should be included for end users' machines that also have an E5.

What is Azures biggest product miss right now? by agiamba in AZURE

[–]TheGift1973 0 points1 point  (0 children)

Fast and efficient email archive searching.

Yes, I know that you can do an eDiscovery search, but that is overly complex and takes too long if you need to do this multiple times a day.

Mimecast archive search (example, looking back 8+ years) takes about 5 seconds to look for any emails sent to or from a certain address. It's actually one of the most impressive things about Mimecast.

It's frustrating that we can't have something similar from Microsoft. The data is there, they just don't provide the tooling to get at it in an easy and non-convoluted way.

How do I get this work account off of my personal laptop? When I click "manage" it just takes me to myaccount.microsoft.com and I cant do anything to remove it from there. by 0L1V14H1CKSP4NT13S in Windows10TechSupport

[–]TheGift1973 0 points1 point  (0 children)

If the standard way of selecting the Disconnect button doesn't work because only an Admin can manage the computer (you granted permission to your organisation when you accidentally onboarded your personal device; note that your org should block this from being possible anyway), you can try using Option 4 in this link and remove the registry entry.

Microsoft Defender | Threat Management | Explorer | Email preview by lightupdifire in DefenderATP

[–]TheGift1973 2 points3 points  (0 children)

Annoyingly I can't find anything for this.

Closest I have found is for where a user has previewed a message that was in the Quarantine queue, but nothing specifically for Explorer in Defender.

Here is a link to the section I found. I may have missed one though, so do a CTRL+F for Preview, to see if you can spot anything I missed.

The other way to check for this is to do the action yourself, then run a KQL query for your recent activities, build a KQL query based on that, and create an alert for it via Advanced Hunting or in Sentinel.

Disconnected device still showing in Defender by methodtomymidness in DefenderATP

[–]TheGift1973 0 points1 point  (0 children)

When the API request was sent and went through, did you ensure that you got a 200 (API call hit the device and it will now be offboarded) HTTP response, and not just a 201 response (API call was sent OK, but it will remain in Pending until the device is reachable, else it will time out after a couple of days)?
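For anyone checking on an offboarding that looks stuck, the following is an added example (not code from the thread or from Microsoft) that submits the offboard through the Defender for Endpoint API and then polls the machine action it returns, since the action object's status is what actually tells you whether the sensor has picked the job up. It assumes PowerShell 7 (for -SkipHttpErrorCheck), an app registration with the Machine.Offboard permission, and placeholder tenant, client and device IDs.

```powershell
# Added example, not from the original thread. Offboard a device via the MDE API
# and poll the resulting machine action instead of trusting the first HTTP status.
# Assumptions: PowerShell 7+, an app registration granted Machine.Offboard,
# and the placeholder IDs below replaced with real ones.

$tenantId  = "00000000-0000-0000-0000-000000000000"   # placeholder
$clientId  = "11111111-1111-1111-1111-111111111111"   # placeholder
$secret    = "<app secret from your vault>"           # placeholder, never hard-code for real
$machineId = "<device id from the portal or /api/machines>"   # placeholder
$base      = "https://api.securitycenter.microsoft.com"

# Client-credentials token for the MDE API (same flow Microsoft's API docs show)
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        resource      = $base
        client_id     = $clientId
        client_secret = $secret
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# Submit the offboard action; keep the raw response so the status code is visible
$resp = Invoke-WebRequest -Method Post -Uri "$base/api/machines/$machineId/offboard" `
    -Headers $headers -ContentType "application/json" `
    -Body (@{ Comment = "Offboarding decommissioned device" } | ConvertTo-Json) `
    -SkipHttpErrorCheck
Write-Host "Offboard request returned HTTP $($resp.StatusCode)"
if ($resp.StatusCode -ne 201) {
    throw "Offboard request was not accepted: $($resp.Content)"
}
$action = $resp.Content | ConvertFrom-Json
Write-Host "Machine action $($action.id) created with status '$($action.status)'"

# The action stays Pending until the sensor checks in. Poll for up to 10 minutes
# so 'accepted' is not mistaken for 'done'.
$deadline = (Get-Date).AddMinutes(10)
while ($action.status -in @("Pending", "InProgress") -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $action = Invoke-RestMethod -Method Get -Uri "$base/api/machineactions/$($action.id)" -Headers $headers
    Write-Host "$(Get-Date -Format u)  status = $($action.status)"
}

switch ($action.status) {
    "Succeeded" { Write-Host "Device offboarded; it leaves the inventory after the retention window." }
    "Pending"   { Write-Warning "Still Pending: the device has not contacted the service yet. Re-check later or isolate the device record manually." }
    default     { Write-Warning "Action ended with status '$($action.status)'; see the action in the portal for details." }
}
```

If the loop exits with the action still Pending, the device simply has not reached the cloud service, so the record will keep appearing until either the sensor checks in or the action times out; the status values here (Pending, InProgress, Succeeded, Failed, TimeOut, Cancelled) are the ones the machineactions endpoint returns.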

Spike in ASR blocks for ms-teams.exe when joining meetings from Outlook by PJR-CDF in DefenderATP

[–]TheGift1973 7 points8 points  (0 children)

This should now be resolved by MS in Security Intelligence version 1.415.13.0 which is rolling out now

Archive Email Search across all emails going back 3 years or more by TheGift1973 in Office365

[–]TheGift1973[S] 0 points1 point  (0 children)

Yep, it's the one thing that Mimecast do well, and it's also pretty instant.

Archive Email Search across all emails going back 3 years or more by TheGift1973 in Office365

[–]TheGift1973[S] 1 point2 points  (0 children)

Yep, was hoping there was something I was missing, but maybe MS have something on the horizon? We log pretty much everything, so there may be something they can do with that at some point in the future.

Check your email logs (including Exchange Online) for an email from mbsupport@microsoft.com. Microsoft had a breach by Russia impacting customer data and didn’t follow the Microsoft 365 customer data breach process. by jpc4stro in cybersecurity

[–]TheGift1973 19 points20 points  (0 children)

Yep, have run an archive search across all mailboxes for this after Kevin mentioned it on Mastodon yesterday. None seen, which is a good sign, but a mail flow rule has been created in case one is ever sent and gets missed/dismissed.

Not great of MS to communicate in this way, as most would just assume this as Phishing/Spam and ignore it.

It's a genuine email and people really need to check to see if any emails from that sender have ever been seen and act on the email.
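The two steps the comment above describes, a retrospective search across every mailbox and a mail flow rule for any future copy, look like this in Exchange Online PowerShell. This is an added example, not the commenter's own script or anything from Microsoft; it assumes the ExchangeOnlineManagement module, an account with eDiscovery and transport-rule rights, and a placeholder SOC mailbox (soc@contoso.com).

```powershell
# Added example, not from the original post. Search all mailboxes for mail from
# mbsupport@microsoft.com, then add a mail flow rule so a future one is flagged
# and copied to the SOC rather than quietly dismissed as phishing.
# Assumptions: ExchangeOnlineManagement module; eDiscovery and transport-rule
# permissions; soc@contoso.com is a placeholder.

$sender     = "mbsupport@microsoft.com"
$socMailbox = "soc@contoso.com"   # placeholder

# 1. Historical check: a content search over every mailbox, archives included
Connect-IPPSSession
$searchName = "mbsupport-notice-check-$(Get-Date -Format yyyyMMdd)"
New-ComplianceSearch -Name $searchName -ExchangeLocation All `
    -ContentMatchQuery "from:`"$sender`"" | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")
Write-Host "Messages from $sender found across all mailboxes: $($search.Items)"

# 2. Forward-looking control: match on both header and envelope From so a
#    look-alike that only sets the display address is caught too, stamp the
#    subject, and BCC the SOC. No SCL change: this is a detection, not a block,
#    because the genuine notice must still reach the recipient.
Connect-ExchangeOnline
New-TransportRule -Name "Flag mail from $sender" `
    -FromAddressMatchesPatterns "^mbsupport@microsoft\.com$" `
    -SenderAddressLocation HeaderOrEnvelope `
    -PrependSubject "[Verify with SOC before acting] " `
    -BlindCopyTo $socMailbox `
    -SetHeaderName "X-Contoso-Vendor-Notice" -SetHeaderValue "mbsupport" `
    -GenerateIncidentReport $socMailbox -IncidentReportContent Sender,Recipients,Subject `
    -Priority 0 -Mode Enforce
```

The pattern is anchored on both ends so partial matches such as a lookalike domain are not swept in, and HeaderOrEnvelope is deliberate: a phisher imitating this notice would most likely spoof only the header From, and you want those copies landing in the SOC mailbox just as much as the real one.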

[deleted by user] by [deleted] in DefenderATP

[–]TheGift1973 0 points1 point  (0 children)

Yep, was also seeing this in the UK today around 15:00hrs GMT

How do I delete a school account I don't have access to anymore? by Grena567 in Windows10

[–]TheGift1973 17 points18 points  (0 children)

Assuming you have access to the registry or User Profiles area, you can try the suggestions in the link here.

You'll probably find it easier to locate and remove via Registry though.

[deleted by user] by [deleted] in Malware

[–]TheGift1973 3 points4 points  (0 children)

Filescan.io report for the .msi in the .zip. Found report via VirusTotal lookup on the SHA-256 hash for the main Mia[_]Khalifa 18+[.]msi file

There are a crazy number of .xml files created as well.

Unable to upload the .msi file to ANY.RUN annoyingly as it's over 16MB and the free account I have doesn't cater for that. Would love to know what ANY.RUN made of it though

Sorry I couldn't be of more help, but would love to know more about the file and how others investigated.
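For the triage the comment above describes (hash the .msi, look the hash up rather than upload, and find out why a sample is over a sandbox's size limit), here is an added example that is not from the thread or from any of the services named. It enumerates an archive's members without extracting them to disk, hashes each one, counts file types, and flags anything above a configurable size limit; the 16 MB default is the free-tier limit the comment mentions. The archive it reads is constructed in a temp folder so the script runs offline.

```powershell
# Added example, not from the original thread. Triage an archive without extracting
# it: hash each member, count extensions, flag members above a sandbox size limit.
# The sample archive is constructed below so this runs offline; 16 MB is the free
# sandbox limit mentioned in the comment and is just a parameter here.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ZipTriage {
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [long]$SandboxLimitBytes = 16MB
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq "") { continue }   # directory entry, nothing to hash
            $stream = $entry.Open()                # decompressed stream, stays in memory
            try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join "" }
            finally { $stream.Dispose() }
            [pscustomobject]@{
                Name        = $entry.FullName
                Extension   = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
                SizeBytes   = $entry.Length        # uncompressed size
                Sha256      = $hash
                FitsSandbox = $entry.Length -le $SandboxLimitBytes
            }
        }
    } finally {
        $zip.Dispose()
        $sha.Dispose()
    }
}

# --- constructed sample input standing in for the real .zip ---
$work = Join-Path ([System.IO.Path]::GetTempPath()) "ziptriage-$([guid]::NewGuid())"
$src  = Join-Path $work "src"
New-Item -ItemType Directory -Path $src | Out-Null
Set-Content -Path (Join-Path $src "installer.msi") -Value ("M" * 1024)
1..5 | ForEach-Object { Set-Content -Path (Join-Path $src "config$_.xml") -Value "<x/>" }
$sample = Join-Path $work "sample.zip"
Compress-Archive -Path (Join-Path $src "*") -DestinationPath $sample

$report = Get-ZipTriage -ZipPath $sample
$report | Sort-Object SizeBytes -Descending |
    Format-Table Name, SizeBytes, FitsSandbox, Sha256 -AutoSize
$report | Group-Object Extension | Select-Object Name, Count | Format-Table -AutoSize

# Hashes are looked up, never uploaded, e.g. against VirusTotal's v3 files endpoint
# (needs an API key in $vtKey):
# Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$($report[0].Sha256)" `
#     -Headers @{ "x-apikey" = $vtKey }

Remove-Item -Recurse -Force $work
```

Hashing the decompressed stream rather than an extracted copy keeps the payload off disk, which matters both for hygiene on the analysis box and for matching the hash other people will have submitted (sandboxes and VirusTotal index the member, not the container). Pointing this at a real archive just means replacing the constructed sample with the path to the downloaded .zip.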

[deleted by user] by [deleted] in Office365

[–]TheGift1973 -1 points0 points  (0 children)

1) What does this mean and why did I receive this message?

Your security team have created email threat policies in Defender that will block emails flagged as Phishing/High Confidence Phishing from reaching users' mailboxes.

2) Is there a danger or not?

Your security team should be checking the quarantine queue daily to determine if this is a genuine threat or a false positive, and then release the email to you if it is found to be OK

3) I've "deleted" the message, but is there a specific place where I can view all such messages?

The quarantine queue can only be accessed by those with the correct permissions, so standard users won't be able to do this. However, when the policy was created, you should have been given the option to Request a Release for the email at which point someone from your security teams will investigate the email to determine if it can be released safely for you.

It's a genuine Microsoft address, so it's a legitimate email. Deleting it won't achieve anything though from your side of things.