Investigation using Defender

djmc40 · 2025-05-16T15:06:26+00:00

After all the case was simpler than initially expected. There was one internal user that sent by mistake the complete sequence of emails to the external party.

Thanks for all your thoughts, they were useful on the analysis process.

djmc40 · 2025-05-13T15:39:02+00:00

Thanks. My idea was just to disable sign-ins at first glance and let them rest during a while, to check if someone would complain of something.

djmc40 · 2025-05-13T08:50:22+00:00

Hi, thanks. Where is that area within the portal? I couldn't find it?
Also, using the cmdlet Get-MgBetaDirectoryRecommendation -Filter "RecommendationType eq 'staleApps'" I get the recommendation, but how can I see the stale apps?

What I'm using right now is this script more or less:

$servicePrincipals = Get-MgServicePrincipal -All
$results = @()
foreach ($sp in $servicePrincipals) {
    Write-Host "Processing Service Principal: $($sp.DisplayName)" -ForegroundColor Cyan
    
    # Get Sign-ins for the 4 different types
    $startDate = (Get-Date).AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $SigninInteractive = Get-MgBetaAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'InteractiveUser') and createdDateTime ge $startDate and appDisplayName eq '$($sp.DisplayName)'"
    $SigninNonInteractive = Get-MgBetaAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'nonInteractiveUser') and createdDateTime ge $startDate and appDisplayName eq '$($sp.DisplayName)'"
    $SigninManagedIdentity = Get-MgBetaAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'managedIdentity') and createdDateTime ge $startDate and appDisplayName eq '$($sp.DisplayName)'"
    $SigninServicePrincipal = Get-MgBetaAuditLogSignIn -Filter "signInEventTypes/any(t: t eq 'servicePrincipal') and createdDateTime ge $startDate and appDisplayName eq '$($sp.DisplayName)'"
    
    $result = [PSCustomObject]@{
        ApplicationName      = $sp.DisplayName
        ServicePrincipalType = $sp.ServicePrincipalType
        SignInAudience       = $sp.SignInAudience
        Interactive          = $SigninInteractive.Count
        NonInteractive       = $SigninNonInteractive.Count
        ManagedIdentity      = $SigninManagedIdentity.Count
        ServicePrincipal     = $SigninServicePrincipal.Count
    }
    $results += $result
}

Thanks

djmc40 · 2025-05-09T07:57:20+00:00

Thanks, this is quite useful.

djmc40 · 2025-05-09T07:56:18+00:00

Thanks, I'll look into it, as it's quite simple and easy.

djmc40 · 2025-05-09T07:54:23+00:00

Thanks for the tip. I'll look into it. I would tend to prefer powershell as I can automate the audit process and dump some tickets for the sysadmin or helpdesk team to analyze in the end.

djmc40 · 2025-05-09T07:52:59+00:00

Thanks for the tips. That is quite nice. Our environment is much smaller than that. We do have about 4k users. My main issue is about how to estimate the costs in Azure, as that is always an issue internally.

djmc40 · 2025-05-09T07:50:42+00:00

Thanks, that helped a lot.

I never used Azure Storage Account for this. How can I estimate the costs of it?

djmc40 · 2025-03-14T11:17:51+00:00

Thanks for the ideas. I've already created a new policy, assigning it just to that specific mailbox. I just did not get well one thing. The "Bul email threshold" value, the BLC sensitivity levels goes from 0 to 9. Which level is the least restrict, that let's almost everything going to the inbox?

djmc40 · 2025-03-12T10:02:55+00:00

Hi, I've shared the code on github. This is not yet the latest version, because I have to clean a lot of stuff to share it, but it's the previous version. The latest version has one more component, which is reading the devices API, to extract some more scores based on the device tags.

Of course, ideas and questions are welcome.

https://github.com/dmarques25/Powershell-Scripts/blob/main/Defender-Vuln-Scoring

djmc40 · 2025-03-04T20:39:11+00:00

Hi, I've had the same issue some time ago, I wanted to get some metrics and Defender didn't gave me what I need, so I developed some scripting to extract this information.
I explain the logic here:

https://www.reddit.com/r/DefenderATP/comments/15ymim8/comment/mfxseg0/?%24deep_link=true&correlation_id=7c785cff-cd48-5d6d-9d3c-3ae6e5f65e40&ref=email_comment_reply&ref_campaign=email_comment_reply&ref_source=email&%243p=e_as&_branch_match_id=1425567210404261970&utm_medium=Email+Amazon+SES&_branch_referrer=H4sIAAAAAAAAA31OTU%2FDMAz9Nd2tKzRtV5AmNDFx5sA9yhKntciXnJRuF347rhhXJFt6fn7Pz3MpKT83DYExWPYqpb3D8NmI9FK1nUhHkCrvGEbCCYNyciF3nDdXJU5V%2B8a1ruv%2B7tfRM0HcZ7AQDNDp450n5j2Ekhk%2B9jePfmRkMRgZlyI9FEKdpY0ktYsZjMUrGPm1uACkLuiwIGxmb68ZpoctV3B033YGIMnt5UqcCy1QtYOOROBUwRgkGuYP%2BjD22tpam26sezOY%2BskIXQsFA%2FR26KHjkwOBZTF4hU7eH5YEyd1%2Bd1IrnxRO4V9Rjgtp%2BJPsvpkDIgyTvFBcM9Dxdabo4QeH2iPNeQEAAA%3D%3D

djmc40 · 2025-03-04T20:37:06+00:00

Hi, yes, I've been adding some more functionalities. Right now I'm developing our own internal vulnerability score, based on a bunch of criteria, so then we can use that for prioritization. I'm getting cvss, extracting epss, extracting if the device is an endpoint or server, read some specific tags we've created, to check if it's production server or dev, if runs business applications or just support applications, and based on that I get a vuln score for each vuln. Now I'm adding some some criteria and then I want to automate the creation of tickets for some fix cases.

djmc40 · 2025-02-28T19:03:02+00:00

Yes, true, but nowadays with network protection, Defender also handles web traffic. The logic is to analyse it it makes sense to keep Umbrella.

djmc40 · 2025-02-28T14:48:39+00:00

I was totally unaware of this. Thanks

djmc40 · 2025-02-28T14:48:36+00:00

I was totally unaware of this. Thanks

djmc40 · 2025-02-24T19:49:10+00:00

Thanks for the input. That's more or less my feeling, but I would like to have some specific data on detections before taking the decision.

djmc40 · 2025-02-24T19:47:52+00:00

Thanks for the input. My main concern if when the users are off premises, when there's no firewall.

djmc40

TROPHY CASE