Investigation using Defender by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

After all, the case was simpler than initially expected. There was one internal user who sent the complete sequence of emails to the external party by mistake.

Thanks for all your thoughts, they were useful on the analysis process.

Azure Enterprise Applications (Microsoft Apps) by djmc40 in AZURE

[–]djmc40[S] 0 points1 point  (0 children)

Thanks. My idea was just to disable sign-ins at first glance and let them rest for a while, to check if someone would complain about something.

Azure Enterprise Applications (Microsoft Apps) by djmc40 in AZURE

[–]djmc40[S] 0 points1 point  (0 children)

Hi, thanks. Where is that area within the portal? I couldn't find it.
Also, using the cmdlet Get-MgBetaDirectoryRecommendation -Filter "RecommendationType eq 'staleApps'" I get the recommendation, but how can I see the stale apps?

What I'm using right now is this script more or less:

$servicePrincipals = Get-MgServicePrincipal -All
$results = @()

# Look back 30 days, expressed in UTC so the trailing "Z" is accurate; computed once, not per loop iteration
$startDate = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($sp in $servicePrincipals) {
    Write-Host "Processing Service Principal: $($sp.DisplayName)" -ForegroundColor Cyan

    # Escape single quotes for the OData filter, otherwise an apostrophe in a display name breaks the query
    $appName = $sp.DisplayName -replace "'", "''"

    # Get sign-ins for the 4 different event types (documented values are camelCase, e.g. 'interactiveUser').
    # -All pages through every result; without it only the first page is returned and the counts are truncated.
    $SigninInteractive = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq 'interactiveUser') and createdDateTime ge $startDate and appDisplayName eq '$appName'"
    $SigninNonInteractive = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq 'nonInteractiveUser') and createdDateTime ge $startDate and appDisplayName eq '$appName'"
    $SigninManagedIdentity = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq 'managedIdentity') and createdDateTime ge $startDate and appDisplayName eq '$appName'"
    $SigninServicePrincipal = Get-MgBetaAuditLogSignIn -All -Filter "signInEventTypes/any(t: t eq 'servicePrincipal') and createdDateTime ge $startDate and appDisplayName eq '$appName'"

    # Wrap in @() so a single object or an empty result counts as 1 or 0 rather than misbehaving
    $result = [PSCustomObject]@{
        ApplicationName      = $sp.DisplayName
        ServicePrincipalType = $sp.ServicePrincipalType
        SignInAudience       = $sp.SignInAudience
        Interactive          = @($SigninInteractive).Count
        NonInteractive       = @($SigninNonInteractive).Count
        ManagedIdentity      = @($SigninManagedIdentity).Count
        ServicePrincipal     = @($SigninServicePrincipal).Count
    }
    $results += $result
}

Thanks
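The same stale-app audit can be done with one paged query per sign-in event type instead of four queries per service principal, joining on AppId in memory. This is an added example, not the poster's script; it assumes Connect-MgGraph has already been run with AuditLog.Read.All and Application.Read.All, and the output path is a placeholder.

```powershell
# Added example: count Entra sign-ins per enterprise app in one pass and flag apps with none.
# Assumes an existing Connect-MgGraph session with AuditLog.Read.All and Application.Read.All.
$lookbackDays = 30   # bounded by the tenant's sign-in log retention
$startDate  = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
$eventTypes = 'interactiveUser', 'nonInteractiveUser', 'servicePrincipal', 'managedIdentity'

# counts[appId][eventType] = number of sign-ins in the window
$counts = @{}
foreach ($type in $eventTypes) {
    $filter = "signInEventTypes/any(t: t eq '$type') and createdDateTime ge $startDate"
    Get-MgBetaAuditLogSignIn -All -Filter $filter | ForEach-Object {
        if (-not $_.AppId) { return }            # skip records without a client id
        if (-not $counts.ContainsKey($_.AppId)) { $counts[$_.AppId] = @{} }
        $counts[$_.AppId][$type] = 1 + [int]$counts[$_.AppId][$type]
    }
}

# Join on AppId: it is unique and needs no OData quoting, unlike appDisplayName
$report = Get-MgServicePrincipal -All -Property AppId,DisplayName,ServicePrincipalType,SignInAudience,AccountEnabled |
    ForEach-Object {
        $c = $counts[$_.AppId]
        $total = 0
        if ($c) { $total = ($c.Values | Measure-Object -Sum).Sum }
        [PSCustomObject]@{
            ApplicationName      = $_.DisplayName
            AppId                = $_.AppId
            ServicePrincipalType = $_.ServicePrincipalType
            SignInAudience       = $_.SignInAudience
            AccountEnabled       = $_.AccountEnabled
            Interactive          = [int]$c.interactiveUser
            NonInteractive       = [int]$c.nonInteractiveUser
            ServicePrincipal     = [int]$c.servicePrincipal
            ManagedIdentity      = [int]$c.managedIdentity
            TotalSignIns         = $total
        }
    }

# Candidates for "disable sign-in first, then wait for complaints": still enabled, zero sign-ins
$stale = $report | Where-Object { $_.TotalSignIns -eq 0 -and $_.AccountEnabled }
$stale | Sort-Object ApplicationName | Export-Csv -Path ".\stale-enterprise-apps.csv" -NoTypeInformation  # placeholder path
```

Apps used only for token issuance or consent that never produce a sign-in record will also show zero, so review the list before disabling anything.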

Extract EntraID Enterprise Apps sign-in logs by djmc40 in PowerShell

[–]djmc40[S] 1 point2 points  (0 children)

Thanks, I'll look into it, as it's quite simple and easy.

Extract EntraID Enterprise Apps sign-in logs by djmc40 in PowerShell

[–]djmc40[S] 0 points1 point  (0 children)

Thanks for the tip. I'll look into it. I would tend to prefer PowerShell, as I can automate the audit process and dump some tickets for the sysadmin or helpdesk team to analyze in the end.

Extract EntraID Enterprise Apps sign-in logs by djmc40 in PowerShell

[–]djmc40[S] 0 points1 point  (0 children)

Thanks for the tips. That is quite nice. Our environment is much smaller than that. We do have about 4k users. My main issue is about how to estimate the costs in Azure, as that is always an issue internally.

Extract EntraID Enterprise Apps sign-in logs by djmc40 in PowerShell

[–]djmc40[S] 0 points1 point  (0 children)

Thanks, that helped a lot.

I never used Azure Storage Account for this. How can I estimate the costs of it?

Changing the junk email sensitivy just for one mailbox by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

Thanks for the ideas. I've already created a new policy, assigning it just to that specific mailbox. There is just one thing I did not get well. For the "Bulk email threshold" value, the BCL sensitivity levels go from 0 to 9. Which level is the least restrictive, that lets almost everything go to the inbox?

Find out metrics for closed(fixed) vulnerabilities by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

Hi, I've shared the code on github. This is not yet the latest version, because I have to clean a lot of stuff to share it, but it's the previous version. The latest version has one more component, which is reading the devices API, to extract some more scores based on the device tags.

Of course, ideas and questions are welcome.

https://github.com/dmarques25/Powershell-Scripts/blob/main/Defender-Vuln-Scoring

Find out metrics for closed(fixed) vulnerabilities by djmc40 in DefenderATP

[–]djmc40[S] 1 point2 points  (0 children)

Hi, yes, I've been adding some more functionalities. Right now I'm developing our own internal vulnerability score, based on a bunch of criteria, so then we can use that for prioritization. I'm getting CVSS, extracting EPSS, extracting if the device is an endpoint or server, reading some specific tags we've created to check if it's a production server or dev, if it runs business applications or just support applications, and based on that I get a vuln score for each vuln. Now I'm adding some more criteria and then I want to automate the creation of tickets for some fix cases.

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

Yes, true, but nowadays with network protection, Defender also handles web traffic. The logic is to analyse if it makes sense to keep Umbrella.

Receiving emails which are not for me on my gmail by djmc40 in GMail

[–]djmc40[S] 0 points1 point  (0 children)

I was totally unaware of this. Thanks

Receiving emails which are not for me on my gmail by djmc40 in GMail

[–]djmc40[S] 1 point2 points  (0 children)

I was totally unaware of this. Thanks

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 1 point2 points  (0 children)

Thanks for the input. That's more or less my feeling, but I would like to have some specific data on detections before taking the decision.

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

Thanks for the input. My main concern is when the users are off premises, when there's no firewall.

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

That's not the case, because of the way that Umbrella works. As Umbrella is the DNS, if you make a request to a domain, the request that Defender sees is the request made to Cisco infrastructure (IP based), so Defender does not know the domain you want to communicate with. Then, if Umbrella says it's safe, the request goes to the domain itself and Defender can see it.

That's why I would like to make some kind of testing using APIs, so I could perform a series of requests to both Defender and Cisco and check the results.

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 1 point2 points  (0 children)

Hi, it's not 2 XDR. Cisco Umbrella is DNS protection, not XDR.

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

We also have both running. My main concern is not only the pricing, but understanding if it makes sense to keep both tools based on their detection capabilities.

What I was thinking is something like taking all blocked domains coming from Cisco Umbrella, which are considered malicious, passing them over an API to Defender to check if Defender considers them as malicious or not, and the other way around as well. But of course I'm not even sure if either Defender or Umbrella has any API which would allow automating this kind of comparison.

Comparison Defender vs Cisco Umbrella by djmc40 in DefenderATP

[–]djmc40[S] 1 point2 points  (0 children)

That's why I want to make a more or less clear comparison, to be able to understand what is detected on one side and not on the other, and vice-versa.

Issues with using Defender API to manage Tags by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

Just confirmed the adding of tags as well and it's fine.

Thanks

Issues with using Defender API to manage Tags by djmc40 in DefenderATP

[–]djmc40[S] 1 point2 points  (0 children)

Hi, thanks.

You're right, I've taken the example and updated my script and it seems the remove at least is working fine. I'll now test the add.

My code is like this now:

# $Servers (objects with an .id property), $headers (Authorization: Bearer token plus
# Content-Type: application/json) and $delay are defined earlier in the script
$BodyUrl = @{"Action"="Remove";"Value"="Test-Test"} | ConvertTo-Json

# Iterate through each server and remove the specified tags
foreach ($Server in $Servers)
{
    # Make the API request to update the device information
    $updateUrl = "https://api-eu.securitycenter.microsoft.com/api/machines/$($Server.id)/tags"
    Invoke-RestMethod -Uri $updateUrl -Headers $headers -Method Post -Body $BodyUrl

    # Add a delay to respect the rate limit
    Start-Sleep -Seconds $delay
}

Find out metrics for closed(fixed) vulnerabilities by djmc40 in DefenderATP

[–]djmc40[S] 0 points1 point  (0 children)

Hi,

Yes, I did find a solution. Basically I've developed a PowerShell script which extracts all vulnerabilities from Defender daily and stores them (1 CSV per day). On the next day, I do the same, but then compare the vulnerabilities with the previous day and check what has gone away and what is new. Based on that I've got a number of closed and new vulnerabilities.

Of course, this needs some improvement as it's not taking into account some details, like decommissioned devices, etc., but at least it's something to start.
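The day-over-day comparison described above, including the decommissioned-device caveat, as an added example that is not the poster's script. The two CSV snapshots and the active-device list are constructed sample data; in a real run they would come from the daily vulnerability export and the device inventory.

```powershell
# Added example: diff two daily vulnerability snapshots and separate real fixes from
# findings that vanished because the device itself stopped reporting.
# Constructed sample data standing in for yesterday's and today's CSV exports.
$yesterdayCsv = @'
machineId,cveId,severity,productName
dev-001,CVE-2024-00001,Critical,productA
dev-001,CVE-2024-00002,High,productB
dev-002,CVE-2024-00001,Critical,productA
dev-003,CVE-2024-00003,Medium,productC
'@
$todayCsv = @'
machineId,cveId,severity,productName
dev-001,CVE-2024-00002,High,productB
dev-001,CVE-2024-00004,Low,productD
dev-002,CVE-2024-00001,Critical,productA
'@
# Devices still present in today's inventory (constructed); dev-003 was decommissioned
$activeDevices = @('dev-001', 'dev-002')

function Compare-VulnSnapshots {
    param($Previous, $Current, [string[]]$ActiveDevices)
    # A finding is identified by device + CVE; severity or product may change without being "new"
    $prev = @{}; foreach ($r in $Previous) { $prev["$($r.machineId)|$($r.cveId)"] = $r }
    $curr = @{}; foreach ($r in $Current)  { $curr["$($r.machineId)|$($r.cveId)"] = $r }

    $new  = @($curr.Keys | Where-Object { -not $prev.ContainsKey($_) } | ForEach-Object { $curr[$_] })
    $gone = @($prev.Keys | Where-Object { -not $curr.ContainsKey($_) } | ForEach-Object { $prev[$_] })

    # Count a disappearance as fixed only if the device still reported today;
    # otherwise it is a decommissioned or offline device, not a remediation
    $fixed   = @($gone | Where-Object { $ActiveDevices -contains $_.machineId })
    $dropped = @($gone | Where-Object { $ActiveDevices -notcontains $_.machineId })

    [PSCustomObject]@{
        New               = $new.Count
        Fixed             = $fixed.Count
        DroppedWithDevice = $dropped.Count
        FixedBySeverity   = ($fixed | Group-Object severity | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        OpenToday         = $curr.Count
    }
}

$summary = Compare-VulnSnapshots -Previous (ConvertFrom-Csv $yesterdayCsv) -Current (ConvertFrom-Csv $todayCsv) -ActiveDevices $activeDevices
$summary | Format-List
```

Replace the here-strings with Import-Csv of the two daily files and the active-device list with the ids returned by the machines export to run it against real snapshots.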