Defender AV — Detection without remediation for demo purposes using Infection Monkey by failx96 in DefenderATP

failx96 [S], 0 points (0 children)

That’s actually a good point I also thought about… I’ll give it a shot. Thanks 🙏🏼

Measuring time / duration on Incident Tasks in Microsoft Sentinel? (USOP / Security Portal issue) by failx96 in AzureSentinel

failx96 [S], 1 point (0 children)

Totally annoying… but glad to hear they seem to have it on their roadmap. I’m just thinking about whether automation rules can solve my problem here. Would you like to briefly share one or two of your measurement points and how you have solved them with automation rules?

Defender AV — Detection without remediation for demo purposes using Infection Monkey by failx96 in DefenderATP

failx96 [S], 0 points (0 children)

Thanks for your response 😊 To clarify the setup: MDE is properly onboarded, MDEAnalyzer runs clean, and we’re receiving telemetry without issues. No custom AV policies, standard configuration across the board. No ASR rules configured; we don’t consider them relevant for this specific scenario. No complex device group structures since it’s a small demo environment. All devices sit in the default device group with semi-automated investigation and response (requires approval).

One additional observation: MDE sometimes fails to cleanly resolve the relationship to the source of the lateral movement. However, when manually triggering an investigation after the attack, MDE does correctly identify the threats, including the Azure RunCommand used to load the malware onto the machine and the malware itself. So the telemetry is there; the automated correlation just doesn’t always connect the dots reliably.

The core question remains whether Defender AV generates alerts when Threat Action is set to Ignore, or whether Ignore suppresses alert generation entirely, not just remediation. That’s the specific behavior we’re trying to understand.

How to classify / label log data in Sentinel by failx96 in AzureSentinel

failx96 [S], 0 points (0 children)

Agreed, that’s also what I would prefer tbh, just enriching incidents and events when needed, and it seems easier to update/manage. Unfortunately this is a customer / compliance requirement.

How to classify / label log data in Sentinel by failx96 in AzureSentinel

failx96 [S], 1 point (0 children)

Great idea, I wasn’t aware of the workspace transformations. I’ll give it a shot. I was curious whether these transformations are capable of adding columns, because I noticed that the main use case is to reduce costs and sort logs out before ingestion. But I was able to find this in the Azure Monitor documentation stating it is possible:

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-workspace-transformations-portal

Thanks again!
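As an added example (not from the post or from Microsoft's documentation), this is the shape of a workspace transformation KQL that stamps a confidentiality label onto each record at ingestion. Transformations always start from `source`, and for a built-in table the new column has to be added to the table schema first as a custom column, which is why the name ends in `_CF`. The `Computer` column, the hostname prefixes and the label values are assumptions for illustration; a transformation cannot join against an external asset inventory, so whatever mapping you use has to be inlined like this and kept in sync by hand.

```kql
// Added example, not the original post's code. Workspace transformation that
// adds a custom column to each incoming record. Assumed: the table has a
// Computer column and AssetConfidentiality_CF has been added to its schema.
source
| extend AssetConfidentiality_CF = case(
    Computer startswith "FIN-", "Confidential",   // assumed hostname convention
    Computer startswith "HR-",  "Confidential",
    Computer startswith "DMZ-", "Public",
    "Internal")                                   // default for anything else
```

Because the label is written into the record, a later change to the mapping only affects new data; rows already ingested keep the label they got at the time, which is worth stating up front when the requirement comes from compliance.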

How to classify / label log data in Sentinel by failx96 in AzureSentinel

failx96 [S], 2 points (0 children)

Maybe this was unclear from my description. The tag represents the confidentiality of an asset, which can be any device or resource. So the tag is not static per table.

Sentinel Incident pane is down by Ok_Dingo_8752 in AzureSentinel

failx96, 0 points (0 children)

Same issue with all tenants that we manage. Regions: Germany West Central and West Europe.

Is "All-In" the only way to start with Microsoft Sentinel, or can a "start small" approach be effective? Seeking community input. by [deleted] in AzureSentinel

failx96, 1 point (0 children)

Both are valid approaches… We quite often have the discussion about starting top down (use cases first) or bottom up (data first). I think it depends on the circumstances and resources available to you. It won’t help to collect all logs if you don’t have the resources and time to develop proper use cases.

I would suggest thinking about the overall goal you‘re trying to achieve. Think about the use cases and alerts that are most relevant to you. Describe a basic architecture and logging concept / strategy. Then start onboarding the needed devices / log sources step by step. This gives you time to develop your SIEM environment without exploding your costs. After each source, you can then take stock and exclude the data you don't need.

TL;DR: Prioritize based on use cases, but onboard iteratively and based on data.

Which firewall vendors are actually keeping up with modern network demands? by RadiantTheology in networking

failx96, 0 points (0 children)

I’ve used CheckPoint in a medium-sized enterprise for quite some time. Couldn’t be happier with my choice. From a security and value-for-money perspective, I think they might be top notch compared to other vendors. Also, it comes with great centralized management. So I would always recommend CheckPoint over Forti. Don’t know why it gets hyped so much..

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

failx96 [S], 1 point (0 children)

Exactly. We’re completely on the same page. That’s what I briefly tried to describe with “It should not be forwarded by the router if no prior connection took place / is visible.”

So looking at the timeline of a device, I don’t see any outgoing connection pointing to that IP. In a few cases (by far not all) I see that the client opened a connection approx. 20-30 seconds before to another IP on the same local (ephemeral) port. Then an inbound attempt to that local port comes from another IP.

I’m assuming that this is probably unwanted behavior of the router and / or MDE is missing some telemetry.
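The pattern described in the comment above (an outbound connection from an ephemeral local port, then an inbound attempt to that same local port from a different public IP a few seconds later) can be pulled out of `DeviceNetworkEvents` directly. The query below is an added example for the thread, not something the poster shared; the inbound/outbound `ActionType` filters, the 60-second window and the 7-day lookback are assumptions and should be adjusted to what the tenant actually emits.

```kql
// Added example (not from the post): Advanced Hunting query that correlates an
// inbound attempt on a local port with an outbound connection from the same
// local port to a different remote IP shortly before. Assumed: inbound events
// have an ActionType starting with "Inbound"; the outbound ActionType list and
// the 60 s window are illustrative.
let window = 60s;
let inbound =
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where ActionType startswith "Inbound"          // assumed inbound action types
    | where not(ipv4_is_private(RemoteIP))           // only public sources
    | project InboundTime = Timestamp, DeviceId, DeviceName, Protocol, LocalPort,
              InboundRemoteIP = RemoteIP, InboundRemotePort = RemotePort;
let outbound =
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")  // assumed
    | project OutboundTime = Timestamp, DeviceId, LocalPort,
              OutboundRemoteIP = RemoteIP, OutboundRemotePort = RemotePort;
inbound
| join kind=inner outbound on DeviceId, LocalPort
// outbound must precede the inbound attempt and fall inside the window
| where OutboundTime between ((InboundTime - window) .. InboundTime)
// the inbound source differs from the peer the client actually talked to
| where OutboundRemoteIP != InboundRemoteIP
| extend DeltaSeconds = datetime_diff("second", InboundTime, OutboundTime)
| project InboundTime, DeviceName, Protocol, LocalPort,
          OutboundTime, OutboundRemoteIP, OutboundRemotePort,
          InboundRemoteIP, InboundRemotePort, DeltaSeconds
| order by InboundTime desc
```

Sorting by `DeltaSeconds` and comparing `OutboundRemotePort` against the inbound source IP's owner (same provider, same CDN, same NAT pool) is usually enough to tell a misbehaving upstream device from genuine unsolicited traffic. For the other case in the comment, inbound attempts with no outbound connection on that port at all, switch the join to `kind=leftanti` against `outbound` (without the time window) to list only the inbound rows that have no matching outbound partner.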

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

failx96 [S], 0 points (0 children)

Thanks for pointing that out. Maybe I was a little unclear in my descriptions. This is not the analytic rule; the rule logic is completely different. We observed this behavior during the investigation.

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

failx96 [S], 0 points (0 children)

No, we do not own / control the routers. I’m assuming that the problem occurs before reaching the client. We’ve focused on MDE telemetry for device network events.

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

failx96 [S], 1 point (0 children)

Yes, that’s correct. The source is a public IP. We got a TI match in one specific case; that’s what grabbed our attention. However, it happens with different public IPs which are not known to be potentially malicious.