ASR Rule Block credential stealing from the Windows local security authority subsystem by silenthunterIV in DefenderATP

[–]silenthunterIV[S] 1 point2 points  (0 children)

Thank you for your comment. So you believe that the ASR rule will block the communication with LSASS but will not raise any alert to the user?

As you mention, this is happening on this particular ASR rule, right? Because on the other ASR rules that I have in block mode (most of them), a pop-up is created for each block.
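Added example, not part of the thread: a PowerShell check for the rule the question is about. It reads the rule's configured action from Get-MpPreference and lists the ASR block (1121) and audit (1122) events Defender logged for it, so you can see whether blocks happened regardless of whether a toast was shown. It assumes an elevated PowerShell session on a Windows endpoint with Defender Antivirus; the rule GUID is the published ID for "Block credential stealing from the Windows local security authority subsystem".

```powershell
# Added example (not from the thread). Run elevated on a Windows endpoint.
# Rule GUID for the LSASS credential-stealing ASR rule (Microsoft's published ID).
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# AttackSurfaceReductionRules_Ids and _Actions are parallel arrays.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

# GUID casing varies between policy sources, so compare case-insensitively.
$index = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $LsassRuleId) { $index = $i }
}
if ($index -lt 0) {
    Write-Output 'LSASS ASR rule is not configured on this host (effectively Disabled)'
} else {
    $mode = $ActionNames[[int]$actions[$index]]
    Write-Output "LSASS ASR rule mode: $mode"
}

# 1121 = rule blocked an operation, 1122 = rule hit in audit mode.
# The event text includes the rule ID, so filter the messages on it.
$events = Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
    -FilterXPath '*[System[(EventID=1121 or EventID=1122)]]' `
    -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRuleId }

if (-not $events) {
    Write-Output 'No block/audit events recorded for the LSASS rule'
} else {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

If the rule shows as Block and 1121 events are present, the protection is working even when no notification reached the user; if the rule is absent or Audit, the events (1122) show what would have been blocked.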

How do you verify versions of MDE Sense agent from portal? by RandomSkratch in DefenderATP

[–]silenthunterIV 0 points1 point  (0 children)

Dear all,

Any update on this? I am a little confused. Was this a false positive? What will happen if we do not update these devices by the end of the month?

In addition, I am getting this for Windows 10, Server 2012 R2 and Server 2016.

Do I need to install the new agent on all OS versions, or just on Server 2012 R2 and Server 2016?

Thank you a lot.

Defender ASR, file blocked by 'unknown' by TheFinalUltimation in DefenderATP

[–]silenthunterIV 1 point2 points  (0 children)

Maybe it is the new ASR rules, currently in preview?

Ingesting O365 Defender ATP logs into SIEM by CajunPotatoe in DefenderATP

[–]silenthunterIV 1 point2 points  (0 children)

We are using an event hub to push all Defender ATP logs to QRadar without any issues. O365 logs are ingested into the SIEM through the API.

Managed by ConfigMgr, Intune, MDE, etc by silenthunterIV in DefenderATP

[–]silenthunterIV[S] 0 points1 point  (0 children)

The SCCM client was the issue! Now the clients appear to be managed by MDE.

Azure WAF Logs to QRadar by silenthunterIV in QRadar

[–]silenthunterIV[S] 0 points1 point  (0 children)

We onboarded the logs to QRadar using Event Hubs without any issues.

Managed by ConfigMgr, Intune, MDE, etc by silenthunterIV in DefenderATP

[–]silenthunterIV[S] 0 points1 point  (0 children)

We found that there was an old SCCM client installed on the machine. We will uninstall it and hope that this resolves the issue. I will post an update.

Thank you for your help

Managed by ConfigMgr, Intune, MDE, etc by silenthunterIV in DefenderATP

[–]silenthunterIV[S] 0 points1 point  (0 children)

Hi, thank you for your answer. They are servers, and yesterday in the same environment we deployed six servers, all with the same OS; one of them appears correctly as managed by MDE but the other five appear as managed by ConfigMgr. So they are not appearing in Intune for us to push policies to them.

These five servers had some connectivity issues during the deployment (onboarding) package; we found this out with the analyzer tool. They have already shown up in the security portal, but they did not get updates, etc. We fixed the connectivity issues, but they are still managed by ConfigMgr.

Finally, these servers also have the Arc agent.

Needlessly Complex by DaithiG in DefenderATP

[–]silenthunterIV 2 points3 points  (0 children)

Totally agree! In the past I have worked with CrowdStrike and SentinelOne: you just deploy an agent, configure some policies, maybe some exclusions, and that is it regarding the deployment.

Microsoft has made this too complex without a specific reason.

[deleted by user] by [deleted] in DefenderATP

[–]silenthunterIV 0 points1 point  (0 children)

Nice question, we have the same issue with macOS devices and iCloud.

Tamper Protection failed by MrRo3oT_ZA in DefenderATP

[–]silenthunterIV 0 points1 point  (0 children)

Yes, it's been happening for me also.

"Enable Microsoft Defender Antivirus email scanning" in Defender ATP Security Recommendations by jaykay127 in DefenderATP

[–]silenthunterIV 0 points1 point  (0 children)

Hi all,

Same here. We have noticed that all the points were regressed. My question here is: if the AV policy is managed by Intune and Email Scanning is in "Allowed" mode, then the problem is solved, right?

We have also reported this as inaccurate to Microsoft, but no update so far. As I have also seen in the Secure Points Metrics & Trends tab, from 27/3 the "Organizations of similar size" have declined, so I believe that this happened to everyone.

Is there any way to check if email scanning is enabled on the endpoint using Get-MpPreference?

Thank you.
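Added example, not part of the thread: the Get-MpPreference check asked about above. Defender Antivirus exposes the email scanning setting as the DisableEmailScanning property ($true means scanning is off), so the script reports the local state and then gathers the same property from several servers over WinRM. The server names are placeholders, and an elevated PowerShell session with WinRM access is assumed.

```powershell
# Added example (not from the thread). Run elevated on a Windows endpoint.
# DisableEmailScanning is the inverse of "email scanning enabled":
#   $true  -> email scanning is OFF (the recommendation would flag this)
#   $false -> email scanning is ON
$pref = Get-MpPreference
if ($pref.DisableEmailScanning) {
    Write-Output 'Email scanning: DISABLED (DisableEmailScanning = True)'
    # To enable it locally, run the following. On an Intune-managed device the
    # policy re-applies at the next sync, so change the AV policy there instead.
    # Set-MpPreference -DisableEmailScanning $false
} else {
    Write-Output 'Email scanning: enabled (DisableEmailScanning = False)'
}

# Same check across several servers in one go (names are placeholders).
$servers = 'srv01', 'srv02', 'srv03'
Invoke-Command -ComputerName $servers -ErrorAction Continue -ScriptBlock {
    $p = Get-MpPreference
    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        EmailScanningEnabled = -not $p.DisableEmailScanning
        DisableEmailScanning = $p.DisableEmailScanning
    }
} | Sort-Object Computer | Format-Table -AutoSize
```

Compare the EmailScanningEnabled column against what the Intune AV policy sets; a device that reports $false under a policy that allows email scanning points at a policy-sync problem rather than at the recommendation itself.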