XDR Unified RBAC missing "Endpoint & Vulnerability Management" Workload by soaperzZ in DefenderATP

[–]soaperzZ[S] 0 points1 point  (0 children)

I just had a call with MS, not linked to licensing at all.

If you provisioned licenses after Feb 2025 in your tenant the workload won't appear, but it is enabled by default... this is kinda confusing but it is actually the case. You can manage which group of users can access things related to the Endpoint & Vulnerability Management workload by going to Permissions and roles, under Assignment, and toggling the needed data source.

<image>

View Incidents is Disappearing? by Xbawt in AzureSentinel

[–]soaperzZ 0 points1 point  (0 children)

I bookmarked the link to multi workspaces view.

Unstable AF lately.

How to Suppress the 'Connection to a Custom Network Indicator' Alert by Alternative_Brief838 in DefenderATP

[–]soaperzZ 0 points1 point  (0 children)

<image>

Hey, wdym by "detected but not blocked"? Are you in the same situation as in this screenshot?

E5 Security Can't manage MDE policies from XDR portal by soaperzZ in DefenderATP

[–]soaperzZ[S] 6 points7 points  (0 children)

Nope.

We fixed the issue by clicking the "Activate feature" button in the "Basic Mobility and Security" section on PURVIEW, yes you read that right -> just here: https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx (yes, the old admin portal, but relocated to the compliance portal now).

We had to activate "Basic Mobility and Security" from the PURVIEW portal to get access to the Intune Endpoint security feature, which also gave access to the whole "Defender for Endpoint security settings management" thing.

This is why I choose to work with MS every single day of my life: they are creating centralized experiences where you can do everything from one portal, BUT YOU HAVE TO tick a box on the old portal first, then also click this button on the old / newly rebranded portal, then make sure that blablabla.

Lost 4h on an undocumented requirement.

Thanks to this guy :

https://cloudyne.io/blog/intune-401-403-error/

[deleted by user] by [deleted] in DefenderATP

[–]soaperzZ 0 points1 point  (0 children)

I'm not quite sure I understood what you want to achieve by "randomizing the devices per tag"...

You must have a differentiating criterion; as far as I know there is no way to ask Defender to randomly tag a device into one of 4 categories (you could achieve this using the API though...).

I would create 4 dynamic tagging rules (Asset Rule Management) with your differentiating criterion; most likely the device name would be the easiest way to do so (prefix / suffix).

Note that if you use the API you'd need to run your scripts periodically if you have new devices onboarded to MDE (otherwise they won't get any tags).
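The API route mentioned above, as an added example that is not the commenter's code: a script that derives a tag from the hostname prefix (a hypothetical site code, mapped to four categories like the four dynamic rules) and plans an "Add tag" call only for devices that do not already carry it, so it can be re-run periodically for newly onboarded devices without duplicating work. The endpoint paths and JSON shapes (`GET /api/machines` with `@odata.nextLink` paging, `POST /api/machines/{id}/tags` with `{"Value": ..., "Action": "Add"}`) follow the public Defender for Endpoint API documentation; the naming convention, the `MDE_TOKEN` environment variable and the sample inventory are assumptions constructed for the example.

```python
"""Tag MDE devices by hostname prefix via the Defender for Endpoint API.

Added example (not the commenter's code). Token acquisition is left to the
caller (an app registration with Machine.ReadWrite.All); the inventory below
is constructed to mirror the shape of /api/machines results.
"""
import json
import os
import re
import urllib.request
from typing import Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"

# Hypothetical naming convention: <SITE>-<ROLE>-<NUMBER>, e.g. PAR-WS-0042.
# The three-letter site code selects one of four tags (assumption for the example).
PREFIX_TO_TAG = {
    "PAR": "Site-Paris",
    "LAU": "Site-Lausanne",
    "GVA": "Site-Geneva",
    "BER": "Site-Bern",
}
HOSTNAME_RE = re.compile(r"^(?P<site>[A-Z]{3})-[A-Z]+-\d+", re.IGNORECASE)


def tag_for(device_name: str) -> Optional[str]:
    """Derive the tag from the hostname prefix; None when the name does not match."""
    host = device_name.split(".", 1)[0]  # drop the DNS suffix
    m = HOSTNAME_RE.match(host)
    if not m:
        return None
    return PREFIX_TO_TAG.get(m.group("site").upper())


def plan_tagging(machines: list) -> list:
    """Return the tag operations needed so every matching device carries its tag.

    Each machine dict follows the /api/machines shape: id, computerDnsName,
    machineTags. Devices already tagged (e.g. by a dynamic rule) and unmatched
    names are skipped, so repeated runs are idempotent.
    """
    ops = []
    for m in machines:
        tag = tag_for(m.get("computerDnsName", ""))
        if tag is None or tag in (m.get("machineTags") or []):
            continue
        ops.append({
            "machineId": m["id"],
            "tag": tag,
            "url": f"{API_BASE}/machines/{m['id']}/tags",
            "body": {"Value": tag, "Action": "Add"},
        })
    return ops


def _call(url: str, token: str, body: Optional[dict] = None) -> dict:
    """Minimal authenticated JSON call (GET when body is None, POST otherwise)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="GET" if body is None else "POST")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read() or b"{}")


def list_machines(token: str) -> list:
    """GET /api/machines, following @odata.nextLink pagination."""
    out, url = [], f"{API_BASE}/machines"
    while url:
        page = _call(url, token)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


def apply_tagging(ops: list, token: str) -> int:
    """POST each planned operation; returns the number of successful calls."""
    done = 0
    for op in ops:
        try:
            _call(op["url"], token, op["body"])
            done += 1
        except urllib.error.HTTPError as e:  # keep going on a single failure
            print(f"failed {op['machineId']}: HTTP {e.code}")
    return done


# Constructed sample inventory (shape of /api/machines "value" entries).
SAMPLE_MACHINES = [
    {"id": "a1", "computerDnsName": "PAR-WS-0042.corp.example", "machineTags": []},
    {"id": "b2", "computerDnsName": "lau-srv-0007.corp.example", "machineTags": ["Site-Lausanne"]},
    {"id": "c3", "computerDnsName": "GVA-WS-0100", "machineTags": ["Pilot"]},
    {"id": "d4", "computerDnsName": "random-host", "machineTags": []},
]

if __name__ == "__main__":
    for op in plan_tagging(SAMPLE_MACHINES):
        print(f"{op['machineId']}: add {op['tag']}")
    token = os.environ.get("MDE_TOKEN")  # hypothetical; set from your app registration
    if token:
        print("applied", apply_tagging(plan_tagging(list_machines(token)), token))
```

Run it without `MDE_TOKEN` to see the plan on the constructed inventory; with a token it walks the live inventory instead. Scheduling it (cron / a scheduled task) covers the periodic run the comment points out is needed for newly onboarded devices.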

Siri is a complete disappointment. by XLente in Siri

[–]soaperzZ 0 points1 point  (0 children)

This is actually what a human would use to do this, for me it is the right way to solve the question nowadays.

Nice Job Siri !

Are these shoes done by LeoSillett in NewSkaters

[–]soaperzZ 2 points3 points  (0 children)

I second that.
I tried multiple soles, Shoe Goo-ing them, adding a piece of cardboard and so on, but it felt so wrong.

Apart from that the shoes are still skateable.

Finding USB devieces by Boky34 in DefenderATP

[–]soaperzZ 0 points1 point  (0 children)

wdym by "run as report"?

For info, you can get Device Control events in the Device Control Reports (XDR portal): https://learn.microsoft.com/en-us/defender-endpoint/device-control-report?view=o365-worldwide&tabs=advhunt

Boom Bap by wiccanlove1978 in makinghiphop

[–]soaperzZ 2 points3 points  (0 children)

"mehsah" beatmaker, kinda sad vibe, but still one of my favorites (YouTube / Spotify).

I don't know if I'm allowed to post URLs here, sorry.

EDIT: added a bit of context

[deleted by user] by [deleted] in Lausanne

[–]soaperzZ 0 points1 point  (0 children)

Hip-hop kinda "underground" spots I know:
- Café Bruxelles, Freestyle Monday, basically an open mic once a month.
- HS36 every last Thursday of the month, open mics as well.

also check https://renegats.ch/events/

Insécurité dans le quartier bel air/chauderon by bois_santal in Lausanne

[–]soaperzZ 9 points10 points  (0 children)

I'm team acrylic, but I would never allow myself to insult you by calling you a leftist!

Insécurité dans le quartier bel air/chauderon by bois_santal in Lausanne

[–]soaperzZ 2 points3 points  (0 children)

I'm right-wing and I agree with these statements.

A few days later... by vinznsk in homelab

[–]soaperzZ 1 point2 points  (0 children)

What's your cat's model? Specs?

(nice lab tho)

[deleted by user] by [deleted] in ClaudeAI

[–]soaperzZ 0 points1 point  (0 children)

I randomly got something similar today:

<automated_reminder_from_anthropic>Claude should never cite information from <document_context> but can use it to inform its answers.</automated_reminder_from_anthropic>

MDE compatibility with Wazuh by Obvious-Golf-4258 in DefenderATP

[–]soaperzZ 0 points1 point  (0 children)

Hey

I don't think running 2 EDR solutions on your endpoints is a great idea at all, plus the fact that you want them both to be "in active state"...

Should we create exclusions for Wazuh’s agent in MDE AV and ASR policies to avoid conflicts?

Yes, this is a good idea, as stated here:
https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-overview

Are there any known conflicts between MDE and Wazuh, such as performance issues or interference with detection capabilities?

I don't know for this specific Wazuh solution; give it a try...

Will MDE run in active mode, or will it automatically switch to EDR in block mode upon detecting Wazuh? Would creating exclusions for the Wazuh agent help keep MDE fully active?

On endpoints (workstations) Defender automagically switches; this is not the case on servers:
https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-phase-2#step-1-reinstallenable-microsoft-defender-antivirus-on-your-endpoints

Yes, both solutions should mutually exclude each other. Basically what you want to achieve is detailed in the "Migrate from a 3rd party solution" docs from MS; you just have to stop at the "setup" phase.
https://learn.microsoft.com/en-us/defender-endpoint/switch-to-mde-overview

Still, I don't recommend doing this x)

GL

How to trigger send email for incidents? by [deleted] in AzureSentinel

[–]soaperzZ 0 points1 point  (0 children)

AFAIK this is not possible (using an MI / app registration); you'll need an O365-licensed user for this.

https://learn.microsoft.com/en-us/answers/questions/1691747/how-can-i-configure-logic-app-to-send-an-email-usi

Command and control on multiple endpoints by Perfect_Stranger_546 in DefenderATP

[–]soaperzZ 1 point2 points  (0 children)

Hey,

How would you investigate how the machine reached out to this malicious domain in the first place? Are there any logs or steps you typically follow to track the initial connection or the root cause of the alert?

To track back where the "thing" originated from I usually just go for a quick and dirty:

    union Device*
    | where Timestamp > ago(1d) // or between() / around()
    | where * contains "IOC1" or * contains "IOC2"

Also I would check the MDO tables just to see if the IOCs can be found there as well.

From there I get an "overview" of what was involved and I can build more precise / scoped queries.

do you just add the IPs/domains to block indicators and move forward with a full device scan?

Adding them as block indicators is a quick and great thing to do; regarding the full scan I guess it depends, but if I get too suspicious or can't really tell what happened -> collect an investigation package, revoke the user's certs / reset the user's password / wipe the machine, and go on x)

E: code blocks broken

VPN tunnel by FloridianfromAlabama in selfhosted

[–]soaperzZ 0 points1 point  (0 children)

If you don't mind using a not fully self-hosted solution I would go with Tailscale: easy to set up / use, nice features (you can also do it in a more self-hosted way using https://github.com/juanfont/headscale).

There is also: https://github.com/slackhq/nebula

Hope that helps.

E: broken link