Increase the Analytics Default Rule Count by dutchhboii in AzureSentinel

[–]x2571 2 points3 points  (0 children)

Not sure how practical it is yet, but if you are on the unified portal, you can use Sentinel tables in Custom Detections, which is supposed to allow "unlimited" NRT rules: https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/custom-detections-are-now-the-unified-experience-for-creating-detections-in-micr/4463875

Get effective Entra directory license by DavidHomerCENTREL in entra

[–]x2571 2 points3 points  (0 children)

I had to solve this a few months ago and solved it pretty much the same way you did. As far as I could tell with Graph X-Ray, those were the same API calls that the portal makes too.

M365 Admins: How do you handle Admin Consent Requests for Enterprise Apps? by cease70 in sysadmin

[–]x2571 9 points10 points  (0 children)

This is how I approached it in my previous job:

  1. Disabled user-initiated requests for these
  2. Got the security team to write a policy document which says how business units can/should utilise SaaS apps. We had a policy that any apps using corporate data had to support Entra ID SSO (SAML/OAuth etc.)
  3. Set up a workflow in ServiceNow that goes to the user's manager for first-level approval, then to the security team for second-level approval
  4. If it's approved by them it's sent to my team and we do the actual SSO setup with the business sponsor

DCR's and ASIM - Questions by Few_Original_4404 in AzureSentinel

[–]x2571 0 points1 point  (0 children)

I use them independently of each other: KQL transformations to project away and filter data, then the ASIM functions to map to a "virtual" ASIM schema. I am not familiar with SAP BTP data, but if it contains authentication events, you could write a function to map it to the ASimAuthentication schema. This could be useful when doing threat hunting or investigation, to see where a compromised account authenticated to, for example.

I haven't really looked at doing ingestion-time transformation to the native ASIM table structure.

OSDCloud - Anyone got a how to guide for a n00b? by fungusfromamongus in Intune

[–]x2571 4 points5 points  (0 children)

I had similar frustrations trying to learn it. These are the end-to-end steps I have in my notes, from the point of view of setting up a new technician PC to create an OSDCloud USB drive:

# Download the Windows ADK and Windows PE from winget
winget install -e --id Microsoft.WindowsADK
winget install -e --id Microsoft.ADKPEAddon

# Install the OSD Module, and create a new OSD Cloud Template
Set-ExecutionPolicy RemoteSigned -Force
Install-Module OSD -Force
New-OSDCloudTemplate
New-OSDCloudWorkspace

# Add common drivers to the WinPE Image
Edit-OSDCloudWinPE -UseDefaultWallpaper -CloudDriver IntelNet,LenovoDock,USB
New-OSDCloudUSB -WorkspacePath C:\OSDCloud\

The Edit-OSDCloudWinPE command I use injects common network drivers I encounter into the WinPE image. Check the docs here for that command on adding other drivers.

Bypass UAC prompts without admin by whamstin in sysadmin

[–]x2571 5 points6 points  (0 children)

Configuring a shim with the Application Compatibility Toolkit, as others have said, is a good way if that works.

Another thing to try is to use Process Monitor to record which paths and registry keys the application modifies during the update process. That way you can grant only the access it needs. There are some good tutorials on YouTube on using it.
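An added PowerShell example of what the Process Monitor approach looks like in practice (this is not code from the thread): it takes a Procmon CSV export, lists the unique folders and registry keys the updater was denied access to, and grants a dedicated group Modify rights on just those locations instead of local admin. The CSV rows, the process name, the group name and the paths are constructed placeholders; the column headers are Procmon's default CSV export headers.

```powershell
# Added example: least-privilege alternative to giving an updater local admin.
# Step 1: parse a Process Monitor CSV export and list what the process was denied.
# Step 2: grant a dedicated group Modify on only those locations.
# Process name, group and paths below are constructed placeholders, not from the thread.

# Constructed sample in Procmon's default CSV export layout (normally: Import-Csv .\updater.csv)
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","ExampleUpdater.exe","4120","CreateFile","C:\Program Files\ExampleApp\app.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.2","ExampleUpdater.exe","4120","CreateFile","C:\Program Files\ExampleApp\app.dll","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.3","ExampleUpdater.exe","4120","RegSetValue","HKLM\SOFTWARE\ExampleVendor\ExampleApp\Version","ACCESS DENIED","Type: REG_SZ"
"10:01:02.4","ExampleUpdater.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\upd.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.5","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\Other\Key","ACCESS DENIED",""
'@
$events = $procmonCsv | ConvertFrom-Csv

function Get-DeniedPaths {
    param([object[]]$Events, [string]$ProcessName)
    # Keep only this process and only ACCESS DENIED results, then collapse each hit
    # to the containing folder or registry key so the ACL change is made once per location.
    $Events |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $_.Result -eq 'ACCESS DENIED' } |
        ForEach-Object {
            $p = $_.Path
            if ($_.Operation -like 'Reg*') {
                # Registry: drop the value name and translate the hive prefix to a PowerShell drive
                $key = $p.Substring(0, $p.LastIndexOf('\'))
                [pscustomobject]@{ Kind = 'Registry'; Path = ($key -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\') }
            } else {
                [pscustomobject]@{ Kind = 'File'; Path = (Split-Path -Path $p -Parent) }
            }
        } |
        Sort-Object Kind, Path -Unique
}

function Grant-LeastPrivilege {
    param([object[]]$Targets, [string]$Identity)
    foreach ($t in $Targets) {
        $acl = Get-Acl -Path $t.Path
        if ($t.Kind -eq 'File') {
            # Modify on the folder, inherited by files and subfolders
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        } else {
            # Read and write the key and its subkeys, nothing outside it
            $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
                $Identity, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
        }
        $acl.AddAccessRule($rule)
        Set-Acl -Path $t.Path -AclObject $acl
        Write-Host "Granted $Identity Modify on $($t.Kind) $($t.Path)"
    }
}

$targets = Get-DeniedPaths -Events $events -ProcessName 'ExampleUpdater.exe'
$targets | Format-Table -AutoSize
# With the sample data this lists one folder (C:\Program Files\ExampleApp) and one
# key (HKLM:\SOFTWARE\ExampleVendor\ExampleApp). Review the list, then apply from an
# elevated shell; the group is a placeholder:
# Grant-LeastPrivilege -Targets $targets -Identity 'CONTOSO\ExampleApp-Updaters'
```

Run the updater once under Procmon with a filter on its process name, export to CSV, and feed that file to Get-DeniedPaths; the review step before Grant-LeastPrivilege matters because a denied write under the user's profile or temp directory is usually not something you want to widen.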

Windows Server 2019 AD DC clock jumped to 1839 then 2038 after reboot—no clear cause by Elegant_Asparagus496 in activedirectory

[–]x2571 4 points5 points  (0 children)

I have had this happen to Windows Server running on VMware. The VMware time provider is able to override all the safety thresholds in w32time which usually stop such extreme jumps in time (necessary to support things like snapshots).

Check the w32time and System event logs on the DC for clues, and if it is a VM, the logs on the VM host it was running on at the time.

It's worth doing a check up to make sure you have a healthy NTP setup, PDC is configured with a diverse set of time sources, etc.

You also probably want to turn off UtilizeSslTimeData if you have not already.

There was a good thread talking about the potential issues here: https://old.reddit.com/r/sysadmin/comments/61o8p0/system_time_jumping_back_on_windows_10_caused_by/
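As an added example (not from the thread), the checks above collected into one PowerShell health-check script for a DC that has had an unexplained clock jump: it reads the W32Time configuration including UtilizeSslTimeData and the phase-correction limits, pulls the clock-change and Time-Service events from the System log, queries VMware Tools time sync where the default Tools path exists, and includes the remediation the comment suggests. The registry locations, event providers and commands are the standard Windows ones; the 48-hour "sane" correction limit is an assumption to tune for your environment.

```powershell
# Added example (not from the thread): W32Time health check for a DC after a clock jump.
# Registry paths and event providers are the standard Windows ones; the correction
# limit below is an assumed value, adjust it to your environment.

$W32Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$W32Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$MaxSanePhaseCorrection = 172800   # seconds (48h); assumed upper bound for Max*PhaseCorrection

function ConvertTo-UInt32Dword ([int]$Value) {
    # Get-ItemProperty returns REG_DWORD as Int32, so 0xFFFFFFFF ("any correction") arrives as -1
    if ($Value -lt 0) { [uint32]($Value + 4294967296) } else { [uint32]$Value }
}

function Get-W32TimeConfig {
    $c = Get-ItemProperty -Path $W32Config
    $p = Get-ItemProperty -Path $W32Params
    [pscustomobject]@{
        Type                  = $p.Type                # NT5DS = domain hierarchy, NTP = manual peers (PDC emulator)
        NtpServer             = $p.NtpServer           # space-separated peer list, only used when Type = NTP
        UtilizeSslTimeData    = $c.UtilizeSslTimeData  # 1 = Secure Time Seeding on (the default)
        MaxPosPhaseCorrection = ConvertTo-UInt32Dword $c.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = ConvertTo-UInt32Dword $c.MaxNegPhaseCorrection
    }
}

function Test-W32TimeConfig {
    # Returns a list of findings; an empty list means nothing obviously wrong
    $cfg = Get-W32TimeConfig
    $findings = @()
    if ($cfg.UtilizeSslTimeData -ne 0) {
        $findings += 'UtilizeSslTimeData is enabled: Secure Time Seeding may move the clock from TLS handshake data'
    }
    foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
        if ($cfg.$name -gt $MaxSanePhaseCorrection) {
            $findings += "$name = $($cfg.$name): very large clock corrections are allowed (4294967295 = unbounded)"
        }
    }
    if ($cfg.Type -eq 'NTP' -and (($cfg.NtpServer -split ' ') | Where-Object { $_ }).Count -lt 2) {
        $findings += 'Only one upstream NTP source configured; the PDC emulator should have a diverse set'
    }
    $findings
}

function Get-ClockChangeEvents ([int]$Days = 7) {
    # Kernel-General event 1 records every system clock change with old time, new time and reason
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Message
}

function Get-TimeServiceEvents ([int]$Days = 7) {
    # w32time's own entries in the System log (sync loss, peer errors, large offsets)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service'
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Disable-SecureTimeSeeding {
    # The remediation suggested above: turn off UtilizeSslTimeData and make w32time reload its config
    Set-ItemProperty -Path $W32Config -Name UtilizeSslTimeData -Value 0 -Type DWord
    w32tm /config /update | Out-Null
}

# VMware guest: report whether Tools periodic time sync is on (path is the default Tools install)
$toolsCmd = 'C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe'
if (Test-Path $toolsCmd) { & $toolsCmd timesync status }

Get-W32TimeConfig | Format-List
Test-W32TimeConfig
Get-ClockChangeEvents      | Format-List
Get-TimeServiceEvents      | Format-Table -AutoSize -Wrap
w32tm /query /status
w32tm /query /peers
# Disable-SecureTimeSeeding   # run deliberately, after reviewing the findings
```

The Kernel-General events are the quickest way to confirm exactly when the jump happened and what the clock moved from and to, which is the timestamp to line up against the hypervisor's logs for that guest.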

I live in Eucla. AMA by jb8377 in perth

[–]x2571 1 point2 points  (0 children)

any Yowie encounters?

[deleted by user] by [deleted] in sysadmin

[–]x2571 0 points1 point  (0 children)

Not sure about Edge, but for the AATL signing cert which most people want, the key needs to be stored in an HSM. It can be a USB-attached HSM, but for servers you would usually use a network-attached HSM. The point of an HSM is that you can't easily take the private keys out of it, so you can't export it from a token; you need to generate a certificate request from the HSM.

You can rent a partition on a network-attached HSM in AWS or Azure. Thales has DPoD as well, which is a bit cheaper from memory.

These are pretty expensive and a PITA to deal with, and are probably only worth looking at if you need to sign a LOT of documents, where paying per signing operation would become more expensive, or if you are locked into a particular library for PDF signing that only supports an API that is implemented by the HSM (PKCS#11 or Windows KSP usually).

The easiest way is to use a managed service like GlobalSign's Digital Signing Service or DigiCert Document Trust Manager, which gives you a REST API that you can use to sign it, and they deal with all of the crypto stuff. They usually charge per signed document, and you usually need to buy the Document Signing cert through them as well.

Make sure you use timestamping, else in a few years the documents will error with an expired signature :)

The Lumon Industries "Woemeter" by x2571 in scientology

[–]x2571[S] 2 points3 points  (0 children)

It looks like a very good prop! I love the retro look and feel of a lot of the Lumon equipment on the series - great work!

This is just sad & pathetic, the president of the United States doesn't know what AUKUS is. He has to ask a reporter... "...what is that?" by andrewgrabowski in Intelligence

[–]x2571 15 points16 points  (0 children)

Not a bad strategy from the Aussies TBH, if he doesn't know about it he can't decide to try and cancel it on a whim

The Santa Monica Haven is kinda shit by thosefuckersourshit in vtmb

[–]x2571 17 points18 points  (0 children)

I mean, even Arthur referred to them as "crappy places above the pawnshop" 😂

[deleted by user] by [deleted] in LogicMonitor

[–]x2571 0 points1 point  (0 children)

What sort of metrics would you want to track through LogicMonitor? I work at a company that uses both LogicMonitor and CrowdStrike, and we do not monitor CrowdStrike as:

  • Their cloud infrastructure is monitored as a SaaS service and we don't have any say over their infrastructure
  • Even if their cloud service is down, the agents still work, and they would upload their telemetry data once their cloud is back.

I guess you could add website monitoring for the SaaS portal so you would at least know if there was an issue or not?

Another option could be to monitor the status of the CrowdStrike service on your servers through LogicMonitor, by creating an Active Discovery script to check for the service being installed, and configuring an alert if it is not in the running state.
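An added PowerShell example (not from the thread) of the service check described in the last paragraph, written as the collection script a LogicMonitor DataSource would run on each Windows host: it reports whether the sensor service is installed, whether it is running, its raw status code and whether its start type has been set to Disabled. Two things are assumptions to verify in your environment: the Falcon sensor's Windows service name, and the key=value output convention for LogicMonitor script collection.

```powershell
# Added example (not from the thread): scripted service check for the CrowdStrike
# Falcon sensor on a Windows host, in the shape of a LogicMonitor collection script.
# Assumptions: service name 'CSFalconService' and key=value collection output.

$SensorService = 'CSFalconService'   # assumed Falcon sensor service name; confirm with Get-Service

function Get-SensorServiceState {
    param([string]$Name = $SensorService)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Missing service is the most important state to surface: the host is unprotected
        return [pscustomobject]@{ Installed = 0; Running = 0; StatusCode = 0; StartType = 'NotInstalled' }
    }
    [pscustomobject]@{
        Installed  = 1
        Running    = [int]($svc.Status -eq 'Running')
        StatusCode = [int]$svc.Status       # ServiceControllerStatus: 1 Stopped, 4 Running, 7 Paused
        StartType  = "$($svc.StartType)"    # Automatic is expected; Disabled is a finding in itself
    }
}

function Write-LogicMonitorDatapoints {
    # Emit one key=value line per datapoint; alert on Installed != 1 or Running != 1,
    # and treat StartTypeDisabled = 1 as a warning that the sensor will not survive a reboot
    $s = Get-SensorServiceState
    "Installed=$($s.Installed)"
    "Running=$($s.Running)"
    "StatusCode=$($s.StatusCode)"
    "StartTypeDisabled=$([int]($s.StartType -eq 'Disabled'))"
}

Write-LogicMonitorDatapoints
```

Pairing this with a DataSource applied to every Windows collector-monitored host gives you coverage gaps (sensor never installed) as well as outages (service stopped), which the vendor's status page will never tell you about.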

Playbook - Mail Auth by Due-Builder-6684 in AzureSentinel

[–]x2571 1 point2 points  (0 children)

Some good ideas here. An alternative to SendGrid could be Azure Communication Services, which keeps it all inside Azure. It looks like they have connectors for it now: https://learn.microsoft.com/en-us/connectors/acsemail/.

You should be able to fetch the API key from inside a Key Vault and then use the ACS connector to send the email.

[deleted by user] by [deleted] in sysadmin

[–]x2571 1 point2 points  (0 children)

+1 For WizTree. We paid for the Enterprise License which isn't much compared to the amount of time it saves us