How does Defender detect file version limit default changes?
Hi all, I am currently reviewing a historic article that mentions a Cloud Ransomware attack where attackers can change the default number of file versions saved by default. They change this from the default 500 to 1 and then save over your files to make them unrecoverable. Apparently this doesn't need admin credentials, a standard user can do this themselves. All of the Microsoft guidance says that Microsoft is protected against cloud ransomware attacks of this type because of the file versioning feature, as well as being able to contact Microsoft for 14 days after such an incident and they can retrieve your data. My questions are: Where do I find what the current settings are for file version limit defaults? Is it in the OneDrive/SharePoint admin centres? How do I find out whether such a change has been made? Is there an alert already configured in Defender to detect such a change? If not, does anyone know how to set one up, e.g., KQL and a custom detection? I tried asking Copilot, but it just sends me to the official Microsoft documentation, so any help is greatly appreciated.
Missing auditability on use of Explorer and Advanced Hunting
Considering Defender for Office's Explorer and Advanced Hunting can be used to get insight into very sensitive data we assumed this activity is auditable, but unfortunately not. A Microsoft Support request confirmed it's not, and we're confused as to why and would highly request Microsoft to implement audit tracking for any user, including queries used. Explorer gives access to email subjects and Advanced Hunting can be used to view users files etc so from a GDPR and tracking point of view we need to be able to audit our SOC team and other admins on when they access potential personal information.MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Stop Defender isolating Domain Controllers
Recently we have experienced Defender isolating our Domain Controllers. It is always the same rule which causes the isolation "Suspected AD FS DKM key read". I edited the rule and set it to auto resolve if triggered by the DCs. I assumed this would then release the DCs from isolation but this doesn't seem to be the case. Manual intervention is still required. I either need to stop Defender alerting this particular rule against my DCs (not ideal) or i need to stop the rule isolating the DCs. Any help would be appreciated.
Custom critical filter for EDR/XDR
Hello everyone, i would like to ask if somebody is trying to make a unique "critical" filter for alerts/incidents that need to be done as fast as possible? We have many high alerts and we are trying to figure one to have prio list with important notifications. Have you any ideas? Thank you.Alert tuning Cloud apps
We are running the template rule "Mass download by a single user" and getting a lot of alerts and we would like to tune the alerts with a specific Sharepoint site/url. The issue is that I am not able to find a filtering setting/field in the "Alert tuning" rule that would match this, is there anything I have missed or is there fields missing? I know that in the policy rule there is a field-filtering option named Activity objects > Activity object ID which I might be able to enter the "ObjectId" value of the site I want to exclude, this seem to exclude the whole site. If it would be possible to filter on a URL/path, we could filter just a specific folder which is downloaded a lot.
MS Defender XDR API missing Alerts
The Microsoft Defender XDR API is missing Alerts that are visible in the console (https://security.microsoft.com). The number of Alerts returned by the Incident API is limits to 150. This information is no where in the documentation. If you have an Incident with greater than 150 Alerts, the API will not provide all the Alerts for a given Incident. https://learn.microsoft.com/en-us/defender-xdr/api-list-incidents My team has confirmed this behavior across hundreds of tenants and thousands of Incidents. MS Premier Support has not been helpful in understanding if this is a known issue or a bug. Has anyone encountered this issue and have any information? Obviously closing the Incident will solve the problem, but for ongoing investigations this is not alway an option.
Find the file creation time/date in Microsoft 365 Defender Alerts for blocked software
In the portal it tells you the SHA1 hash and the path of the file(s) in question but does not indicate when the file was created. This file in particular was found during a routine scan and I would like to know when the file was created for creating a timeline for hunting. Any assistance on this would be appreciated.
Pending actions notification via KQL / Graph API
Hello, I'm looking for a way to get notifications when an investigation is in Pending Approval state. I have tried searching the logs in Defender and Sentinel and have tried finding a graph request that could get this information, but no luck. Is this something that exists? Thank you for any help regarding this topic. Kristof
