Recent Discussions
Sensor install failing, error log indicates proxy issue
Hi Everyone, I was re-installing a sensor that was stuck on updates and I get an error in the logs - failed connecting to service. The issue can be caused by a transparent proxy configuration From what I can find that's related to either missing certificates or SSL inspection. The proxy works fine for other sensors and I know it's not inspecting this traffic anyway. I found a troubleshooting page that calls out the specific Root CA - "DigiCert Global Root G2" which exists on this machine. https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues#proxy-authentication-problem-presents-as-a-connection-error I believe this sChannel error is related The remote server has requested SSL client authentication, but no suitable client certificate could be found. I am stumped at this point, any help is appreciated.Agent install error
Hi Everyone, One of the servers running the agent was failing to update so I attempted a reinstall. During install it fails / rollsback with an error in the log stating "failed connecting to service. The issue can be caused by a transparent proxy configuration". The device does use a proxy set via netsh, and I've tried specifying it on the command line of the install. I have read elsewhere that this can be related to SSL inspection or an issue with Root CAs on the device. I know there is no inspection going on in this case. I have compared the Root CA list on this device to working devices and don't see anything related to Microsoft that is different. Any ideas?Help! Sensitivity label applied to whole tenant mistakenly with Watermark
We create a sensitivity label to have a watermark to be applied on the files on where it assigned but accidentally or due to misconfiguration, the watermark applied to whole tenant and the files, need a solution to automatically removed these watermarks from the files wherever it is applied. Please assist, TIA... .Sharing: All Built-in SIT categorised
So, Microsoft Purview gives you 313 built-in Sensitive Information Types (SITs)—yes, I counted! When I worked with an Cyber Risk auditor, one of their ask was categorizing all the items that we decided for it to be deployed. This was a bit of a nightmare, so I took one for the team and grouped them into three neat categories: PII, Financial, and Medical. Now, I’m sharing it with you so that my struggle can save you the headache. You’re welcome! Download the excel spreadsheet here: All SIT list and their categories.xlsx
Ingesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. Could not find any specific documentation for the same. researched on this and found below solutions however not sure which could work to fit in our requirement: Splunk add on for Microsoft security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub but this does not talk about Purview DLP logs. This add-on is available for Splunk but only says MIP can be integrated however does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase As per few articles we can also ingest Defender logs to Azure event hub then event hub can be connected to splunk. Above mentioned steps do not explain much about Ingestion of MIP DLP raw data or incidents. If anyone has done it in the past I will appreciate any input.
New Blog | Embracing the Data Protection and Data Privacy Act
By Manny Sahota In an era where data breaches and privacy concerns are at the forefront of concerns, the Data Protection and Data Privacy (DPDP) Act 2023 emerges to enhance protection for individuals' personal information. This landmark legislation signifies a pivotal shift in the global data privacy landscape, imposing rigorous standards for data handling and compelling organizations to elevate their data protection measures. As we navigate the intricacies of compliance with the DPDP. Microsoft Compliance Manager emerges as a tool to help our customers meet regulatory obligations. Compliance regulations protect customers and the organizations they serve, and Microsoft Compliance Manager is here to help protect private data. Unpacking the DPDP Act 2023 The DPDP Act 2023 introduces a stringent legal framework aimed at safeguarding personal data against misuse, unauthorized access, and breaches. It mandates comprehensive data protection protocols, consent mechanisms for data collection, and stringent penalties for non-compliance, thereby setting a new benchmark for data privacy. This act underscores the importance of responsible data stewardship, emphasizing transparency, security, and the individual's right to privacy. For organizations, the enactment of the DPDP Act 2023 signifies a call to action—a mandate to reassess and fortify their data handling practices. It necessitates a holistic approach to data privacy, requiring robust governance, risk management, and compliance (GRC) frameworks to ensure adherence to the law. This is where the strategic deployment of Microsoft's Compliance Manager can make a substantial difference. Read the full post here: Embracing the Data Protection and Data Privacy Act: A Strategic Approach with Microsoft's ComplianceHunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra, my objective is to establish an alert that directly E-Mails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You! //Advanced Hunting query to parse modified: //StrongAuthenticationUserDetails (SAUD) //StrongAuthenticationMethod (SAM) let SearchWindow = 1h; let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]); let AuthenticationMethodChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationMethod" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationMethod" | project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId; let OldValues = AuthenticationMethodChanges | extend OldValue = parse_json(tostring(ModifiedProperties.OldValue)) | mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType); let NewValues = AuthenticationMethodChanges | extend NewValue = parse_json(tostring(ModifiedProperties.NewValue)) | mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType); let RemovedMethods = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.") | extend ChangedValue = "Method Removed"; let AddedMethods = AuthenticationMethodChanges | join kind=inner NewValues on ReportId | join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.") | extend ChangedValue = "Method Added"; let DefaultMethodChanges = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=inner NewValues on ReportId | where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true" | join kind=inner OldValues on ReportId | where Old_Default1 == "true" and Old_MethodType1 != New_MethodType | extend Old_MethodType = Old_MethodType1 | extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").") | extend ChangedValue = "Default Method"; let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges | project Timestamp,Action,Actor,Target,ChangedValue,OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),NewValue=case(isempty( New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)])); let AuthenticationDetailsChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | extend ReportId= tostring(RawEventData.ReportId) | mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationUserDetails" | extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]","")) | extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]","")) | mv-expand NewValue | mv-expand OldValue | where (tostring( bag_keys(OldValue)) == tostring(bag_keys(NewValue))) or (isempty(OldValue) and tostring(NewValue) !contains ":null") or (isempty(NewValue) and tostring(OldValue) !contains ":null") | extend ChangedValue = tostring(bag_keys(NewValue)[0]) | extend OldValue = tostring(parse_json(OldValue)[ChangedValue]) | extend NewValue = tostring(parse_json(NewValue)[ChangedValue]) | extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue ) | extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), dynamic(['','',''])), NewValue ) | where tostring(OldValue) != tostring(NewValue) | extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication.")); union AuthenticationMethodReport, AuthenticationDetailsChanges | extend AccountUpn = Target | where Timestamp > ago(SearchWindow) //| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | summarize arg_max(Timestamp, *) by Action | project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | sort by Timestamp descsecure score not improving: ensure all users can complete MFA
I have created a conditional access rule for all users + all cloud apps +any location to require MFA but the score hasn't increased in a week. I notice it says "You have 56 out of 183 users registered and protected with MFA." (which was the case before the conditional access policy). (FYI this is a messy tenant with lots of previous users that have sign-in blocked and lots of users converted to shared mailboxes. Does that mean that the score is actually evaluated on the % of users that complete the MFA registration? If so, the title of this item is misleading... it should just be called something like % of users registered for MFA and the remediation steps should make clear that creating the policy doesn't guarantee score improvement. please assist,
Compromise from the first moment we open a browser
Internet Vs Local file Content Interference and Control Part 1 I started looking at this a while ago. I’d look something up online, go away, tell people about it or make a calendar appointment; only to return to the source material and find it somewhat different to my recollection. At first I thought I was going a bit forgetful, but the problem was the memory was very clear, I’d double check, it would still change. Over time it started seeping out further - progressing from time differences on the files saved in onedrive (desktop vs mobile view, not just my memory vs PC and this was the first clue); to lists rearranging them in excel, and data copied from one source to another showed alteration…. But seemingly only when I was being particularly boastful, or especially stressed. I remember I’d just started working at a new place, and keen to impress, made a spreadsheet that saved a LOT of manual reconciliation for the team. The first run and second went great, no major issues…. The third and on developed errors (and this was in a vlookup, it’s quite a standard easy to predict feature, shouldn’t change much between times). Whilst the saved file hadn’t been tampered with, I started to suspect that the data input may have been. This wasn’t the start of the issues, it’s just a good example of it interfering with life in a way that makes you doubt your skills and abilities. Electronic gaslighting. Background The actual code that allows such interference eluded me however, until I came across a website called string-functions.com. Here we could convert string characters from or to hex, decimal, binary, " String(Hello) = hex(48656c6c6f0d0a) = Dec(20377714673257738) = Binary(1001000011001010110110001101100011011110000110100001010) " … but oddly binary back to string gave me this: “?????” which I presume is down to how the software defines and executes each step. Do more than one and there’s a chance that, without standardisation between all elements, you can’t reverse the process, at least not by presuming output(step n) = input (step 1). The same is true when you translate languages when you think about it. Then I spotted character encoding. I’d largely forgotten that this was a thing, but it’s the second half of making sure what I type is what you see. The text is stored in this document as strings when you view it, and probably as binary somewhere further down the storage chain (ask Microsoft!) but to get from the building blocks back to the text we need to know how it’s encoded. Internet packet analysers often use terms like “Big5”, “ANSI”, “UTF-8”, “YAML”, “UTF-16” and etc. Vast lookup tables tell software that when a document opens with (X), it needs to read the data with encoder (Y). There’s no left to right or right to left when looking at a datafile. Just sequence. Here’s the clever bit. Some methods of encoding have visible character to tell the computer how to display the sequence of data. Some don’t. Either way, the data is still there and will be read, and in just about every single modern application, it will be executed in the order in which it is read. For example, I could add a “right to left” control character in the above paragraph between “clever and “bit”, with a “stop” and “left to right” control character between “the” and “order” (last paragraph) to make sure it will only ever be copied and pasted as “Here’s the clever order in which it is read”. The same applies to information received by your browser, and all the webpages that it prefetches every time you open the Bing search page on a fresh install of windows. These control characters can call every database function you can think of in addition to reordering text (which includes websites, IP addresses and search terms you put into that address bar, which thanks to convenience, if no longer just a locked down address bar). I think I'm on the right lines of thought here. My computer has a small fit every time I try to post about it or investigate further. Next time, I'll cover cookies, timestamping, and computer certificates.Clarification over "dormant" account status
I was looking today at our list of "Remove dormant accounts from sensitive groups" within Microsoft Defender for Identity, and one service account has caused a bit of discussion. The account would only be used on-premise and would never be carrying out authentications out of our estate. In this case would Defender for Identity still see the account as being "dormant", or is the reason because it's not carried out any of those off-estate authentications? Apologies if this is a simple question, but it would be very helpful to know the answer.
Multiple CA on same domain
We're about to deploy a new two-tier Windows PKI in domain which already has a 1-tier Enterprise CA and wonder of possible impacts on the current configurations. Devices and Users are auto-enrolling with the current CA through GPO and what can be the impact of the new CA ? How will the users get the certificate from the old or the new CA selectively? Is it just managed by the template's security settings, which by default allow authenticated users/devices to enroll? What sort of impact can we expect ? thanks
Confusing content in several training modules
I have noticed the following content present in several training modules and I can only conclude that there are errors in the example URLs in the content. This slide is from the module called "Phishing website" but I have seen the same example in other modules. Note the following: the two example URLs in the slide are identical except for bold formatting, and this is confusing. Additionally, each example is confusing. In the section below Name, what point is served by the example URL? It seems as though the author wants the reader to understand the difference between URLs with replaced, additional, or missing characters. If we assume the reader believes their bank website may be mybanksite.net then a good example URL to illustrate an illegitimate site would be mybanksites.net, because this highlights the additional letter s in the address. But why highlight the other s in the address? And why include .135 in the example? In the section below Domain, it seems as though the author wants to teach the reader about domains (important parts of which one can find on both sides of the last period in a domain). If we assume the reader believes their bank website may be at my mybanksite.net then a good example URL to illustrate an illegitimate site would be mybanksite.135.net, because this highlights that 135.net is the part of the address that should receive the reader's focus. And what is the reader supposed to conclude from these two examples being identical? If the point is that the address is suspicious in two ways, then the slide should first introduce mybanksite.net as the correct URL. Most other slides in the training modules are excellent but I cannot feel good about assigning this misleading and confusing content to my users. Am I misunderstanding something?
Defender for Identity Certificate Requirements
One of the required certificates for the MDI sensor to run is this certificate: Subject : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Issuer : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Thumbprint : D4DE20D05E66FC53FE1A50882C78DB2852CAE474 FriendlyName : DigiCert Baltimore Root NotBefore : 5/12/2000 11:46:00 AM NotAfter : 5/12/2025 4:59:00 PM Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid} It expires in a little over 2 weeks. I still see it listed as required here: https://learn.microsoft.com/en-us/defender-for-identity/troubleshooting-known-issues Does anyone know if that requirement will be going away and/or will the certificate be updated before this one expires? I haven't been able to find anything related to its replacement through my various searches so I apologize if this has been covered already. Thanks.Authenticator not displaying numbers on MacOS
I'm have an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone see's the push notification, but the Mac never creates the numbers in the first place. The pop-up is there, just no number. The workaround is: Answer 'its not me' on the phone On the Mac, select 'I can't use Authenticator right now' Tell the Mac to send a new request This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?
Spurious health alerts with sensor 2.241.18721.18894
We use delayed update on half of our sensors to help catch possible issues with new sensor versions. Only on half of our DCs running the latest sensor 2.241.18721.18894, we are receiving alerts "The virtual machine that sensor [hostname.domain] is installed on has a network configuration mismatch. This issue may affect the performance and reliability of the sensor" Looking at the alert in the portal, MDI alleges that the affected virtual machines virtual NICs have Large Send Offload (LSO) enabled. However, the virtual machines do NOT have LSO enabled. We are not seeing these alerts from the other half of our sensors that are still running 2.241.18708.7989. The issue is only appearing on VM DCs running sensor 2.241.18721.18894. Anyone else see this issue? All the affected DCs are virtual machines. We do have some bare-metal DCs, but they are still running 2.241.18708.7989.Fetching user/riskyusers/risk_detections info in incremental approach
Hi All, Using @odata.deltaLink I am able to track changes in Microsoft Graph data for users. DeltaLink we can’t get changes related to SIGNINACTIVITY, AUTHENTICATION_METHODS_USER_REGISTRATION_DETAILS , USER_APP_ROLE_ASSIGNMENT. At present risky_users and risky_detections are not supported by delta queries. Any other approach where we can track changes apart from DeltaLink. Note: Apart from storing in DB and comparing.Meet Your New Cybersecurity Sidekick - Microsoft Security Copilot Agents
Imagine if your security team had a super-smart assistant that never sleeps, learns from every task, and helps stop cyber threats before they become disasters. That’s exactly what Microsoft’s new Security Copilot Agents are designed to do. Why Do We Need Them? Cyberattacks are getting sneakier and faster many now use AI to trick people or break into systems. In fact, 67% of phishing attacks in 2024 used AI. Meanwhile, security teams are drowning in alerts 66 per day on average and 73% of experts admit they’ve missed important ones. That’s where Security Copilot comes in. It’s like having an AI-powered teammate that helps you investigate threats, fix issues, and stay ahead of attackers. What Are Security Copilot Agents? Think of these agents as mini digital coworkers. They’re not just chatbots they’re smart, adaptable tools that: Learn from your feedback Work with your existing Microsoft security tools Help you make faster, better decisions Keep you in control while they handle the heavy lifting They’re built to be flexible and smart unlike traditional automation that breaks when things change. Real-World Examples of What They Do Here are a few of the agents already available: Phishing Triage Agent: Automatically checks if a suspicious email is a real threat or just spam. It explains its reasoning in plain language and learns from your feedback. Alert Triage Agents (in Microsoft Purview): Helps prioritize which security alerts matter most, so your team can focus on the big stuff first. Conditional Access Optimization Agent (in Microsoft Entra): Keeps an eye on who has access to what and flags any gaps in your security policies. Vulnerability Remediation Agent (in Microsoft Intune): Spots the most urgent software vulnerabilities and tells you what to fix first. Threat Intelligence Briefing Agent: Gives you a quick, customized report on the latest threats that could affect your organization. Even More Help from Partners Microsoft is also teaming up with other companies to build even more agents. For example: OneTrust helps with privacy breach responses. Tanium helps analysts make faster decisions on alerts. Fletch helps reduce alert fatigue by showing what’s most important. Aviatrix helps diagnose network issues like VPN or gateway failures. BlueVoyant: helps to assess your SOC and recommends improvements. Why It Matters These agents don’t just save time they help your team stay ahead of threats, reduce stress, and focus on what really matters. They’re like having a team of AI-powered interns who never get tired and are always learning. Learn More 📢 Microsoft Security Blog: Security Copilot Agents Launch 🎥 https://aka.ms/SecurityCopilotAgentsVideo
Events
Microsoft Purview Data Security Investigations is a new solution that enables data security teams to identify incident-related data, investigate that data with generative AI-powered deep content anal...
Online
Join us as we kick off the Summer Camp with a deep dive into the scenarios that the Microsoft Entra Suite will enable for your organization. Discover how bringing identity and network access together...
Online
Recent Blogs
- If you are building enterprise grade custom GenAI applications or agents, you are probably familiar with the increasing data security and compliance challenges that your target customers worry about:...Jul 03, 2025
- With the retirement of Content Search (Classic) and eDiscovery Standard (Classic) in May, and alongside the future retirement of eDiscovery Premium (Classic) in August, organizations may be wonde...Jul 03, 2025
