Defender ATP - Query failed, how to investigate

Tetera, Jakub 6 Reputation points
2021-01-07T08:37:20.74+00:00

Hello,

This morning, we've had an issue with one of our custom rules in Microsoft Defender ATP. For a two-hour period, the query returned several false positives, which points us to one of the threat intelligence functions (FileProfile()) either returning incorrect results or not returning anything at all. However, the "Health" tab isn't showing anything in the history to explain this behavior. I'd like to investigate further and determine how this happened.

A previous SIEM tool I worked with (Splunk) used to have its own query logs that would contain the information I'm looking for (external function invocations & results). I couldn't find anything of the sort in Defender ATP, though I'm still familiarizing myself with the environment and might have missed something.

Could you point me in the right direction?
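The failure mode described above (an enrichment function returning empty results and the rule firing on the unenriched rows) can be mitigated in the rule itself. The following advanced hunting query is an added example written for this thread; it is not the asker's rule and not Microsoft code. It assumes a hypothetical custom detection that flags low-prevalence, non-validly-signed executables via FileProfile(), and adds a guard so that rows with no enrichment data are treated as "unknown" rather than "suspicious":

```kusto
// Added example, not the original poster's rule.
// Hypothetical custom detection: newly created executables that are rare
// and not validly signed, enriched at query time with FileProfile().
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe"
// FileProfile() looks up the SHA1 column and appends GlobalPrevalence,
// SignatureState, Signer and related fields (limit 1000 rows).
| invoke FileProfile(SHA1, 1000)
// Guard against an enrichment outage: if the function returned nothing for
// this row, the enrichment columns are empty. Without this line an empty
// GlobalPrevalence would not satisfy "< 10", but an empty SignatureState
// would satisfy "!= 'SignedValid'", so the detection would drift as soon as
// partial results came back. Drop unenriched rows explicitly instead.
| where isnotempty(GlobalPrevalence) and isnotempty(SignatureState)
| where GlobalPrevalence < 10 and SignatureState != "SignedValid"
| project Timestamp, DeviceName, FileName, SHA1, GlobalPrevalence, SignatureState, Signer
```

Because FileProfile() is evaluated when the query runs, re-running the query today cannot reproduce what the function returned during the earlier window; the guard above is the practical mitigation, and the alerts the rule did raise can still be reviewed in the AlertInfo and AlertEvidence tables to confirm which rows lacked enrichment values.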

Microsoft Sentinel

1 answer

Sort by: Most helpful
  1. Candy Luo 12,661 Reputation points Microsoft Vendor
    2021-01-08T07:42:27.033+00:00

    Hi,

    The Windows 10 security forum doesn't focus on Microsoft Defender ATP related questions, so I will remove the windows-10-security tag.

    For questions related to Defender ATP, you might ask here:

    https://techcommunity.microsoft.com/t5/microsoft-security-and/ct-p/MicrosoftSecurityandCompliance

    Best Regards,

    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
