Microsoft Defender for Endpoint alerts no longer showing in Stories Workbench
I'm seeking advice regarding the integration between Cato XDR and Microsoft Defender for Endpoint (MDE). Previously, MDE alerts were being displayed correctly in Cato XDR (Home > Stories Workbench), but since yesterday, new incidents detected in MDE are no longer appearing in XDR. Below is the current status of our investigation: When an incident occurs on a device, it is properly detected and displayed in MDE. The integration with MDE was successfully completed, and the corresponding application in Entra ID has been granted the following application permissions with admin consent: SecurityAlert.Read.All SecurityIncident.Read.All ThreatHunting.Read.All User.Read (delegated) User.Read.All (application) In Microsoft Entra ID, the Sign-in logs show that all sign-ins by the service principal are marked as "successful." We tried deleting "Microsoft Defender" once from Security > Endpoint Connector and re-integrating it, but the alerts still do not appear in XDR. I would greatly appreciate any advice or insights to help resolve this issue. Thank you very much in advance.
You Ask a Good Question: Top 5 Applications Per Site, by Total Bandwidth
The Ask: I’d like to be able to see the top 5 applications, per site, by total bandwidth. Basically, this graph multiple times. API Guy answer: My solution is a multi-query approach. Step 1: This appStats query to get the list of site names and their total traffic: Step 2: Iterate over each site, calling an appStats() query for each one, with the site name as the filter. Here’s an example for one site: You will need to then calculate the percentages based on the total for each site from the first query.
