Latest Discussions
Defender for Server deployed, integration for DfE checked, but M365 Defender showing "Can be onboarded"
I'm sure I'm missing something in the slightly complicated way of enabling servers for DfE via Defender for Cloud Server. The licensing is in place and the checkboxes to share data are ticked. The servers are showing as onboarded in Defender for Cloud; however, the one portal to rule them all, Microsoft Defender 365, is still showing the servers as "Can be onboarded" and missing the data of a properly onboarded DfE client. Where should I start my troubleshooting to determine what I've missed or what is going wrong?
Paul | 2.2K views | 0 likes | 5 comments

KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need: a query that will combine the recommendation categories (13 listed under the Classic View in recommendations) and the individual assessments associated with those categories:

    securityresources
    | where type == "microsoft.security/securescores/securescorecontrols"
    | extend category_name = tostring(properties.displayName) // category name
    | extend Tenant_Id = tostring(tenantId)
    | extend healthy = properties.healthyResourceCount
    | extend unhealthy = properties.unhealthyResourceCount
    | extend notApplicable = properties.notApplicableResourceCount
    | extend score = properties.score
    | extend scr = parse_json(score)
    | project category_name, healthy, unhealthy, notApplicable, CurrentScore = scr.current, MaxScore = scr.max, Tenant_Id
    | join (
        securityresources
        | where type == "microsoft.security/assessments"
        | extend assessment_name = tostring(properties.displayName) // assessment name
        | extend Tenant_Id = tostring(tenantId)
        | extend resourceName = properties.resourceDetails.ResourceName
        | extend status = properties.status.code
        | extend metadata = properties.metadata
        | extend severity = metadata.severity
        | project assessment_name, resourceName, status, severity, Tenant_Id
    ) on Tenant_Id
    | project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id

This is a work-in-progress script. I do get a valid script, but I know it is not working like I need it to work. For example, when I run this script I get "assessment_name: EDR solution should be installed on Virtual Machines", but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add another "Type", but I'm not sure which.
Please advise,
Sergesnteran | Jan 18, 2025 | Copper Contributor | 3 views | 0 likes | 0 comments

No automatic MDE.Windows installation anymore
We have an Azure subscription to which our on-premises servers are connected via Azure Arc. Actually, only Microsoft Defender for Servers Plan 1 should be used. However, Plan 2 is billed in the cost analyses, which leads to significantly higher costs than planned. I've fixed it, but it led to the problem of MDE.Windows not being installed anymore. The servers are connected to Azure by executing a script, after which some plugins are installed (MDE.Windows, MicrosoftMonitoringAgent, and on some servers WindowsPatchExtension). In the environment management of Defender for Cloud we have explicitly selected Plan 1; despite this, Plan 2 is activated for each server. There is no Log workspace. Here are the policies; I think they were automatically created by Azure. I've deleted "ASC provisioning LA agent Windows Arc" and the Linux one because they deploy the two extensions MicrosoftMonitoringAgent and WindowsPatchExtension, which activate Plan 2. After deleting those two extensions I should not get billed as Plan 2 anymore. My problem is now that I don't have the policy to install the MDE plugin anymore. How do I get this working again? I need to install only the MDE plugin on the computers to ensure we only use Plan 1. No other extensions, no Log workspace... Appreciate the help.
35 views | 0 likes | 0 comments

Automate the AWS account onboarding process
How can we automate the onboarding process for new tenants so that any new AWS account created within the landing zone is automatically onboarded to Microsoft Defender, exploring an alternative automation approach that is directly embedded within the structure of the stack set?
VaibhavBeohar | Jan 14, 2025 | Copper Contributor | 6 views | 0 likes | 0 comments

"Duplicate" alerts in Defender for Cloud from MDE
Hello, I discovered that security alerts generated from Defender for Endpoint are causing "duplicate" security alerts in Defender for Cloud. We have several Azure Arc-enabled servers active with Defender for Server P1, which includes Defender for Endpoint integration. Hence Arc servers are automatically onboarded to Defender for Endpoint. We had a false positive caused by the addition of AV exclusions, which generated an alert/incident in Defender XDR that was then synced to Sentinel. Closing the alerts in Defender XDR or Sentinel resulted in synced status between the two. However, it seems the same alerts were also created in Defender for Cloud, and their status remained "open" even after being resolved in Defender XDR. The link in the open Defender for Cloud alert effectively opens up the resolved alert in Defender XDR. So it seems to be the same alert, but its status is not being synced. Is this a known issue?
packetknight | Jan 12, 2025 | Copper Contributor | 57 views | 0 likes | 1 comment

How to check the standard policy is working? Is there any report tracking?
How to check the standard policy is working? Is there any report tracking? https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations
bimalashrestha | Jan 12, 2025 | Copper Contributor | 18 views | 0 likes | 1 comment

Disable MFA 14 day grace period?
Hi, just looking for some advice here... Is it possible to disable/remove the 14 day "grace period" for MFA registration for new users? Premium subscription being used. Customer wants all new users to be forced to set up MFA when they first log in and not allow them to skip for 14 days. I can't find anywhere to disable this? Security defaults is not enabled. A 3rd party service is being used for SSPR. Thanks.
luke_m137 | Jan 05, 2025 | Copper Contributor | 39K views | 0 likes | 7 comments

Available Alerts on Microsoft of Defenders
Hi All, can anyone help identify whether the alerts mentioned in this article will generate incidents/alerts by default on Defender for Cloud and send them to Sentinel if it is integrated? https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines
talkingpoint | Dec 11, 2024 | Copper Contributor | 25 views | 0 likes | 1 comment

Enhancing Governance Rules/Notifications with Risk-Based Recommendations
Hi everyone, I'm looking to improve how governance rules in Defender for Cloud integrate with risk-based recommendations from Defender CSPM. Currently, governance rules measure against the severity of recommendations, but our users receive emails highlighting severity without any mention of risk. This has led to confusion because the default view in the portal sorts by risk. Is there a way to make governance rules more flexible to incorporate risk-based recommendations? Also, are there any upcoming integrations for different ticketing tools like Jira? Any advice or updates would be appreciated. Thanks!
grahamobrien | Dec 10, 2024 | Copper Contributor | 26 views | 0 likes | 0 comments

Problems adding Defender for Business Server to a 2019 Windows server.
Hi. We recently purchased a one-year subscription to Microsoft Defender for Business Servers through a retailer. I've onboarded a Windows Server 2019 device using a PowerShell script, following Microsoft's guidance, since the server is not enrolled in Intune. The onboarding process appears to have been successful, as confirmed by event logs. However, the device isn't visible in the Microsoft Defender portal. Additionally, the Defender for Business Servers license isn't assigned to the device in the Office 365 admin center. Is it possible that I'm missing a configuration somewhere in one of the admin centers (Defender, Office 365, etc.) so the license can be applied to the device? What additional steps might be required to ensure the device is visible in the Microsoft Defender portal and the license is assigned correctly?
jortega | Dec 06, 2024 | Copper Contributor | 33 views | 0 likes | 0 comments
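Two posts in this list (the first, where Defender for Cloud reports servers as onboarded while the Microsoft Defender portal still says "Can be onboarded", and the last, where a Server 2019 onboarded by script never appears in the portal) come down to the same question: did the Defender for Endpoint sensor on the box actually complete onboarding against the expected tenant? The script below is an added example from the editor, not code from any poster or from Microsoft, and it runs on the server itself in an elevated PowerShell session. It reads the documented onboarding status registry key, the state of the Sense service, and recent errors/warnings from the sensor's operational event log, then prints a verdict. The registry key path, value names and log name are the ones the sensor uses on Windows; the thresholds in the verdict logic are the editor's assumptions about what a healthy device looks like.

```powershell
# Added example: local health check for the Defender for Endpoint (MDE) sensor.
# Run as Administrator on the Windows Server you expect to see in the portal.
# Not code from the forum posts above.

function Get-MdeOnboardingStatus {
    [CmdletBinding()]
    param()

    # The Sense service is the MDE sensor. If it is missing, nothing was onboarded,
    # whatever Defender for Cloud says about the MDE.Windows extension.
    $sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Onboarding status key written by the sensor.
    # OnboardingState 1 = onboarded; OrgId identifies the tenant the device joined.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # Recent Error (2) / Warning (3) events from the sensor log. Connectivity,
    # proxy and onboarding-package problems show up here first.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-SENSE/Operational'
                  Level   = 2, 3
              } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        SenseInstalled  = [bool]$sense
        SenseStatus     = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        SenseStartType  = if ($sense) { $sense.StartType.ToString() } else { $null }
        OnboardingState = $status.OnboardingState   # expect 1
        OrgId           = $status.OrgId             # compare with the tenant you are looking in
        SenseId         = $status.SenseId           # device id the portal should list
        RecentIssues    = @($events | ForEach-Object {
                              '{0} [{1}] {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
                          })
    }
}

$r = Get-MdeOnboardingStatus
$r | Format-List

# Verdict: walk the failure modes in the order they actually occur.
if (-not $r.SenseInstalled) {
    Write-Warning 'Sense service missing: the MDE sensor is not present. Re-run the onboarding package (Server 2019 uses the in-box sensor, so the onboarding script must complete).'
}
elseif ($r.OnboardingState -ne 1) {
    Write-Warning 'Sense present but OnboardingState is not 1: onboarding never applied or failed. Re-run the onboarding script and read RecentIssues.'
}
elseif ($r.SenseStatus -ne 'Running') {
    Write-Warning 'Onboarded but the Sense service is not running: start it and check RecentIssues for connectivity errors.'
}
else {
    Write-Host 'Device is onboarded locally. If the portal still shows it missing or "Can be onboarded", confirm OrgId matches your tenant and that outbound access to the Defender service URLs is allowed.'
}
```

If this reports OnboardingState 1 and a running Sense service but the device still does not appear, the remaining suspects are tenant mismatch (OrgId belongs to a different tenant than the one you are looking at) and blocked outbound connectivity; Microsoft's MDE Client Analyzer checks the latter in depth. A server that passes this check yet still shows as "Can be onboarded" in the Microsoft Defender portal was most likely discovered by another onboarded device rather than onboarded itself, which is exactly the gap the first post describes between Defender for Cloud's view and the Defender portal's view.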
Tags
- Cloud Security (92 topics)
- cloud security posture management (34 topics)
- security (31 topics)
- microsoft defender for endpoint (22 topics)
- Azure Defender for Servers (22 topics)
- azure (20 topics)
- Threat Protection (19 topics)
- vulnerabilities (15 topics)
- best practices (12 topics)
- Security Controls (12 topics)