Latest Discussions
Submit files for malware analysis using API
Hi, is there any kind of API to submit files for malware analysis? We would like to embed the submission in our automatic app build/publish process. We know that the submission can be done manually using the web portal https://www.microsoft.com/en-us/wdsi/filesubmission/ but this is unsuitable for any kind of automatic processing. Thank you.

ViktorSpacil, Jan 23, 2025, Copper Contributor. 518 views, 2 likes, 2 comments.
Get-MpComputerStatus output is blank

Hello, We recently transitioned from ESET AV to a solution that uses the Microsoft Defender engine. However, we're encountering an issue where domain-joined VMs running Windows Server 2022 return no output when executing the following command: Get-MpComputerStatus | Select AntivirusEnabled. The antivirus application (Heimdal Next-Gen Antivirus) relies on this output to verify that real-time scanning is enabled. We have tried several troubleshooting steps, including rebooting the machines, running the command Dism /Online /Enable-Feature /FeatureName:Windows-Defender, and checking the registry to ensure that Defender is not in passive mode. However, the issue persists. Has anyone encountered a similar issue, or can anyone suggest additional steps to resolve this? Any help would be greatly appreciated!

unslog, Jan 23, 2025, Brass Contributor. 130 views, 0 likes, 5 comments.
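An added example in PowerShell, not code from the post above or from any vendor, that a practitioner can run on such a server to see where a blank Get-MpComputerStatus result comes from. The cmdlet is a thin wrapper over the Defender WMI provider, so it returns nothing when the platform or its service is absent; a consumer that only does `Select AntivirusEnabled` then sees an empty column and cannot tell "disabled" from "not there". The script reads the same object but also checks the WinDefend service, the Windows-Defender feature state (server SKUs), the DisableAntiSpyware policy value and, where the namespace exists, Security Center registrations, and reports unknown rather than enabled when the cmdlet returns nothing. Cmdlet and property names are the standard ones; the pass/fail logic at the end is my assumption about what "real-time scanning is enabled" should mean.

```powershell
# Added example, not from the original post. Cross-checks Defender state from several
# sources so that an empty Get-MpComputerStatus result is reported as UNKNOWN rather
# than silently read as "protected" (or "unprotected").
function Get-DefenderHealthSummary {
    [CmdletBinding()]
    param()

    $r = [ordered]@{
        ComputerName              = $env:COMPUTERNAME
        WinDefendService          = 'NotInstalled'
        DefenderFeatureState      = 'Unknown'     # populated on Windows Server only
        MpCmdletReturnedObject    = $false
        AntivirusEnabled          = $null
        AMRunningMode             = $null
        RealTimeProtectionEnabled = $null
        DisableAntiSpywarePolicy  = 'NotSet'
        OtherAVRegistered         = 'Unknown'
    }

    # 1. Service presence and state. Without WinDefend the Mp* cmdlets have no provider to query.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc) { $r.WinDefendService = $svc.Status.ToString() }

    # 2. On Windows Server the Defender feature can be uninstalled. Get-WindowsFeature
    #    (ServerManager module) reports Installed / Available / Removed; it does not exist
    #    on client SKUs, so guard the call.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsFeature -Name Windows-Defender -ErrorAction SilentlyContinue
        if ($feat) { $r.DefenderFeatureState = $feat.InstallState.ToString() }
    }

    # 3. The cmdlet from the post. Record whether it returned anything at all, then the
    #    three properties that decide "is real-time scanning on".
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $r.MpCmdletReturnedObject    = $true
        $r.AntivirusEnabled          = $mp.AntivirusEnabled
        $r.AMRunningMode             = $mp.AMRunningMode     # e.g. Normal, Passive Mode, EDR Block Mode
        $r.RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    }

    # 4. Policy value that turns Defender off outright (set by GPO or by a migrating AV product).
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polPath -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    if ($pol) { $r.DisableAntiSpywarePolicy = [bool]$pol.DisableAntiSpyware }

    # 5. Another registered AV product pushes Defender into passive mode on client SKUs.
    #    root/SecurityCenter2 is normally absent on Server, so 'Unknown' stays there.
    try {
        $av     = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop)
        $others = @($av | Where-Object { $_.displayName -notmatch 'Defender' })
        $r.OtherAVRegistered = ($others.Count -gt 0)
    } catch { }

    [pscustomobject]$r
}

$summary = Get-DefenderHealthSummary
$summary | Format-List

# Decide explicitly instead of trusting a blank property (assumed policy, adjust to taste).
if (-not $summary.MpCmdletReturnedObject) {
    Write-Warning 'Get-MpComputerStatus returned nothing: platform missing, service stopped or module not loaded. Treat as UNKNOWN, not as enabled.'
} elseif ($summary.AMRunningMode -ne 'Normal' -or -not $summary.RealTimeProtectionEnabled) {
    Write-Warning "Defender is present but not actively protecting (mode: $($summary.AMRunningMode))."
}
```

Run it in an elevated session on one of the affected servers and compare the output with a healthy one. A WinDefendService of NotInstalled or a DefenderFeatureState of Removed means the Dism step from the post did not take effect; a populated object with AMRunningMode other than Normal points at a passive-mode registration rather than a missing platform.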
Defender for Endpoint on Co-managed Laptop

We are testing the device control feature of Microsoft Defender for Endpoint (MDE).

Onboarded a laptop to MDE only (not enrolled in Intune) and created two policies in the Defender portal:

- Attack Surface Reduction - Device Control: this policy could never be successfully applied on the machine. (Reason: "Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune | Microsoft Learn" says that the Device Control profile is visible in the Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune.)
- AV: this policy deployed successfully and I could see the deployed config on the machine.

Onboarded to MDE and co-managed (Intune, SCCM): configured the Endpoint Protection workload to be managed by Intune. Created an Attack Surface Reduction Device Control policy in the Intune portal; the policy deployed successfully on the laptop. Connected the USB to the device and it showed the following. Left the device connected; after a few hours I could see the capacity and used storage of the USB, but clicking Continue and entering admin credentials also won't allow access to the USB. Left the device connected overnight, and the next morning I could double-click on the drive and access the content; it directly allowed me read-write access to the USB. Unplugged and re-plugged the USB, then it shows the USB is not accessible.

I am not able to understand this inconsistent behaviour; please suggest if I am doing something wrong. Also, instead of the "Access is denied" message, can we display a message like "As per the corporate policy, you can't access the removable devices." when the user tries to access a USB? Please help.

Sochito, Jan 22, 2025, Brass Contributor. 18 views, 0 likes, 0 comments.
AIR (Automated Investigation and Response) disables user in Active Directory, suspends in Entra ID

My organization saw an incident yesterday with a new-to-us behavior: Defender disabled the user's access in Active Directory and suspended the user in Entra ID. It was an AitM (Attacker in the Middle) scenario, which we believe was delivered via a phishing message and a shared OneDrive file. Defender correctly identified the malicious activity and disabled the account shortly after. I am curious because we have not seen this behavior before. Does anyone know if this is a new feature? Or possibly something that just hasn't hit our environment before (which seems unlikely)? I checked the following pages but didn't see anything that looked related: What's new in Microsoft Defender XDR; What's new in Microsoft Defender for Identity; What's new in Microsoft Defender for Endpoint. I do see in security.microsoft.com under Settings - Microsoft Defender XDR - Automation - Identity automated response that we have the capability to exclude users from the automated response. It's possible this capability has been enabled for a while.

redherring, Jan 19, 2025, Copper Contributor. 34 views, 1 like, 1 comment.
API problem

All the other APIs I use work properly, but these do not: "https://api.securitycenter.microsoft.com/api/users/{user_id}/machines" and "https://api.securitycenter.microsoft.com/api/users/{user_id}/alerts". They always return an empty set. Any idea?

Gerard Forcada Bigas, Jan 15, 2025, Copper Contributor. 21 views, 0 likes, 1 comment.
No Automated Investigation Triggered for High Severity Incident

Hi Community, I've noticed an issue where no Automated Investigation and Response (AIR) was invoked for a high-severity incident and alert on a device that belongs to a device group configured with full AIR. This behavior contradicts the expected principle of AIR, as outlined in the documentation: How Automated Investigation Starts.

Details:
- The device is part of a group with full AIR enabled.
- A high-severity alert/incident occurred but did not trigger any automated investigation.
- Manual actions were required to address the threat, despite AIR being enabled.

Questions:
- Has anyone experienced similar behavior where AIR is not triggered for eligible devices/incidents?
- Are there known scenarios or conditions that might prevent AIR from starting, even in fully configured groups?
- What steps can I take to troubleshoot or escalate this to ensure consistent AIR functionality?

Your insights and suggestions would be greatly appreciated! Thank you.

Marnik, Jan 15, 2025, Brass Contributor. 10 views, 0 likes, 0 comments.
Web content filtering and indicators aren't working on third-party browsers

Hi, we have just noticed that web content filtering and customized indicators are not working on third-party browsers after upgrading Defender for Endpoint to 4.18.23050.3. The issue has happened on both Win10 and Win11 machines. Has anyone else got the same issue?

Spark Zhang, Jan 15, 2025, Brass Contributor. 27K views, 5 likes, 81 comments.
MS Defender for Endpoint - List machines API

Is it possible to use the API below to retrieve machines with onboarding status 'Can be onboarded'? We are hitting this API from ServiceNow and it seems that it is only returning onboarded machines. https://api.security.microsoft.com/api/machines Reference: https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines

ajitmundhekar, Jan 15, 2025, Copper Contributor. 19 views, 0 likes, 0 comments.
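An added example in PowerShell, not code from the post above or from the ServiceNow integration, showing the request shape that narrows the List machines endpoint to one onboarding state: the portal label "Can be onboarded" corresponds to the Machine resource's onboardingStatus value CanBeOnboarded, which is selected with an OData $filter rather than a separate endpoint. Assumptions: the caller already holds a bearer token for the API (application permission Machine.Read.All or the delegated equivalent); onboardingStatus is accepted in $filter, as the reference page linked in the post lists it among the filterable properties (check the current doc); truncated responses carry @odata.nextLink. The function name and the $top value are mine.

```powershell
# Added example, not code from the original post or from ServiceNow.
# Assumptions: $AccessToken is a valid bearer token for the Defender API;
# onboardingStatus is filterable; paging is signalled through @odata.nextLink.
function Get-MdeMachinesByOnboardingStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        # Values of the Machine resource's onboardingStatus property.
        [ValidateSet('Onboarded', 'CanBeOnboarded', 'Unsupported', 'InsufficientInfo')]
        [string] $Status = 'CanBeOnboarded',
        # The endpoint the post was calling; the reference page documents the same path
        # on api.securitycenter.microsoft.com.
        [string] $BaseUri = 'https://api.security.microsoft.com/api/machines'
    )

    $headers = @{
        Authorization = "Bearer $AccessToken"
        Accept        = 'application/json'
    }

    # OData filter, percent-encoded so the quotes and spaces survive the query string.
    # Without it the listing is not restricted by onboarding state at all.
    $filter = [uri]::EscapeDataString("onboardingStatus eq '$Status'")
    $uri    = "${BaseUri}?`$filter=$filter&`$top=1000"

    $machines = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($m in $page.value) { $machines.Add($m) }
        # Follow server-side paging until the link is absent ($null ends the loop).
        $uri = $page.'@odata.nextLink'
    }

    $machines |
        Select-Object id, computerDnsName, osPlatform, onboardingStatus, lastSeen, lastIpAddress
}

# Usage (token acquisition is out of scope here; any OAuth2 client-credentials flow works):
# Get-MdeMachinesByOnboardingStatus -AccessToken $token -Status CanBeOnboarded |
#     Export-Csv -NoTypeInformation -Path .\can-be-onboarded.csv
```

From ServiceNow the same thing is a REST step with the identical query string; the point to carry over is the `$filter` clause and the loop over `@odata.nextLink`, since a single unpaged call will look complete while silently dropping devices once the tenant exceeds one page.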
WEB content filtering

Hello everyone, For a few days now, the "WEB content filtering" feature has not been performing its role of filtering web content by category, even though the rule is still in place and correctly configured. What surprises me is that this rule has been working for at least 2 years. I've deleted and re-created the rule several times, without success. Have you seen this behavior before? Do you know how to correct this problem?

AzeddineJOUMAR, Jan 14, 2025, Copper Contributor. 59 views, 0 likes, 2 comments.