Forum Widgets
Latest Discussions
Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)
Hi everyone! I’m working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions: MDE in Passive Mode as a sensor: Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR? Appliance sensor in Enterprise IT: If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases? Coexistence / Complementary sensors: Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features? Any guidance on architecture, data overlap/deduplication, or licensing implications?
MS Defender setting
Hello, I have a question. I'm not an English-speaking country, so please understand any shortcomings. I'm trying to block or alert on specific URLs in Microsoft Defender > Settings > Endpoint > Rules > Indicators. I've completed the setup, but I'd like to customize the screen that appears on the webpage when an alert is triggered. Is there a way to do this? Thank you in advance for your help.
Latest Threat Intelligence (December 2025)
Microsoft Defender for IoT has released the December 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS. The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown. Guidance Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices. Update your system with the latest TI package The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs. MD5 Hash: 5c642a16bf56cb6d98ef8b12fdc89939 For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.Microsoft Defender for Endpoint for Vulnerability Management and Reporting
Hi All, We’re currently using Rapid7 for vulnerability management and reporting, but we’re actively evaluating the possibility of moving to Microsoft Defender for Endpoint going forward. We’d like to better understand how to properly leverage Defender for Endpoint for vulnerability management and reporting. If this means using custom reports—such as building dashboards in Power BI—we’re definitely open to that approach. At a high level, we’re looking for guidance on best practices and the right direction to meet the following requirements: Ongoing vulnerability tracking and remediation Clearer reporting on vulnerability trends and areas needing improvement Breakdown of vulnerabilities by severity (Critical, High, Medium, Low), grouped by aging buckets (e.g., 30, 60, 90 days) Defender Secure Score reporting over time (30, 60, and 90-day views) Visibility into non-compliant devices in Intune, including devices in grace period and PCs that have checked in within the last 14 days Any recommendations, examples, or pointers to documentation or reporting approaches would be greatly appreciated. Thanks in advance, Dilan
Correct firewall log names to be included in a Defender investigation package?
Hi - first time poster, I work in a SecOps team using Defender for Endpoint. I noticed that when we collect an investigation package from a device in Defender that the firewall logs aren't being found. The advice on Microsoft Learn articles seems to be contradictory as to what firewalls should be named as: https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts FirewallExecutionLog.txt and pfirewall.log The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it's included in the investigation package. For more information on creating the firewall log file, see https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-logging?tabs=intune. This section implies for the firewall log to be collected it has to be called "pfirewall.log" but on the linked page it is recommended to change the log file names: For each profile (Domain, Private, and Public) change the default log file name from %windir%\system32\logfiles\firewall\pfirewall.log to: %windir%\system32\logfiles\firewall\pfirewall_Domain.log %windir%\system32\logfiles\firewall\pfirewall_Private.log %windir%\system32\logfiles\firewall\pfirewall_Public.log We have tested the changed names and they are not found by the investigation package. Which one is recommended and is the logic used in the Defender investigation package correct?Investigating Excel-Initiated Email Activity Without Sent Items Trace
Two days ago, three emails were sent from a user’s inbox without leaving any copies in the Sent Items folder. The user did not send these emails manually—this is confirmed by the presence of the SimpleMAPI flag in Outlook. What I know: Email Characteristics: All three emails contained a Word attachment. No body text was present. The subject line matched the attachment file name. Two of the emails were identical. Recipients: Emails were sent to colleagues who originally created the attached documents. Attachment Details: One attachment appeared to be a temporary file (e.g., a3e6....). System Behavior: No suspicious logins detected before or after the event. Emails were sent via the Outlook.exe process on the user’s machine. Excel.exe was identified as the parent initiating process according to Microsoft Defender endpoint logs. In Defender's Endpoint logs I found this under Typed Details (related to the firing of the 3 emails): 1. -Downloaded file: 2057_5_0_word_httpsshredder-eu.osi.office.net_main.html Path: C:\Users\s***s\AppData\Local\Microsoft\Office\16.0\TapCache\2057_5_0_word_httpsshredder-eu.osi.office.net_main.html 2. Downloaded file: ~$rmalEmail.dotm Path: C:\Users\s***s\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm I am seeking assistance to replicate this issue and accurately determine how these three emails were triggered.
KQL query to report on Audit/Block status of Network Protection
Anyone know how to run a query using KQL in the defender portal to return the status of Network Protection - Audit or Block mode? The following query returns the results but "IsCompliant" = 1 when Network Protection is on in either Audit or Block mode. I thought the context might help but for this SCID it is always empty. DeviceTvmSecureConfigurationAssessment | where ConfigurationId == "scid-96" The information is available within the portal when you drill into the device - configuration management - effective settings - but this is not scalable when needing to check across a large estate. How could you query this via KQL or another way to generate on a report on overall estate health and configuration? Long term would be great to report on this in a powerBi dashboard. Thanks
MS Defender 101.25102 update error
I have been trying to update MS Defender for several days now and without luck. I am on a iMac M3 with macOS 26.1. I tried removing and reinstalling the app, but it seems that the uninstall script does not remove the app at all. Yes, I did restart the machine. Does anyone have a solution?
