Recent Discussions
Deception Not Deployed on Devices
Hi all, I created a deception rule and tried to deploy it on all devices (Windows Server 2022). Unfortunately, the device count remains at 0... (status: in progress). PS: the deployment was created... 2 months ago. Any idea? Regards, HA

Full Automation Capabilities in Linux OS
Hello everyone, We have configured Defender to detect viruses, and our goal is that if one of our assets downloads or encounters a virus, it is automatically hidden or removed. Based on the documentation regarding the automation levels in Automated Investigation and Remediation capabilities, we have set it to "Full - remediate threats automatically." While this works correctly on Windows devices, we have noticed that on Linux devices, Defender still detects the virus but it is not prevented. I was wondering if anyone has encountered this issue and, if so, how it was resolved? Additionally, as I am new to the Defender platform, I wanted to ask if this issue could potentially be resolved through specific Linux policies or functionalities? Best regards, Mathiew

Newly Created DfE Device Groups not immediately usable
I created a device group via https://security.microsoft.com/securitysettings/endpoints/machine_groups to apply a custom Indicator URL block for a single device based on an exact device name match. I ensured that the device is matched with the group rule using the Preview Device feature. Immediately after creating the device group, I clicked on Apply Changes on the device group page, but after an hour the device group still shows 0 device members and is not yet visible when creating the custom TI URL rule. It's extremely frustrating when we need to respond quickly to threats but have to wait for back-end replication/scripts to run just for creating and using a Defender device group.

Investigating ASR Alert: Tracing the Source URL for C&C Activity
Hello everyone, I encountered an alert in Microsoft Defender indicating that a URL was blocked as Command and Control activity. While investigating, I noticed multiple URLs accessed prior to the flagged one, including ad traffic. However, I am unable to identify the source URL that triggered this activity. Could anyone suggest advanced hunting queries or any other investigative approaches to help trace the source URL? I am particularly interested in methods to correlate this URL with preceding network events or processes. Thanks

DeviceLogonEvents & IdentityLogonEvents
Hey, I'm trying to fetch login events via these 2 tables, DeviceLogonEvents & IdentityLogonEvents, in Advanced Hunting. Which events will appear in DeviceLogonEvents vs IdentityLogonEvents? Are there events that will appear in DeviceLogonEvents and not in IdentityLogonEvents, or vice versa? As I understood, these tables are based on Windows logon events? If yes, what is the mapping from the Windows event to these tables? On DeviceLogonEvents, when does the UPN appear on the event? Because sometimes it appears in the Additional Info map and sometimes in AccountName, and sometimes it doesn't appear at all (sometimes a weird username appears in the AccountName column). Thank you for your assistance

Roadmap for TVM network devices?
I see that agent-based scanning for network devices is being deprecated for Defender TVM in November this year. It's not clear what the replacement solution to this will be - while the product support is not exhaustive, for perimeter devices getting TVM information as part of the Defender for Cloud for Servers license is a valuable addition. Is there any roadmap information, or documentation that outlines how we'll be able to achieve the same outcome of TVM information for network devices for weaknesses and threats? I've been looking but cannot find a clear direction on this or whether I'll need to start looking at 3rd party for TVM on network devices.

Copilot on-prem?
Hi all, I am doing a bit of research about Copilot in Microsoft Defender XDR. I was looking at how this could benefit different companies with their day-to-day tasks and in-depth analysis. It looks promising, but how about companies that deal with sensitive information? Yes, all companies have sensitive data, but what about medical facilities and government agencies? I've seen that Copilot adheres to several standards like ISO 27001, 27017, 27018, and a few more, but the data is still shared with Microsoft. I have looked at the possibility of hosting an AI tool on-prem, but Copilot only enables on-prem integration with data sources of M365 services. The reason why this isn't available on-prem is because it would require significant computational resources. Another reason (I assume) is the daily updates that Copilot would need to keep its database of known threats up-to-date. So what I'm interested in is: What would it take to host Copilot on-prem? Is on-prem hosting for Copilot going to be enabled in the near future? For companies that work in a Microsoft environment and want to help their security analysts but don't want to share sensitive information, what options does Microsoft offer (besides courses and training)?

Automated Attack Disruption Testing
In the past I vaguely remember seeing attack simulation walkthroughs for MDE, and there still is a link in the MDE onboarding to explore simulations and tutorials, but that now just takes me to the XDR homepage. There are cases where we're talking to customers about the capability of Defender XDR and want to showcase it in a safe way, without endangering demo devices. With the Automated Attack Disruption announcements at Ignite 2024, I'd like to be able to showcase this particularly in the area of ransomware protection, similar to the case study "protecting against ransomware when others couldn't" from the Ignite AI-driven Ransomware Protection session. Does anyone have an updated link to the attack simulation walkthroughs that were available and also any similar walkthroughs for Automated Attack Disruption?

Blocking domain for group of users/or devices
Hi all, I am trying to find a way to block YouTube for a group of users. We are using M365 E5 Security so can use Defender for Endpoint or Defender for Cloud Apps. However, I can't find a way to implement this. My idea was to create an INDICATOR in Endpoint that will be blocked; however, I cannot select any group and "all devices" are included there by default. So not sure if this is the way. Web Content Filtering cannot be used for my scenario either. Another idea was to use Defender for Cloud Apps. This looks promising but I am not sure how to target only specific users or devices? I managed to mark an app as "unsanctioned" but it applies to all devices. Any idea? Thank you.

'Require User to sign in again option' missing from remediation actions
Hello everyone, I am encountering an issue with the Microsoft 365 Defender portal, specifically regarding the option in the remediation actions drop-down menu on the User page. It is missing the 'Require user to sign in again' option and only displays the following – Any help would be appreciated.

Clarification on AADSignInEventsBeta vs. IdentityLogonEvents Logs
Hey everyone, I've been reading up on the AADSignInEventsBeta table and got a bit confused. From what I understand, the AADSignInEventsBeta table is in beta and is only available for those with a Microsoft Entra ID P2 license. The idea is that the sign-in schema will eventually move over to the IdentityLogonEvents table. What I'm unsure about is whether the data from the AADSignInEventsBeta table has already been migrated to the IdentityLogonEvents table, or if they're still separate for now. Can anyone clarify this for me? Thanks in advance for your help!

Advanced Hunting along with a Custom Detection Rule
Good afternoon, I need some help setting up a KQL query in Advanced Hunting along with a Custom Detection Rule to automatically isolate devices where a virus or ransomware is detected. The rule must run at NRT (Near Real-Time) frequency. We are using Microsoft Defender for Business, which is included in the Microsoft 365 Business Premium license. Would any kind community member be able to provide me with a starting point for this? Thank you in advance!

Whitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions, or the node machine it uses to initiate connections, so that it no longer generates them, or the incidents linked to these activities are automatically resolved? Thank you for your help. HKN

Are critical asset management rules incompatible with Entra ID?
I am trying to create some custom asset management rules based on filters like logged-on username, user criticality, and user groups. No matter what I try, no assets show up. Even if I use the format azuread\<username>, no assets are returned by the filter. Are these filters incompatible with Entra ID? Do they only work with on-premises AD?

Defender XDR Unified Audit Logs
Hi, There used to be a Unified Audit Logs option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc., using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from the Defender XDR or Purview portals?

Disabling Security Copilot Embedded Experience in Microsoft Defender XDR
We are currently trialing Microsoft Security Copilot for specific use cases within our organization. However, due to our RBAC setup, many of our security administrators have default access to the embedded Copilot experience in Microsoft Defender XDR. This is consuming SCUs unnecessarily. Is it possible to disable or limit the embedded Security Copilot experience in XDR for certain users or roles while still maintaining access to other XDR features? We would like to optimize SCU usage while ensuring that only authorized personnel can utilize Copilot's capabilities.

Issue with log collection from Microsoft XDR to Azure storage
Hello, We are currently facing an issue with collecting logs from Microsoft XDR and forwarding them to Azure Storage. We are aware of the below two methods for forwarding logs from Microsoft XDR to Azure:
1. Forward events to Azure Storage
2. Forward events to Azure Event Hub
Issue Details:
Method 1: When using the "Forward events to Azure Storage" approach, we end up with different containers being created for each event, but we would prefer to have all the events stored in a single container.
Method 2: When using the "Forward events to Azure Event Hub" approach, we are able to store all the events in a single container, but in this case the logs are stored in Avro format instead of JSON, which is not our desired format.
Our goal is to store all event logs in one single container in JSON format. Has anyone faced this issue or found a way to achieve this setup? Any guidance or solution would be greatly appreciated. Thank you!

Defender Deception Advance Lures - verification
Hello everyone, I'm looking to deploy Defender Deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results? Additionally, from an attacker's perspective, how would these account decoys be discovered? Thank you in advance.
Recent Blogs
- Protecting your organization against cybersecurity threats is more challenging than ever before. As part of our 2025 Microsoft Secure cybersecurity conference announcements, we're sharing new product... (Mar 24, 2025)
- Over the past two years, nation-state attacks using OAuth apps have surged. To combat this threat and to help customers focus on the most important exposure points, Microsoft Defender for Cloud Apps ... (Mar 24, 2025)