Recent Discussions
How does Defender detect file version limit default changes?
Hi all, I am currently reviewing a historic article that mentions a cloud ransomware attack where attackers can change the default number of file versions saved by default. They change this from the default 500 to 1 and then save over your files to make them unrecoverable. Apparently this doesn't need admin credentials; a standard user can do this themselves. All of the Microsoft guidance says that Microsoft is protected against cloud ransomware attacks of this type because of the file versioning feature, as well as being able to contact Microsoft for 14 days after such an incident so they can retrieve your data. My questions are: Where do I find what the current settings are for file version limit defaults? Is it in the OneDrive/SharePoint admin centres? How do I find out whether such a change has been made? Is there an alert already configured in Defender to detect such a change? If not, does anyone know how to set one up, e.g., KQL and a custom detection? I tried asking Copilot, but it just sends me to the official Microsoft documentation, so any help is greatly appreciated.
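One way to answer the "what are the current settings" part of the question from the shell, as an added example that is not part of the original post and not Microsoft's own script. It reads the tenant-level version-history defaults with the SharePoint Online Management Shell and then inspects each OneDrive's Documents library with PnP.PowerShell, because the tenant value only governs new libraries and the attack described above lowers the limit on an existing library. The admin URL, the PnP app ClientId and the 500 threshold are placeholders, and it assumes the account running it has been made a site collection admin on the OneDrives it inspects.

```powershell
# Added example (not from the original post): report OneDrive version-history limits.
# Assumes: SharePoint Online Management Shell and PnP.PowerShell are installed, you are
# a SharePoint admin, and you have site collection admin rights on each OneDrive you
# inspect. Tenant name, PnP app ClientId and the threshold below are placeholders.

$AdminUrl  = "https://contoso-admin.sharepoint.com"    # placeholder
$PnPClient = "00000000-0000-0000-0000-000000000000"     # placeholder Entra app id used by PnP
$Expected  = 500                                        # the default the post refers to

Connect-SPOService -Url $AdminUrl

# 1. Tenant-level defaults (these apply to libraries created from now on)
$t = Get-SPOTenant
[pscustomobject]@{
    EnableAutoExpirationVersionTrim = $t.EnableAutoExpirationVersionTrim
    MajorVersionLimit               = $t.MajorVersionLimit
    ExpireVersionsAfterDays         = $t.ExpireVersionsAfterDays
} | Format-List

# 2. Per-OneDrive: the Documents library's own setting is what a user can lower
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
               -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = @(foreach ($site in $oneDrives) {
    try {
        # For hundreds of sites, app-only certificate auth avoids repeated prompts
        Connect-PnPOnline -Url $site.Url -Interactive -ClientId $PnPClient
        $lib = Get-PnPList -Identity "Documents" -Includes EnableVersioning, MajorVersionLimit
        [pscustomobject]@{
            Url               = $site.Url
            VersioningEnabled = $lib.EnableVersioning
            MajorVersionLimit = $lib.MajorVersionLimit
            # Versioning off, or a limit below the expected default, is worth a look
            Suspicious        = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $Expected)
        }
    } catch {
        [pscustomobject]@{ Url = $site.Url; VersioningEnabled = $null
                           MajorVersionLimit = $null; Suspicious = "error: $($_.Exception.Message)" }
    }
})

# Flagged sites to screen, full inventory to CSV for comparison on the next run
$report | Where-Object { $_.Suspicious -eq $true } | Format-Table -AutoSize
$report | Export-Csv -Path .\onedrive-versioning.csv -NoTypeInformation
```

This is a point-in-time inventory, not detection: keeping the CSV from each run and diffing MajorVersionLimit between runs tells you when a library's limit dropped, which is the event the post wants to catch.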
Dynamic Blocklist in Microsoft Defender XDR
Hello Community, I have one question, and I think it is a request that could be useful to everyone. We have a dynamic list that is published over the internet read-only (into this list we put IOCs like malicious domains or bad-reputation IPs); it is a txt file. Is there a possibility from MDE or MDC to block all connections to these IOCs? Or do MDE and MDC not support dynamic blocklists? Regards, Guido
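For the Defender for Endpoint side of this question, here is an added example (not from the original post or from Microsoft) that pulls a read-only text feed like the one described and loads it into MDE custom indicators through the indicators import API, so a scheduled run keeps the blocklist in sync. The tenant id, app id, secret and feed URL are placeholders; it assumes an Entra app registration holding the WindowsDefenderATP application permission Ti.ReadWrite, and that network protection is enabled in block mode on the devices, without which IP and domain indicators do not block anything.

```powershell
# Added example (not from the original post): sync a remote text blocklist into
# Defender for Endpoint custom indicators via POST /api/indicators/import.
# Assumes an Entra app with the WindowsDefenderATP app permission Ti.ReadWrite
# (admin-consented). Tenant id, app id, secret and feed URL are placeholders.

$TenantId = "<tenant-id>"                               # placeholder
$ClientId = "<app-id>"                                  # placeholder
$Secret   = "<client-secret>"                           # placeholder; prefer a certificate or Key Vault
$FeedUrl  = "https://feeds.example.com/blocklist.txt"   # placeholder read-only feed
$Ttl      = New-TimeSpan -Days 2                        # entries expire unless re-imported on the next run

# 1. Token for the MDE API (client credentials flow)
$tok = Invoke-RestMethod -Method Post `
  -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
  -Body @{ client_id = $ClientId; client_secret = $Secret; grant_type = "client_credentials"
           scope = "https://api.securitycenter.microsoft.com/.default" }
$headers = @{ Authorization = "Bearer $($tok.access_token)"; "Content-Type" = "application/json" }

# 2. Fetch and normalise the feed: one IOC per line, '#' comments and blanks ignored
$lines = (Invoke-RestMethod -Uri $FeedUrl) -split "`r?`n" |
         ForEach-Object { $_.Trim() } |
         Where-Object { $_ -and -not $_.StartsWith('#') } |
         Sort-Object -Unique

$expires = (Get-Date).ToUniversalTime().Add($Ttl).ToString("o")
$indicators = @(foreach ($ioc in $lines) {
    # Single IPs only: MDE indicators do not accept CIDR ranges
    $type = if ([System.Net.IPAddress]::TryParse($ioc, [ref]$null)) { "IpAddress" }
            elseif ($ioc -match '^[a-z0-9.-]+\.[a-z]{2,}$')         { "DomainName" }
            else { Write-Warning "Skipping unsupported entry: $ioc"; continue }
    @{
        indicatorValue = $ioc
        indicatorType  = $type
        action         = "Block"
        severity       = "High"
        title          = "Dynamic blocklist: $ioc"
        description    = "Imported from $FeedUrl"
        expirationTime = $expires
        generateAlert  = $true
    }
})

# 3. Import in batches of 500 (the per-call maximum); re-importing an existing value updates it
for ($i = 0; $i -lt $indicators.Count; $i += 500) {
    $last  = [Math]::Min($i + 499, $indicators.Count - 1)
    $batch = @{ Indicators = @($indicators[$i..$last]) }
    $resp  = Invoke-RestMethod -Method Post -Headers $headers `
      -Uri "https://api.securitycenter.microsoft.com/api/indicators/import" `
      -Body ($batch | ConvertTo-Json -Depth 5)
    # Per-entry failures come back in the response rather than as an HTTP error
    $resp.value | Where-Object { $_.isFailed } |
        ForEach-Object { Write-Warning "$($_.indicator): $($_.failureReason)" }
}
```

Two limits to plan around: a tenant can hold at most 15,000 custom indicators, so a large feed needs trimming before import, and the short expirationTime is what makes entries that disappear from the feed age out instead of accumulating.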
Defender Deception Advance Lures - verification
Hello everyone, I'm looking to deploy Defender deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results? Additionally, from an attacker's perspective, how would these account decoys be discovered? Thank you in advance.
Missing auditability on use of Explorer and Advanced Hunting
Considering Defender for Office's Explorer and Advanced Hunting can be used to get insight into very sensitive data, we assumed this activity is auditable, but unfortunately it is not. A Microsoft Support request confirmed it's not, and we're confused as to why, and would strongly request that Microsoft implement audit tracking for any user, including the queries used. Explorer gives access to email subjects and Advanced Hunting can be used to view users' files etc., so from a GDPR and tracking point of view we need to be able to audit our SOC team and other admins on when they access potentially personal information.
Scanning of Archive files
When scanning archive files, we find that depending on the number of archive files present (say on SQL Server backups), the system disk space is used to unpack and scan the file. This can cause the system drive to run out of disk space and cause the scanning to fail or the system to fail. At the moment there does not seem to be any configuration for where to extract the temporary files for scanning. Can we add an option for this?
EDR Exclusions - file extensions with square brackets
Background: We applied for, and received, the ability to access EDR Exclusions for our tenant due to some performance problems we were seeing. I think this might still be an early preview feature but am not 100% sure... Here is a screenshot of what I am referring to: We have found a few other applications that had issues, including one that uses many different file extensions. Some of those files use square brackets in the extension name. These are valid files. However, when I try to add them to our EDR Exclusions, I get an error "a valid extension must be specified"... which is frustrating because it is a valid extension. Does anyone have a solution for this or know how to get Microsoft to fix this? Thanks
MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 🥰 I'm observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?
Blocking domain for group of users/or devices
Hi all, I am trying to find a way to block YouTube for a group of users. We are using M365 E5 Security, so we can use Defender for Endpoint or Defender for Cloud Apps. However, I can't find a way to implement this. My idea was to create an INDICATOR in Endpoint that will be blocked; however, I cannot select any group, and "all devices" are included there by default. So I am not sure if this is the way. Web Content Filtering cannot be used for my scenario either. Another idea was to use Defender for Cloud Apps. This looks promising, but I am not sure how to target only specific users or devices. I managed to mark an app as "unsanctioned" but it applies to all devices. Any idea? Thank you.
How to Get the Most Out of MDVM Webinar - Q&A Overflow
This page is to address the questions that we did not have time to get to in our latest webinar: How to Get the Most Out of Microsoft Defender for Vulnerability Management (MDVM) on February 12, 2025. We will be posting answers to all questions that were submitted, so make sure to bookmark this page and check it regularly over the next week or so as we continue to update this space with answers. Thanks for your participation in our call! Check out the recording of this call here: https://youtu.be/dQL9CRKzVa8
Data at rest Europe
Why in the world would MDE and XDR default to Europe when our entire cloud services host out of eastus? Data at rest shows Europe instead of eastus, which is our default tenant. Also, the fact that XDR setup failed to ask to set the region is the biggest bug in this stack, along with MDE. What would have caused these two to get set up in Europe, and is this configurable somewhere in the Defender portal or another portal? I have read all the docs, with the only option being to redo the entire setup. If we decided to start from the beginning, who holds the key to set the desired region for all these modules? Is this EA, Tenant Admin, Microsoft Support? Also, streaming logs intercontinentally from Europe to Log Analytics in eastus, what's the ingestion cost? I see several pricing models, but with my use case I need to know the dollar amount per gig for both. Not happy how elusive Defender operates if not careful during initial setup from an admin perspective, or it could have been Microsoft that managed to click through without looking.
Advanced Hunting along with a Custom Detection Rule
Good afternoon, I need some help setting up a KQL query in Advanced Hunting along with a Custom Detection Rule to automatically isolate devices where a virus or ransomware is detected. The rule must run at NRT (Near Real-Time) frequency. We are using Microsoft Defender for Business, which is included in the Microsoft 365 Business Premium license. Would any kind community member be able to provide me with a starting point for this? Thank you in advance!
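A starting point for the query, as an added example that is not part of the original post and not a Microsoft sample. The KQL joins AlertInfo to AlertEvidence to get the devices behind recent ransomware or malware alerts; the script around it runs that same query through the Graph runHuntingQuery endpoint and isolates each device with the Defender for Endpoint API, which is a polling alternative you can run on a schedule while the custom detection rule is being built. It assumes one Entra app registration with the application permissions Microsoft Graph ThreatHunting.Read.All and WindowsDefenderATP Machine.Isolate; the tenant id, app id and secret are placeholders.

```powershell
# Added example (not from the original post): isolate devices that have a recent
# ransomware/malware alert. Polling alternative to a custom detection rule.
# Assumes an Entra app with Graph ThreatHunting.Read.All and WindowsDefenderATP
# Machine.Isolate (admin-consented). Tenant id, app id and secret are placeholders.

$TenantId = "<tenant-id>"; $ClientId = "<app-id>"; $Secret = "<client-secret>"   # placeholders

function Get-AppToken([string]$Scope) {
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{ client_id = $ClientId; client_secret = $Secret
                 grant_type = "client_credentials"; scope = $Scope }).access_token
}

# The KQL is the Advanced Hunting starting point. If you move it into a custom
# detection rule, check the documented column and table requirements for the
# NRT frequency first; they are stricter than plain hunting queries.
$kql = @'
AlertInfo
| where Timestamp > ago(15m)
| where Category in~ ("Ransomware", "Malware")
| where Severity in~ ("High", "Medium")
| join kind=inner (
    AlertEvidence
    | where EntityType == "Machine" and isnotempty(DeviceId)
    | project AlertId, DeviceId, DeviceName
  ) on AlertId
| summarize Alerts = make_set(Title), LastSeen = max(Timestamp) by DeviceId, DeviceName
'@

$graphHdr = @{ Authorization = "Bearer $(Get-AppToken 'https://graph.microsoft.com/.default')"
               "Content-Type" = "application/json" }
$hits = (Invoke-RestMethod -Method Post -Headers $graphHdr `
           -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
           -Body (@{ Query = $kql } | ConvertTo-Json)).results

if (-not $hits) { Write-Host "No matching devices in the window."; return }

$mdeHdr = @{ Authorization = "Bearer $(Get-AppToken 'https://api.securitycenter.microsoft.com/.default')"
             "Content-Type" = "application/json" }
foreach ($h in $hits) {
    # Skip devices with an isolation already queued, so repeated runs stay idempotent
    $filter  = "machineId eq '$($h.DeviceId)' and type eq 'Isolate'"
    $pending = (Invoke-RestMethod -Headers $mdeHdr `
        -Uri "https://api.securitycenter.microsoft.com/api/machineactions?`$filter=$filter").value |
        Where-Object { $_.status -in "Pending", "InProgress" }
    if ($pending) { Write-Host "$($h.DeviceName): isolation already requested"; continue }

    $body = @{ Comment = "Auto-isolate: $($h.Alerts -join '; ')"; IsolationType = "Full" } | ConvertTo-Json
    try {
        $action = Invoke-RestMethod -Method Post -Headers $mdeHdr `
            -Uri "https://api.securitycenter.microsoft.com/api/machines/$($h.DeviceId)/isolate" -Body $body
        Write-Host "$($h.DeviceName): isolation $($action.status) (action $($action.id))"
    } catch {
        # Already-isolated devices and devices not onboarded come back as API errors
        Write-Warning "$($h.DeviceName): $($_.Exception.Message)"
    }
}
```

Once the query is in a custom detection rule, the isolation itself needs no script: "Isolate device" is one of the response actions a rule can apply to the DeviceId it returns, and "Full" versus "Selective" isolation is the same choice the API body makes here.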
Stop Defender isolating Domain Controllers
Recently we have experienced Defender isolating our Domain Controllers. It is always the same rule which causes the isolation: "Suspected AD FS DKM key read". I edited the rule and set it to auto-resolve if triggered by the DCs. I assumed this would then release the DCs from isolation, but this doesn't seem to be the case. Manual intervention is still required. I either need to stop Defender alerting on this particular rule against my DCs (not ideal), or I need to stop the rule isolating the DCs. Any help would be appreciated.
Replacement for Windows Authenticated Scanning
For cost saving, we were looking at replacing our existing vulnerability scanner with Defender and using device scanning. Due to the nature of some of our systems, we can't enroll all of them in Defender and had hoped to use Windows Authenticated Scanning for the unmanaged devices. It looks like that is being deprecated, and the FAQ page indicates that there is currently no direct replacement. While the number of systems we have that can't be enrolled is relatively minimal, is there any kind of scanning I'm missing as part of the product that would allow remote scans of Windows devices as opposed to enrolling? It doesn't look like it. Seems like taking away a component that gives some kind of feature parity without another option is a bad idea, but maybe I'm just missing something.
Vulnerability Management: Why don't tags show up on exposed devices?
In Vulnerability Management's Security Recommendations, there's a "tags" column for the exposed devices, but it isn't populated. Why? Wouldn't this screen be one of the most useful places to see tags? "Let's see, I need to update the software on these twenty machines. One machine has the "user on leave" tag, another one has the "pending reboot" tag - better contact that user." I shouldn't have to drill down into the devices table to check out each machine in the exposed list.
Defender XDR Unified Audit Logs
Hi, There used to be a Unified Audit Logs option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc., using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from the Defender XDR or Purview portals?
Custom critical filter for EDR/XDR
Hello everyone, I would like to ask if somebody is trying to make a unique "critical" filter for alerts/incidents that need to be handled as fast as possible? We have many high alerts and we are trying to figure out one to have a priority list with important notifications. Do you have any ideas? Thank you.
Defender MDO permissions broken (again)
Defender wasn't letting me approve pending AIR remediation options, something I do every day, with my usual custom RBAC role checked out. Nor could I move or delete emails. I also had Security Operator checked out. I checked out Security Admin and tried again, no dice. It wasn't until I checked out Global Admin that I got the permissions I needed.
Are critical asset management rules incompatible with Entra ID?
I am trying to create some custom asset management rules based on filters like logged on username, user criticality, and user groups. No matter what I try, no assets show up. Even if I use the format azuread\<username>, no assets are returned by the filter. Are these filters incompatible with Entra ID? Do they only work with on-premises AD?
Recent Blogs
- Microsoft Defender XDR Monthly news February 2025 Edition (Feb 03, 2025): This is our monthly "What's new" blog post, summarizing product updates and various new assets we rele...
- (Jan 31, 2025): The world has never seen technology adopted at the pace of AI. While AI increases productivity and is deeply integrated into business processes, it can also come with risks in terms of security, priv...