Recent Discussions
Defender is missing logs for files copied to USB device on Mac devices
Hello, I am currently facing an issue with Defender not logging files copied to USBs. Using the KQL below, I can only see .exe files copied, but nothing when it comes to .pdf, .docx, .zip and other standard file extensions. Has someone come across this issue before? Any help is greatly appreciated.

    // USB mount events, with the drive details parsed out of AdditionalFields
    let UsbDriveMount = DeviceEvents
        | where ActionType == "UsbDriveMounted"
        | extend ParsedFields = parse_json(AdditionalFields)
        | project DeviceId, DeviceName, DriveLetter = ParsedFields.DriveLetter, MountTime = TimeGenerated, ProductName = ParsedFields.ProductName, SerialNumber = ParsedFields.SerialNumber, Manufacturer = ParsedFields.Manufacturer
        | order by DeviceId asc, MountTime desc;
    // File creations by non-system accounts outside C:\ and UNC paths
    let FileCreation = DeviceFileEvents
        | where InitiatingProcessAccountName != "system"
        | where ActionType == "FileCreated"
        | where FolderPath !startswith "C:\\"
        | where FolderPath !startswith "\\"
        | project ReportId, DeviceId, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn, FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied
        | order by DeviceId asc, TimeGenerated desc;
    // Keep file creations on the mounted drive letter, after the mount time
    FileCreation
    | lookup kind=inner (UsbDriveMount) on DeviceId
    | where FolderPath startswith DriveLetter
    | where TimeGenerated >= MountTime
    | partition hint.strategy=native by ReportId ( top 1 by MountTime )
    | order by DeviceId asc, TimeGenerated desc
    | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName)
    | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "")
    | extend FileHashAlgorithm = 'SHA256'

18 Views, 0 likes, 0 Comments

"Something went wrong. Primary and secondary data missing" when viewing email submission
Does anyone know what causes the "Something went wrong. Primary and secondary data missing" error when viewing an email submission in Microsoft Defender? It happens sporadically, but on, I would guess, 5% - 10% of our submissions.
150 Views, 0 likes, 1 Comment

Advanced Hunting Query Help
Hey y'all, I'm trying to write a query that can be used to determine the number of times each IOC generated an alert (file hash, URL, IP, etc). I'm using the query builder tool within Defender, and I'm looking into the AlertInfo and AlertEvidence tables, but I'm not seeing where the link exists between each of these alert records and the corresponding IOC. For instance, if I submit a custom indicator to block a file identified by a sha256 hash, and that file gets correctly blocked, I want to see a count for the number of times that IOC value (the hash in this instance) triggered an alert. I'm hoping the community can help me determine whether I'm missing something glaringly obvious or if there's some documentation I haven't read yet. Thanks for reading!
32 Views, 0 likes, 1 Comment

Lack of alerts in Sentinel
Hello, I am troubleshooting a lack of alerts and incidents in my Sentinel deployment. When I look at the Microsoft Defender XDR connector, I see plenty of events like DeviceEvents, DeviceInfo, IdentityLogonEvents, etc. However, the entries for:
- SecurityIncident --
- SecurityAlert --
- AlertInfo --
- AlertEvidence --
all show grey with a disconnected connector showing. I've been over the onboarding documentation several times and can't find what I'm missing. Has anyone else experienced this who can point me in the right direction of what to check? Thanks!
403 Views, 0 likes, 6 Comments

MSSP Multi-Tenant Handling with Lighthouse and Defender XDR
Hello, As far as I know, an MSSP provider leverages Azure Lighthouse to call and access multiple customer workspaces, which allows managing analytics across tenants. My questions are:
- In the case of moving to Defender XDR, how would this be possible in a multi-tenant MSSP scenario?
- Even with Lighthouse, how does Defender XDR avoid merging incidents/alerts across different customers when the same entities are involved?
- How does Defender XDR differentiate identical IOCs (same IP, hash, etc.) that appear in multiple customers?
- Can MSSPs customize correlation logic to prevent false cross-tenant merges?

Content Ownership & Sharing
Most MSSPs do not want to share their proprietary content (custom rules, detections, playbooks, analytics, etc.) with customers. How is Defender XDR approaching this requirement to ensure MSSPs can operate without exposing their intellectual property?

Example: Customer Test 1 has a port scan incident from IP 10.10.10.10. Customer Test 2 also has a port scan incident from the same IP 10.10.10.10. In Sentinel today, these would remain separate. But in Defender XDR, would these two alerts risk being merged into a single incident because the same entity is detected across tenants? Thanks in advance for any clarification.
176 Views, 0 likes, 1 Comment

Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion
Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via:
Path: Settings > Microsoft Defender XDR > General > Preview features
Under this section, users can opt into three distinct integrations:
- Microsoft Defender XDR + Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about:
- What specific technical capabilities are introduced by each preview feature?
- Where exactly are these feature parameters reflected in the MDE console?
- What happens if an organization chooses not to enable these preview features?
- Are there alternative ways to access similar functionalities through public preview or general availability?

Error getting Device Data
Have an issue with Device data not displaying in the Defender XDR portal. On the Assets/Devices menu I can search and find a device, but when I click in it to see the properties, the page displays only 50% of the time. Mostly it stays loading for about 30 secs then displays the error "Error getting Device Data". Occurs regardless of what permissions are applied, occurs regardless of the browser or incognito modes, regardless of who is logged in. Done basic troubleshooting from MS and even MS support cannot find the answer so far. Has anyone seen this before? Cheers
Solved, 264 Views, 0 likes, 2 Comments

Firewall Rules programming with Defender XDR
We have our devices onboarded to Defender for Endpoint, and want to program Firewall Policy and Firewall Rules Policy using Defender Onboarding. We know that we can onboard devices to Intune and use Intune MDM to program rules. But, we don't want a full-blown MDM setup or license for just firewall programming. Is there a deployment scenario where we can do firewall programming just using Defender machines? Any help is really appreciated.
Solved, 245 Views, 0 likes, 1 Comment

Importing Purview roles into XDR RBAC
I want to activate Email & collaboration into XDR RBAC, so in XDR RBAC, I go and "choose roles to import" and I see the built-in Purview eDiscovery Manager role. Ok, fine, so I choose to import it into XDR RBAC and assume that my two groups of users in that role group (eDiscovery Managers (Sally and Sue) and eDiscovery Admins (Bob)) would be different. Sally and Sue can only manage their own cases and Bob can manage all cases. Different roles. But after it imports, there's only 1 role: eDiscovery Manager and all my users are in there - Sally, Sue and Bob with "Raw data (Email & collaboration)" - both read permissions are selected. But that's it.

Question 1) I'm confused on why the eDiscovery role is being imported into XDR RBAC and if that means that over in Purview, after I activate the "Defender for Office365" workload in XDR RBAC - will something change with what Sally and Sue and Bob can do in Purview eDiscovery? Will I still be managing my eDiscovery users in Purview roles for when I need to add Billy to the list of eDiscovery Admins?

Question 2) I see that the other Purview role groups I have users assigned (Audit Manager and Organization Management as well as a custom "Search and Purge" role group) were also imported into XDR RBAC permissions and roles but yet aren't applicable until I activate the workload. Wondering what exactly will happen when I activate the Email & collaboration workload. Will anything negative happen to the PIM groups I gave the Purview role groups to? Would I then need to clean anything up over in Purview roles after I activate the workload in XDR RBAC? This isn't clear at all what to do after I activate the email and collaboration workload and can I just undo it if it messes anything up?
Solved, 204 Views, 0 likes, 1 Comment

Unable to view certain defender alerts
Hi Team, We are unable to view certain Defender alerts from the Defender portal. We are able to pool alerts using Graph API, and from the output, using alertWebUrl, we tried to view the alert. We observed a "You can't access this section" error message. (Sorry, you can't access this section. Check with your administrator for the role-based access permissions to see the data). But we are able to view other alerts. (Ex: the above error is for an XDR alert, but we are able to view other XDR alerts). Is it possible to allow access to view only a few XDR alerts?
Solved, 223 Views, 0 likes, 1 Comment

MDE Device Control – USB stick still accessible even after blocking policy applied
Hey everyone, I’m currently testing MDE Device Control (Device Installation Restrictions) to block all USB removable storage except for explicitly allowed devices. Here’s what I did:
- Created a Device Control policy in Intune
- Set “Allow installation of devices that match any of these device IDs” = Enabled
- Added my test USB stick’s Device Instance ID (from Device Manager → Properties → Details → Hardware IDs, e.g. USBSTOR\Disk&Ven_Intenso&Prod_Basic_Line&Rev_2.00\[masked_serial]&0)
- Deployed to test machine
But: I can still access the USB stick and read/write files as usual. So my questions are:
- Am I using the correct ID (Device Instance ID vs. Hardware ID vs. Class GUID)?
- Do Device Installation Restrictions only prevent new driver installations and not access to already installed devices?
- Should I be using the newer Device Control (Removable Storage Access Control) instead of Device Installation Restrictions for this scenario?
Any advice from people who successfully blocked/allowed USB sticks via Intune would be greatly appreciated! Thanks in advance
220 Views, 0 likes, 2 Comments

OpenSSL
We have the recommendation to update OpenSSL. However, we cannot figure out how to actually do this. There seems to be no installed location of OpenSSL, so how can we update this? I have found a few posts/comments that have led me to this page, "New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub", but this doesn't actually help you at all. Going to OpenSSL's site for download just gives you a repository of files that don't actually update anything. So what are we supposed to do to get this remediated?
12K Views, 1 like, 5 Comments

Advanced Hunting Custom detection rule notification cannot be customized
Hello, We have a case with both Microsoft and US cloud about the custom detection rule created by a query. The problem that we have is that I want to send the rule's notification to an email group. However, after about 2 months of investigations, I was advised below: "We can go one of two routes. Either the alerts from Defender can be ingested into sentinel based on the custom detection rule you created, or the Entra Sign-in logs can be ingested allowing Sentinel to check the logs itself." Could you please help us find an easier solution for the notification or create a feature request so that we could have the configuration of notification for custom detection rules when creating the alert?
113 Views, 0 likes, 1 Comment

Disable Defender for Cloud Apps alerts
Hi all, we just enabled Defender for Cloud Apps in our environment (about 500 clients). We started with setting about 300 apps to "Unsanctioned". Now we get flooded with alerts. Mainly "Connection to a custom network indicator on one endpoint" and "Multi-stage incident on multiple endpoints" when a URL is blocked on more clients. Is there a possibility to disable the alerts for this kind of blocks? I tried creating a suppression rule, but didn't manage to get it working. Don't know if it is not possible or if I made a mistake. As the Defender for Cloud Apps just creates an Indicator for every app I want to block, I could click every single Indicator and disable the alert there. But that's a few hundred Indicators and we plan to extend the usage. Can I centrally disable alerts for custom indicators? Thanks & Cheers
3.5K Views, 0 likes, 3 Comments

Tenant Allow/Block Lists Versus Anti-spam List
Hello, I am an unsophisticated administrator for my account. So if I am posting this information in the wrong location, please forgive me and let me know where it should be posted.

I have been getting inundated with financial spam or phishing emails. This spammer creates new domain names on a daily or weekly basis, and then sends new spam from these new domains. I typically get about thirty spam emails a day. And my guess is that, although they come from different domains, there is one organization behind all of them. Often, I get more than one email per domain per day. Fortunately, most of these emails end up in my junk folder. I want to stop these spammers from even reaching my Junk folder in Outlook. I want to keep them completely out of my email system.

At first, I went to Microsoft 365 Defender > Email & collaboration > Policies & Rules > Threat policies and added their emails and domains to “Tenant Allow/Block Lists.” While that captured most of the known spam emails, one got through to my Junk folder. Being curious, I contacted Microsoft. I was told to add the spammers’ email addresses and domains to the “Anti-spam” list. I am not sure if this change will solve my concern.

My question is as follows: What is the difference between these two lists? And why should I choose one over the other?

My recommendations are as follows:
- For the Anti-spam list, it would be helpful to allow users to add more than one email address or domain name at a time. At present, it is painful manually adding many entries.
- For the Anti-spam list, it would be helpful to add the date each entry was added and allow for a comment section, similar to the Tenant Allow/Block list.
- It would be great if users or admins could right mouse click on a spam or phishing email in their Outlook programs and then have that email address or domain name blocked from reaching Outlook in the future. Because this affects the organization, perhaps it is best if this ability is restricted to administrators.
3.7K Views, 0 likes, 5 Comments

Unable to add Endpoints and Vulnerability management in XDR Permissions
Hi, I have Defender for Endpoint running on over 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3. I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. I have gone into Settings > XDR > Workload settings, and can only see the below. There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management. Really scratching my head here. Help?
234 Views, 0 likes, 3 Comments

Unable to query logs in Advanced Hunting
Hi Community, Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated or Timestamp column usage in KQL is not working in Microsoft XDR Advanced Hunting at all. Example KQL in Advanced Hunting below:

    DeviceImageLoadEvents
    | where Timestamp >= ago(1h)
    | limit 100

The above yields no results in the Advanced Hunting pane. However, if you use ingestion_time() you see the results, which also gives TimeGenerated/Timestamp but cannot filter on that in the KQL. It seems like a bug to me. Does anyone face the same issue or can someone help? Thanks
138 Views, 0 likes, 1 Comment

How to Connect MS Secure Scores to Power Query?
The Microsoft 365 Defender Portal (https://security.microsoft.com/) has a 'Secure Score' page, which contains the following: An overall secure score which is then broken down by Identity, Data, Device, and Application secure scores. I would like to be able to pull these four scores into a Power BI report; however, I have had some difficulty in putting together a solution. This data seems like it could be found in the Microsoft Graph API, but https://learn.microsoft.com/en-us/power-query/connecting-to-graph. I've tried other Defender APIs, but they all seem either outdated or out of scope for what I'm trying to pull. Can anyone advise? Thanks for reading.
2.7K Views, 0 likes, 2 Comments
Recent Blogs
- We are pleased to announce that local data residency support in the UAE is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement reinf... (Oct 01, 2025; 321 Views, 1 like, 0 Comments)
- 5 MIN READ: Microsoft Defender Monthly news - October 2025 Edition. This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Def... (Oct 01, 2025; 505 Views, 0 likes, 0 Comments)