Forum Widgets
Latest Discussions
"Something went wrong. Primary and secondary data missing" when viewing email submission
Does anyone know what causes the "Something went wrong. Primary and secondary data missing" error when viewing an email submission in Microsoft Defender? It happens sporadically, but on I would guess 5% - 10% of our submissions.
Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
Error getting Device Data
Have an issue with Device data not displaying in the Defender XDR portal. On the Assets/Devices menu I can search and find a device, but when I click in it to see the properties- the page displays only 50% of the time. Mostly it stays loading for about 30 secs then displays the error "Error getting Device Data" Occurs regardless of what permissions are applied, occurs regardless of the browser or incognito modes, regardless of who is logged in. Done basic troubleshooting from MS and even MS support cannot find the answer so far. Has anyone seen this before? Cheers
MDE Device Control – USB stick still accessible even after blocking policy applied
Hey everyone, I’m currently testing MDE Device Control (Device Installation Restrictions) to block all USB removable storage except for explicitly allowed devices. Here’s what I did: Created a Device Control policy in Intune Set “Allow installation of devices that match any of these device IDs” = Enabled Added my test USB stick’s Device Instance ID (from Device Manager → Properties → Details → Hardware IDs, e.g. USBSTOR\Disk&Ven_Intenso&Prod_Basic_Line&Rev_2.00\[masked_serial]&0 Deployed to test machine But: I can still access the USB stick and read/write files as usual. So my questions are: Am I using the correct ID (Device Instance ID vs. Hardware ID vs. Class GUID)? Do Device Installation Restrictions only prevent new driver installations and not access to already installed devices? Should I be using the newer Device Control (Removable Storage Access Control) instead of Device Installation Restrictions for this scenario? Any advice from people who successfully blocked/allowed USB sticks via Intune would be greatly appreciated! Thanks in advanceAdvanced Hunting Custom detection rule notification cannot be customized
Hello, We have a case with both Microsoft and US cloud about the custom detection rule created by a query. The problem that we have is that I want to send the rule's notification to an email group. However, after about 2 months of investigations, I was advised below: "We can go one of two routes. Either the alerts from Defender can be ingested into sentinel based on the custom detection rule you created, or the Entra Sign-in logs can be ingested allowing Sentinel to check the logs itself." Could you please help us find an easier solution for the notification or create a feature request so that we could have the configuration of notification for custom detection rules when creating the alert?Unable to add Endpoints and Vulnerability management in XDR Permissions
Hi, I have defender for endpoint running on obver 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3. I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. I have gone into Settings > XDR > Workload settings, and can only see the below There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management. Really scratching my head here. Help?Unable to query logs in Advanced Hunting
Hi Community, Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated or Timestamp column usage in KQL is not working in Microsoft XDR Advanced Hunting at all. Example KQL in Advanced Hunting below: DeviceImageLoadEvents | where Timestamp >= ago(1h) | limit 100 The above yields no results in AdvancedHunting pane. However, if you use ingestion_time() you see the results which also gives TimeGenerated/Timestamp but cannot filter on that in the KQL. It seems like a bug to me. Does anyone face the same issue or can someone help? Thanks
