Forum Widgets
Latest Discussions
Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
MDE Device Control – USB stick still accessible even after blocking policy applied
Hey everyone, I’m currently testing MDE Device Control (Device Installation Restrictions) to block all USB removable storage except for explicitly allowed devices. Here’s what I did: Created a Device Control policy in Intune Set “Allow installation of devices that match any of these device IDs” = Enabled Added my test USB stick’s Device Instance ID (from Device Manager → Properties → Details → Hardware IDs, e.g. USBSTOR\Disk&Ven_Intenso&Prod_Basic_Line&Rev_2.00\[masked_serial]&0 Deployed to test machine But: I can still access the USB stick and read/write files as usual. So my questions are: Am I using the correct ID (Device Instance ID vs. Hardware ID vs. Class GUID)? Do Device Installation Restrictions only prevent new driver installations and not access to already installed devices? Should I be using the newer Device Control (Removable Storage Access Control) instead of Device Installation Restrictions for this scenario? Any advice from people who successfully blocked/allowed USB sticks via Intune would be greatly appreciated! Thanks in advance
Advanced Hunting Custom detection rule notification cannot be customized
Hello, We have a case with both Microsoft and US cloud about the custom detection rule created by a query. The problem that we have is that I want to send the rule's notification to an email group. However, after about 2 months of investigations, I was advised below: "We can go one of two routes. Either the alerts from Defender can be ingested into sentinel based on the custom detection rule you created, or the Entra Sign-in logs can be ingested allowing Sentinel to check the logs itself." Could you please help us find an easier solution for the notification or create a feature request so that we could have the configuration of notification for custom detection rules when creating the alert?Unable to add Endpoints and Vulnerability management in XDR Permissions
Hi, I have defender for endpoint running on obver 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3. I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. I have gone into Settings > XDR > Workload settings, and can only see the below There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management. Really scratching my head here. Help?Unable to query logs in Advanced Hunting
Hi Community, Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated or Timestamp column usage in KQL is not working in Microsoft XDR Advanced Hunting at all. Example KQL in Advanced Hunting below: DeviceImageLoadEvents | where Timestamp >= ago(1h) | limit 100 The above yields no results in AdvancedHunting pane. However, if you use ingestion_time() you see the results which also gives TimeGenerated/Timestamp but cannot filter on that in the KQL. It seems like a bug to me. Does anyone face the same issue or can someone help? ThanksTVM still showing outdated vulnerabilities despite applications being up to date
Hi everyone, we’re using Microsoft Defender for Endpoint with Threat & Vulnerability Management (TVM) enabled. Lately, we've noticed that certain vulnerabilities (e.g., CVEs in browsers or third-party software) continue to be flagged on devices, even though the affected applications have been updated weeks ago. Example scenario: The device is actively onboarded and reporting to Defender XDR The application has been updated manually or via software deployment The correct version appears under Software Inventory However, the CVE still shows up under Weaknesses Has anyone experienced similar behavior? Are there any best practices to trigger a re-evaluation of vulnerabilities or force a TVM scan refresh? Would a device reboot or restarting the MDE service help in this case? Any insights, suggestions, or known workarounds would be greatly appreciated. Thanks in advance!DeviceNetworkEvents table, UDP and IGMP events
Does DeviceNetworkEvents table get all network events or are there any caveats. Want to know if Defender Agents on the Machines collect all the TCP/UDP/ICMP/IGMP events or there are any specific events which are collected or not collected. We don't see most of UDP events. For example, we have a server listening on UDP, and when a client makes UDP connection to the server, we expect to see UDP connection events in the DeviceNetworkEvents table. We only see mostly DNS UDP events. Same thing with ICMP and IGMP. We don't see IGMP events at all. Can somebody throw light on how these things work.
Lack of alerts in Sentinel
Hello, I am troubleshooting a lack of alerts and incidents in my Sentinel deployment. When I look at the Micrsoft Defender XDR connector, I see plenty of events like DeviceEvents, DeviceInfo, IdentityLogonEvents, etc. However, the entries for: SecurityIncident-- SecurityAlert-- AlertInfo-- AlertEvidence-- all show grey with a disconnected connector showing. I've been over the onboarding documentation several times and can't find what I'm missing. Has anyone else experienced this who can point me in the right direction of what to check? Thanks!
