Forum Widgets
Latest Discussions
Error getting Device Data
Have an issue with Device data not displaying in the Defender XDR portal. On the Assets/Devices menu I can search and find a device, but when I click in it to see the properties- the page displays only 50% of the time. Mostly it stays loading for about 30 secs then displays the error "Error getting Device Data" Occurs regardless of what permissions are applied, occurs regardless of the browser or incognito modes, regardless of who is logged in. Done basic troubleshooting from MS and even MS support cannot find the answer so far. Has anyone seen this before? CheersSolvedDan_ReichenbachAug 31, 2025Copper Contributor186Views0likes2CommentsUnable to view certain defender alerts
Hi Team, We are unable to view certain defender alerts from defender portal. We are able to pool alerts using graph api and from the output -> using alertWebUrl we tried to view the alert. We observed "You can't access this section" error message. (Sorry, you can't access this section. Check with your administrator for the role-based access permissions to see the data). But we are able to view other alerts, (Ex: Above error is for XDR alert, but we are able to view other XDR alerts). Is it possible to allow access to view only few XDR alerts?Solvedesanya2280Jul 09, 2025Copper Contributor168Views0likes1CommentFirewall Rules programming with Defender XDR
We have our devices onboarded to Defender for Endpoint, and want to program Firewall Policy and Firewall Rules Policy using Defender Onboarding. We know that we can onboard devices to Intune and use Intune MDM to program rules. But, we don't want a full blown MDM setup or license for just firewall programming. Is there a deployment scenario where we can do firewall programming just using defender machines. Any help is really appreciated.SolvedthisisbhaskarJun 20, 2025Copper Contributor172Views0likes1CommentAttack Surface Reduction - Problem Enforcement
Hello Community, for a customer i deploy Microsoft Defender for Endpoint with Security Management Features of MDE. All works fine but for "Attack Surface Reduction Rule" i have some problem, device are 1.8K and attack surface reduction only apply for 304 devices that have the same policy of other. But from Security Portal So i don't understand because in some device asr works correctly and in the other device not. Has anyone the same problem ? Regards, GuidoSolvedGuidoImpeJun 04, 2025Brass Contributor193Views2likes3CommentsCannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I tried to create custom detection rule from KQL query in Defender XDR: Advance Hunting by custom various variable to be able to submit, but for this query to be able to go through remediation setting of detection rule, I need the entity identifiable columns like AccountUpn, that I need to union with IdentityInfo schema. But detection rule seems not support the union * thing as the attached pic: I searched for the same problems that seems to be occurred in all system using KQL including in Microsoft Sentinel Logs but has no workaround to bypass. So, is there any way to get through this objective without strucking with union * problem?Solved244Views0likes4CommentsImporting Purview roles into XDR RBAC
I want to activate Email & collaboration into XDR RBAC, so in XDR RBAC, I go and "choose roles to import" and I see the built-in Purview eDiscovery Manager role. Ok, fine, so I choose to import it into XDR RBAC and assume that my two groups of users in that role group (eDiscovery Managers (Sally and Sue) and eDiscovery Admins (Bob)) would be different. Sally and Sue can only manage their own cases and Bob can manage all cases. Different roles. But after it imports, there's only 1 role: eDiscovery Manager and all my users are in there - Sally, Sue and Bob with "Raw data (Email & collaboration) " - both read permissions are selected. But that's it. Question 1) I'm confused on why the eDiscovery role is being imported into XDR RBAC and if that means that over in Purview, after I activate the "Defender for Office365" workload in XDR RBAC - will something change with what Sally and Sue and Bob can do in Purview eDiscovery? Will I still be managing my eDiscovery users in Purview roles for when I need to add Billy to the list of eDiscovery Admins? Question 2) I see that the other Purview role groups I have users assigned (Audit Manager and Organization Management as well as a custom "Search and Purge" role group) were also imported into XDR RBAC permissions and roles but yet aren't applicable until I activate the workload. Wondering what exactly will happen when I activate the Email & collaboration workload. Will anything negative happen to the PIM groups I gave the Purview role groups to? Would I then need to clean anything up over in Purview roles after I activate the workload in XDR RBAC? This isn't clear at all what to do after I activate the email and collaboration workload and can I just undo it if it messes anything up?SolvedKayZeeBeeApr 29, 2025Copper Contributor127Views0likes1CommentAdvanced Hunting Visualize Results
Hello, I have some queries in Advanced Hunting and I want to visualize the results in Azure Dashboard for other users and better readibility. Is there any possibility or are there other options? Kind regards NicoleSolved__Nicole__Apr 18, 2025Copper Contributor134Views0likes4CommentsDeception Not Deployed on Devices
Hi all, I created a deception rule and tried to deploy it on all devices (Windows server 2022). Unfortunately, the device count remains to 0... (status: in progress) PS: the deployement has been created... 2 months ago. Any idea ? Regards, HASolvedHA13029Mar 15, 2025Brass Contributor215Views0likes3CommentsDynamic Blocklist in Microsoft Defender XDR
Hello Community, I have one question, and i think that is a request that could be useful to everyone. We have a Dynamic list that are published over internet in read-only (into this list we put ioc like malicious domain or bad ip reputation) is a txt file. There are a possibility from MDE o MDC to block all connection to this ioc ? or MDE and MDC not support Dynamic BLocklist ? Regards, GuidoSolvedGuidoImpeFeb 26, 2025Brass Contributor150Views0likes2Comments
Resources
Tags
- microsoft defender for endpoint351 Topics
- microsoft defender for office 365225 Topics
- threat hunting114 Topics
- alerts108 Topics
- investigation95 Topics
- incident management76 Topics
- automation70 Topics
- learning50 Topics
- microsoft sentinel46 Topics
- threat intelligence43 Topics