Microsoft Defender XDR | Microsoft Community Hub

Forum Widgets

Latest Discussions

Error getting Device Data
Have an issue with Device data not displaying in the Defender XDR portal. On the Assets/Devices menu I can search and find a device, but when I click in it to see the properties- the page displays only 50% of the time. Mostly it stays loading for about 30 secs then displays the error "Error getting Device Data" Occurs regardless of what permissions are applied, occurs regardless of the browser or incognito modes, regardless of who is logged in. Done basic troubleshooting from MS and even MS support cannot find the answer so far. Has anyone seen this before? Cheers
Solved
Dan_Reichenbach
Copper Contributor
Aug 31, 2025
microsoft defender for endpoint
196Views
0likes
2Comments
Unable to view certain defender alerts
Hi Team, We are unable to view certain defender alerts from defender portal. We are able to pool alerts using graph api and from the output -> using alertWebUrl we tried to view the alert. We observed "You can't access this section" error message. (Sorry, you can't access this section. Check with your administrator for the role-based access permissions to see the data). But we are able to view other alerts, (Ex: Above error is for XDR alert, but we are able to view other XDR alerts). Is it possible to allow access to view only few XDR alerts?
Solved
esanya2280
Copper Contributor
Jul 09, 2025
accessibility
175Views
0likes
1Comment
Firewall Rules programming with Defender XDR
We have our devices onboarded to Defender for Endpoint, and want to program Firewall Policy and Firewall Rules Policy using Defender Onboarding. We know that we can onboard devices to Intune and use Intune MDM to program rules. But, we don't want a full blown MDM setup or license for just firewall programming. Is there a deployment scenario where we can do firewall programming just using defender machines. Any help is really appreciated.
Solved
thisisbhaskar
Copper Contributor
Jun 20, 2025
automation
microsoft defender for endpoint
183Views
0likes
1Comment
Attack Surface Reduction - Problem Enforcement
Hello Community, for a customer i deploy Microsoft Defender for Endpoint with Security Management Features of MDE. All works fine but for "Attack Surface Reduction Rule" i have some problem, device are 1.8K and attack surface reduction only apply for 304 devices that have the same policy of other. But from Security Portal So i don't understand because in some device asr works correctly and in the other device not. Has anyone the same problem ? Regards, Guido
Solved
GuidoImpe
Brass Contributor
Jun 04, 2025
microsoft defender for endpoint
193Views
2likes
3Comments
Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I tried to create custom detection rule from KQL query in Defender XDR: Advance Hunting by custom various variable to be able to submit, but for this query to be able to go through remediation setting of detection rule, I need the entity identifiable columns like AccountUpn, that I need to union with IdentityInfo schema. But detection rule seems not support the union * thing as the attached pic: I searched for the same problems that seems to be occurred in all system using KQL including in Microsoft Sentinel Logs but has no workaround to bypass. So, is there any way to get through this objective without strucking with union * problem?
Solved
Saran_Sarah_Hansakul
MCT
May 13, 2025
alerts
incident management
microsoft defender for endpoint
threat hunting
245Views
0likes
4Comments
Importing Purview roles into XDR RBAC
I want to activate Email & collaboration into XDR RBAC, so in XDR RBAC, I go and "choose roles to import" and I see the built-in Purview eDiscovery Manager role. Ok, fine, so I choose to import it into XDR RBAC and assume that my two groups of users in that role group (eDiscovery Managers (Sally and Sue) and eDiscovery Admins (Bob)) would be different. Sally and Sue can only manage their own cases and Bob can manage all cases. Different roles. But after it imports, there's only 1 role: eDiscovery Manager and all my users are in there - Sally, Sue and Bob with "Raw data (Email & collaboration) " - both read permissions are selected. But that's it. Question 1) I'm confused on why the eDiscovery role is being imported into XDR RBAC and if that means that over in Purview, after I activate the "Defender for Office365" workload in XDR RBAC - will something change with what Sally and Sue and Bob can do in Purview eDiscovery? Will I still be managing my eDiscovery users in Purview roles for when I need to add Billy to the list of eDiscovery Admins? Question 2) I see that the other Purview role groups I have users assigned (Audit Manager and Organization Management as well as a custom "Search and Purge" role group) were also imported into XDR RBAC permissions and roles but yet aren't applicable until I activate the workload. Wondering what exactly will happen when I activate the Email & collaboration workload. Will anything negative happen to the PIM groups I gave the Purview role groups to? Would I then need to clean anything up over in Purview roles after I activate the workload in XDR RBAC? This isn't clear at all what to do after I activate the email and collaboration workload and can I just undo it if it messes anything up?
Solved
KayZeeBee
Copper Contributor
Apr 29, 2025
microsoft defender for office 365
136Views
0likes
1Comment
Advanced Hunting Visualize Results
Hello, I have some queries in Advanced Hunting and I want to visualize the results in Azure Dashboard for other users and better readibility. Is there any possibility or are there other options? Kind regards Nicole
Solved
__Nicole__
Copper Contributor
Apr 18, 2025
microsoft defender for endpoint
134Views
0likes
4Comments
Deception Not Deployed on Devices
Hi all, I created a deception rule and tried to deploy it on all devices (Windows server 2022). Unfortunately, the device count remains to 0... (status: in progress) PS: the deployement has been created... 2 months ago. Any idea ? Regards, HA
Solved
HA13029
Brass Contributor
Mar 15, 2025
microsoft defender for endpoint
216Views
0likes
3Comments
Dynamic Blocklist in Microsoft Defender XDR
Hello Community, I have one question, and i think that is a request that could be useful to everyone. We have a Dynamic list that are published over internet in read-only (into this list we put ioc like malicious domain or bad ip reputation) is a txt file. There are a possibility from MDE o MDC to block all connection to this ioc ? or MDE and MDC not support Dynamic BLocklist ? Regards, Guido
Solved
GuidoImpe
Brass Contributor
Feb 26, 2025
microsoft defender for endpoint
150Views
0likes
2Comments
DeviceRegistryEvents table
Couldn’t find any documentation on what is logged or not logged in this table. Is there any documentation available on what registry entries are logged by defender? Is there a way to suggest some registry events to be logged to Microsoft?
Solved
Sreenath15
Copper Contributor
Feb 18, 2025
microsoft defender for endpoint
Search
threat hunting
119Views
0likes
1Comment

Resources

Tags

microsoft defender for endpoint351 Topics
microsoft defender for office 365225 Topics
threat hunting114 Topics
alerts108 Topics
investigation95 Topics
incident management76 Topics
automation70 Topics
learning50 Topics
microsoft sentinel46 Topics
threat intelligence43 Topics