Latest Discussions
Advanced Hunting Visualize Results
Hello, I have some queries in Advanced Hunting and I want to visualize the results in Azure Dashboard for other users and better readability. Is there any possibility or are there other options? Kind regards
Posted by Nicole__Nicole__ (Copper Contributor), Apr 18, 2025. 2 Views, 0 likes, 0 Comments

How to use KQL to associate alerts with incidents?
There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide KQL examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table which is only available when Sentinel is connected to XDR. Thank you.
Posted by SocInABox (Iron Contributor), Apr 17, 2025. 43 Views, 0 likes, 1 Comment

Can I get productName in Microsoft Graph API incident response?
When using Microsoft Graph Security API, is it possible to get the productName field directly in the incident response (e.g., from /security/incidents endpoint)? Or is it only available at the alert level via /security/incidents/{id}/alerts?
Posted by esanya2280 (Copper Contributor), Apr 11, 2025. 14 Views, 0 likes, 0 Comments

Win 11 Multi-Session AVDs Not Reporting Device Health & Security Info to Defender for Endpoint
Hello everyone, I’m trying to figure out if others are experiencing the same issue with Windows 11 multi-session Azure Virtual Desktop (AVD) instances and Microsoft Defender for Endpoint. Since March 27, I’ve noticed that these multi-session VMs successfully onboard to Defender, but they don’t consistently report health status, vulnerability details, or security recommendations in the Defender portal. Previously, the same AVDs were working fine, but now we’re facing this issue, making it difficult to track their security posture properly. Has anyone else faced this? If so, were you able to resolve it? Would love to hear any insights or workarounds. Even if it’s working fine on your end, please let me know—just trying to confirm if this is a broader issue or something specific to our setup. Thanks!!
Posted by Greedy_Author (Copper Contributor), Apr 10, 2025. 123 Views, 2 likes, 2 Comments

Microsoft Defender for Cloud and XDR integration
🚨 Need Help! 🚨 I’m currently facing a challenge with Microsoft Defender for Cloud. I’ve created sample alerts, but when I check in Microsoft Defender XDR, the alerts aren’t showing up. 😕 I’ve already checked all possible configurations, permissions, and integration settings but haven’t been able to pinpoint the cause. Has anyone experienced something similar? Any suggestions on additional things to check or troubleshooting steps that might help resolve this? I was following a Udemy instructor’s video tutorial from 2024, where it worked fine for him, but unfortunately, it didn’t work for me.
Posted by ALEMPR1 (Copper Contributor), Apr 09, 2025. 53 Views, 0 likes, 1 Comment

"Security Operations Admin User" Predefined Critical Asset classification
In our XDR instance, the new "Security Operations Admin User" predefined Critical Asset classification (introduced last month) contains a few non-privileged users. I can't figure out by what logic they were added to this classification. It seems that the users may be using laptops that are classified as "Security Operations Admin Devices," but I can't figure out why those devices are grouped that way, either. If it were a matter of an IT user logging onto one of the machines for support, there would inevitably be a lot MORE users and devices in these groups. Does anyone know what kind of activity Microsoft uses to classify users and devices as "security operations admins?"
Posted by SKadish (Brass Contributor), Apr 08, 2025. 28 Views, 0 likes, 0 Comments

Are critical asset management rules incompatible with Entra ID?
I am trying to create some custom asset management rules based on filters like logged on username, user criticality, and user groups. No matter what I try, no assets show up. Even if I use the format azuread\<username>, no assets are returned by the filter. Are these filters incompatible with Entra ID? Do they only work with on-premise AD?
Posted by SKadish (Brass Contributor), Apr 08, 2025. 73 Views, 0 likes, 4 Comments

How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message in the Defender XDR portal and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that I was doing this using my Global Admin account. Did some research, and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access. So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.
Posted by Joseph_Moran (Copper Contributor), Apr 08, 2025. 85 Views, 0 likes, 4 Comments

Deception Not Deployed on Devices
Hi all, I created a deception rule and tried to deploy it on all devices (Windows Server 2022). Unfortunately, the device count remains at 0... (status: in progress) PS: the deployment was created... 2 months ago. Any idea? Regards, HA
Solved. Posted by HA13029 (Brass Contributor), Apr 01, 2025. 96 Views, 0 likes, 3 Comments

Full Automation Capabilities in Linux OS
Hello everyone, We have configured Defender to detect viruses, and our goal is that if one of our assets downloads or encounters a virus, it is automatically hidden or removed. Based on the documentation regarding the automation levels in Automated Investigation and Remediation capabilities, we have set it to "Full - remediate threats automatically." While this works correctly on Windows devices, we have noticed that on Linux devices, Defender still detects the virus, but it was not prevented. I was wondering if anyone has encountered this issue and, if so, how it was resolved? Additionally, as I am new to the Defender platform, I wanted to ask if this issue could potentially be resolved through specific Linux policies or functionalities? Best regards, Mathiew
Posted by mathiewh11 (Copper Contributor), Mar 27, 2025. 36 Views, 1 like, 0 Comments
Tags
- microsoft defender for endpoint (333 Topics)
- microsoft defender for office 365 (218 Topics)
- threat hunting (111 Topics)
- alerts (102 Topics)
- investigation (94 Topics)
- incident management (73 Topics)
- automation (69 Topics)
- learning (48 Topics)
- microsoft sentinel (41 Topics)
- threat intelligence (41 Topics)