Forum Widgets
Latest Discussions
Secure Score - Vulnerability Exceptions Not Registering
I have followed the guide to configure the proper permissions to manage within Defender. Device groups have been created based off tags we applied to the devices, and the device groups register the expected number of devices. We apply an exception to the vulnerability recommendation based off the device group, looking at the individual device pages we can confirm the recommendation is excluded and it all appears to work as intended up to this point. The problem starts on the vulnerability dashboard. The recommendation shows it is in partial exception status however none of the statistics or data reflect this including our secure score. I can confirm making a global exception works as expected and we can see the score adjust properly. Has anyone experienced this before or have any pointers? We have been working at this for weeks trying different things without luck, we are ensuring to leave adequate sync times.AppleJaxApr 23, 2025Copper Contributor8Views0likes0CommentsAdvanced Hunting Visualize Results
Hello, I have some queries in Advanced Hunting and I want to visualize the results in Azure Dashboard for other users and better readibility. Is there any possibility or are there other options? Kind regards Nicole__Nicole__Apr 23, 2025Copper Contributor30Views0likes2CommentsIntegrate Defender for Cloud Apps w/ Azure Firewall or VPN Gateway
Hello, Recently I have been tasked with securing our openAI implementation. I would like to marry the Defender for Cloud Apps with the sanctioning feature and the Blocking unsanctioned traffic like the Defender for Endpoint capability. To do this, I was only able to come up with: creating a windows 2019/2022 server, with RRAS, and two interfaces in Azure, one Public, and one private. Then I add Defender for Endpoint, Optimized to act as a traffic moderator, integrated the solution with Defender for cloud apps, with BLOCK integration enabled. I can then sanction each of the desired applications, closing my environment and only allowing sanctioned traffic to sanctioned locations. This solution seemed : difficult to create, not the best performer, and the solution didn't really take into account the ability of the router to differentiate what solution was originating the traffic, which would allow for selective profiles depending on the originating source. Are there any plans on having similar solutions available in the future from: VPN gateway (integration with Defender for Cloud Apps), or Azure Firewall -> with advanced profile. The Compliance interface with the sanctioning traffic feature seems very straight forward .JRobbins1280Apr 22, 2025Copper Contributor11Views0likes0CommentsHow to use KQL to associate alerts with incidents?
There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide kql examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table which is only available when Sentinel is connected to XDR. Thank you.SocInABoxApr 17, 2025Iron Contributor49Views0likes1CommentCan I get productName in Microsoft Graph API incident response?
When using Microsoft Graph Security API, is it possible to get the productName field directly in the incident response (e.g., from /security/incidents endpoint)? Or is it only available at the alert level via /security/incidents/{id}/alerts?esanya2280Apr 11, 2025Copper Contributor19Views0likes0CommentsWin 11 Multi-Session AVDs Not Reporting Device Health & Security Info to Defender for Endpoint
Hello everyone, I’m trying to figure out if others are experiencing the same issue with Windows 11 multi-session Azure Virtual Desktop (AVD) instances and Microsoft Defender for Endpoint. Since March 27, I’ve noticed that these multi-session VMs successfully onboard to Defender, but they don’t consistently report health status, vulnerability details, or security recommendations in the Defender portal. Previously, the same AVDs were working fine, but now we’re facing this issue, making it difficult to track their security posture properly. Has anyone else faced this? If so, were you able to resolve it? Would love to hear any insights or workarounds. Even if it’s working fine on your end, please let me know—just trying to confirm if this is a broader issue or something specific to our setup. thanks!!Greedy_AuthorApr 10, 2025Copper Contributor149Views2likes2CommentsMicrosoft Defender for cloud and XDR integration
🚨 Need Help! 🚨 I’m currently facing a challenge with Microsoft Defender for Cloud. I’ve created sample alerts, but when I check in Microsoft Defender XDR, the alerts aren’t showing up. 😕 I’ve already checked all possible configurations, permissions, and integration settings but haven’t been able to pinpoint the cause. Has anyone experienced something similar? Any suggestions on additional things to check or troubleshooting steps that might help resolve this? I was following a Udemy instructor’s video tutorial from 2024, where it worked fine for him, but unfortunately, it didn’t work for me.ALEMPR1Apr 09, 2025Copper Contributor57Views0likes1Comment"Security Operations Admin User" Predefined Critical Asset classification
In our XDR instance, the new "Security Operations Admin User" predefined Critical Asset classification (introduced last month) contains a few non-privileged users. I can't figure out by what logic they were added to this classification. It seems that the users may be using laptops that are classified as "Security Operations Admin Devices," but I can't figure out why those devices are grouped that way, either. If it were a matter of an IT user logging onto one of the machines for support, there would inevitably a lot MORE users and devices in these groups. Does anyone know what kind of activity Microsoft uses to classify users and devices as "security operations admins?"SKadishApr 08, 2025Brass Contributor32Views0likes0CommentsAre critical asset management rules incompatible with Entra ID?
I am trying to create some custom asset management rules based on filters like logged on username, user criticality, and user groups. No matter what I try no assets show up. Even if I use the format azuread\<username>, no assets are returned by the filter. Are these filters incompatible with Entra ID? Do they only work with on-premise AD?SKadishApr 08, 2025Brass Contributor76Views0likes4CommentsHow to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message the Defender XDR portal, and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that was doing this using my Global Admin account. Did some research and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.Joseph_MoranApr 08, 2025Copper Contributor92Views0likes4Comments
Resources
Tags
- microsoft defender for endpoint335 Topics
- microsoft defender for office 365218 Topics
- threat hunting111 Topics
- alerts102 Topics
- investigation94 Topics
- incident management73 Topics
- automation69 Topics
- learning49 Topics
- threat intelligence42 Topics
- microsoft sentinel41 Topics