Forum Widgets
Latest Discussions
XDR advanced hunting region specific endpoints
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it: 1. To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Since using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region? 2. As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants(China, US, Global)?XDR Advanced hunting API region availability
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it: To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region? As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants(China, US, Global)?
Defender for Endpoint | Deception
Hi Everyone, I hope this topic is going to help someone. I want to know after 31 of October 2025 Does that mean that no one can run Deceptions and policy rules, etc? As at the moment I'm experiencing this: It would be good to know if I have to deal with it and look into what the issue is, as I'm using Zscaler. The issue is definitely there after running a number of commands to check the reg key, etc. Can someone provide me with any documentation if this will be fully retired or will still be functioning to some point?
Question malware autodelete
A malware like Trojan:Win32/Wacatac.C!ml can download other malware, this other malware can perform the malicious action, this malware can delete itself and in the next scan of antivirus free this malware that deleted itself will not have any trace and will not be detected by the scan?
MTO Portal MFA Prompt Not Loading
Hi We are using the mto portal to hunt across multiple tenants. My team get the "loading completed with errors" message and the prompt for "MFA Login Required". When they select this the window to authenticate opens and then closes instantly. When selecting the tenant name they can authenticate in a new tab directly to Defender in this tenant without any issue (but this does not carry over to the MTO portal). The old behaviour was that they selected "MFA Login Required" and they could authenticate to the tenants they needed to at that time. Is this happening to anyone else? Does anyone have any tips for managing multiple Defender instances using MTO? Thanks
Bug using streaming API related to new type of event 'CloudProcessEvents'
Hi community, recently i've been trying to send XDR events/logs to a storage account via streaming API option. The problem comes when this bad request appears: This problem is related with a new schema that have been added recently to XDR Advanced Hunting. As you can see the new type of event 'CloudProcessEvents' is not supported via API but it doesnt appear in type of event at the configuration to unselect it. Can someone help?
SecureScore bugs
There needs to be a way to submit feedback for SecureScore. There's so many outdated links within the 'implementation' tab, and so many quirks. For example, the 'enable safe attachments' policy will fail if you use a custom Quarantine policy, even if it IS admin-only. Feels kinda sketchy to be setting these to 'Resolved through Alternate Mitigation' when you actually haven't. Another example - the Outbound Spam filter specifies no limits for emails. However the documentation DOES. This should be part of the SecureScore recommendation, no? Not sure if this is the right hub - but this is where the doc links for feedback.
Secure score not improving after implementing ASR
I need some help on the following; Improving secure score for one of our customers. For example, the secure score is improving for identity. I implemented user risk and sign in risk CA policies on the 14th and on the 18th defender is increasing the secure score However i also implemented ASR rules 23rd of september but it still says ASR are recommended actions. Etcetera. I powershelled into one of the targeted endpoints and confirmed the ASR rules are active on the machine. Connector is on The are using Crowdstrike as primary AV. Can the 2 AVs work together so the score gets updated for device? Would i need to manually create exeptions for every rule? I hope not.. Thank you in advance. Regards, Andrew
