Forum Widgets
Latest Discussions
How to use KQL to associate alerts with incidents?
There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide kql examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table which is only available when Sentinel is connected to XDR. Thank you.
Can I get productName in Microsoft Graph API incident response?
When using Microsoft Graph Security API, is it possible to get the productName field directly in the incident response (e.g., from /security/incidents endpoint)? Or is it only available at the alert level via /security/incidents/{id}/alerts?
Win 11 Multi-Session AVDs Not Reporting Device Health & Security Info to Defender for Endpoint
Hello everyone, I’m trying to figure out if others are experiencing the same issue with Windows 11 multi-session Azure Virtual Desktop (AVD) instances and Microsoft Defender for Endpoint. Since March 27, I’ve noticed that these multi-session VMs successfully onboard to Defender, but they don’t consistently report health status, vulnerability details, or security recommendations in the Defender portal. Previously, the same AVDs were working fine, but now we’re facing this issue, making it difficult to track their security posture properly. Has anyone else faced this? If so, were you able to resolve it? Would love to hear any insights or workarounds. Even if it’s working fine on your end, please let me know—just trying to confirm if this is a broader issue or something specific to our setup. thanks!!
Microsoft Defender for cloud and XDR integration
🚨 Need Help! 🚨 I’m currently facing a challenge with Microsoft Defender for Cloud. I’ve created sample alerts, but when I check in Microsoft Defender XDR, the alerts aren’t showing up. 😕 I’ve already checked all possible configurations, permissions, and integration settings but haven’t been able to pinpoint the cause. Has anyone experienced something similar? Any suggestions on additional things to check or troubleshooting steps that might help resolve this? I was following a Udemy instructor’s video tutorial from 2024, where it worked fine for him, but unfortunately, it didn’t work for me.
"Security Operations Admin User" Predefined Critical Asset classification
In our XDR instance, the new "Security Operations Admin User" predefined Critical Asset classification (introduced last month) contains a few non-privileged users. I can't figure out by what logic they were added to this classification. It seems that the users may be using laptops that are classified as "Security Operations Admin Devices," but I can't figure out why those devices are grouped that way, either. If it were a matter of an IT user logging onto one of the machines for support, there would inevitably a lot MORE users and devices in these groups. Does anyone know what kind of activity Microsoft uses to classify users and devices as "security operations admins?"Are critical asset management rules incompatible with Entra ID?
I am trying to create some custom asset management rules based on filters like logged on username, user criticality, and user groups. No matter what I try no assets show up. Even if I use the format azuread\<username>, no assets are returned by the filter. Are these filters incompatible with Entra ID? Do they only work with on-premise AD?How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message the Defender XDR portal, and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that was doing this using my Global Admin account. Did some research and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.
Full Automation Capabilities in Linux OS
Hello eveyone, We have configured Defender to detect viruses, and our goal is that if one of our assets downloads or encounters a virus, it is automatically hidden or removed. Based on the documentation regarding the automation levels in Automated Investigation and Remediation capabilities, we have set it to "Full - remediate threats automatically." While this works correctly on Windows devices, we have noticed that on Linux devices, the defender still detect the virus but it was not prevented. I was wondering if anyone has encountered this issue and, if so, how it was resolved? Additionally, as I am new to the Defender platform, I wanted to ask if could this issue potentially be resolved through specific Linux policies or functionalities? Best regards Mathiew
