Microsoft Defender XDR | Microsoft Community Hub

Forum Widgets

Latest Discussions

Defender is missing logs for files copied to USB device on Mac devices
Hello, I am currently facing an issue with Defender not logging files copied to USBs. Using the KQL below, I can only see .exe files copied, but nothing when it comes to .pdf, .docx. .zip and other standard file extensions. Has someone come across this issue before? Any help is greatly appreciated let UsbDriveMount = DeviceEvents | where ActionType=="UsbDriveMounted" | extend ParsedFields=parse_json(AdditionalFields) | project DeviceId, DeviceName, DriveLetter=ParsedFields.DriveLetter, MountTime=TimeGenerated, ProductName=ParsedFields.ProductName,SerialNumber=ParsedFields.SerialNumber,Manufacturer=ParsedFields.Manufacturer | order by DeviceId asc, MountTime desc; let FileCreation = DeviceFileEvents | where InitiatingProcessAccountName != "system" | where ActionType == "FileCreated" | where FolderPath !startswith "C:\\" | where FolderPath !startswith "\\" | project ReportId,DeviceId,InitiatingProcessAccountDomain, InitiatingProcessAccountName,InitiatingProcessAccountUpn, FileName, FolderPath, SHA256, TimeGenerated, SensitivityLabel, IsAzureInfoProtectionApplied | order by DeviceId asc, TimeGenerated desc; FileCreation | lookup kind=inner (UsbDriveMount) on DeviceId | where FolderPath startswith DriveLetter | where TimeGenerated >= MountTime | partition hint.strategy=native by ReportId ( top 1 by MountTime ) | order by DeviceId asc, TimeGenerated desc | extend HostName = iff(DeviceName has '.', substring(DeviceName, 0, indexof(DeviceName, '.')), DeviceName) | extend DnsDomain = iff(DeviceName has '.', substring(DeviceName, indexof(DeviceName, '.') + 1), "") | extend FileHashAlgorithm = 'SHA256'
Solved
Tendo77
Copper Contributor
Sep 28, 2025
automation
microsoft defender for endpoint
playbooks
siem
75Views
0likes
2Comments
"Something went wrong. Primary and secondary data missing" when viewing email submission
Does anyone know what causes the "Something went wrong. Primary and secondary data missing" error when viewing an email submission in Microsoft Defender? It happens sporadically, but on I would guess 5% - 10% of our submissions.
Solved
RSKadish
Brass Contributor
Sep 17, 2025
microsoft defender for office 365
submissions
219Views
0likes
4Comments
Error getting Device Data
Have an issue with Device data not displaying in the Defender XDR portal. On the Assets/Devices menu I can search and find a device, but when I click in it to see the properties- the page displays only 50% of the time. Mostly it stays loading for about 30 secs then displays the error "Error getting Device Data" Occurs regardless of what permissions are applied, occurs regardless of the browser or incognito modes, regardless of who is logged in. Done basic troubleshooting from MS and even MS support cannot find the answer so far. Has anyone seen this before? Cheers
Solved
Dan_Reichenbach
Copper Contributor
Aug 31, 2025
microsoft defender for endpoint
319Views
0likes
2Comments
Unable to view certain defender alerts
Hi Team, We are unable to view certain defender alerts from defender portal. We are able to pool alerts using graph api and from the output -> using alertWebUrl we tried to view the alert. We observed "You can't access this section" error message. (Sorry, you can't access this section. Check with your administrator for the role-based access permissions to see the data). But we are able to view other alerts, (Ex: Above error is for XDR alert, but we are able to view other XDR alerts). Is it possible to allow access to view only few XDR alerts?
Solved
esanya2280
Copper Contributor
Jul 09, 2025
accessibility
244Views
0likes
1Comment
Firewall Rules programming with Defender XDR
We have our devices onboarded to Defender for Endpoint, and want to program Firewall Policy and Firewall Rules Policy using Defender Onboarding. We know that we can onboard devices to Intune and use Intune MDM to program rules. But, we don't want a full blown MDM setup or license for just firewall programming. Is there a deployment scenario where we can do firewall programming just using defender machines. Any help is really appreciated.
Solved
thisisbhaskar
Copper Contributor
Jun 20, 2025
automation
microsoft defender for endpoint
261Views
0likes
1Comment
Attack Surface Reduction - Problem Enforcement
Hello Community, for a customer i deploy Microsoft Defender for Endpoint with Security Management Features of MDE. All works fine but for "Attack Surface Reduction Rule" i have some problem, device are 1.8K and attack surface reduction only apply for 304 devices that have the same policy of other. But from Security Portal So i don't understand because in some device asr works correctly and in the other device not. Has anyone the same problem ? Regards, Guido
Solved
GuidoImpe
Brass Contributor
Jun 04, 2025
microsoft defender for endpoint
204Views
2likes
3Comments
Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I tried to create custom detection rule from KQL query in Defender XDR: Advance Hunting by custom various variable to be able to submit, but for this query to be able to go through remediation setting of detection rule, I need the entity identifiable columns like AccountUpn, that I need to union with IdentityInfo schema. But detection rule seems not support the union * thing as the attached pic: I searched for the same problems that seems to be occurred in all system using KQL including in Microsoft Sentinel Logs but has no workaround to bypass. So, is there any way to get through this objective without strucking with union * problem?
Solved
Saran_Sarah_Hansakul
MCT
May 13, 2025
alerts
incident management
microsoft defender for endpoint
threat hunting
264Views
0likes
4Comments
Importing Purview roles into XDR RBAC
I want to activate Email & collaboration into XDR RBAC, so in XDR RBAC, I go and "choose roles to import" and I see the built-in Purview eDiscovery Manager role. Ok, fine, so I choose to import it into XDR RBAC and assume that my two groups of users in that role group (eDiscovery Managers (Sally and Sue) and eDiscovery Admins (Bob)) would be different. Sally and Sue can only manage their own cases and Bob can manage all cases. Different roles. But after it imports, there's only 1 role: eDiscovery Manager and all my users are in there - Sally, Sue and Bob with "Raw data (Email & collaboration) " - both read permissions are selected. But that's it. Question 1) I'm confused on why the eDiscovery role is being imported into XDR RBAC and if that means that over in Purview, after I activate the "Defender for Office365" workload in XDR RBAC - will something change with what Sally and Sue and Bob can do in Purview eDiscovery? Will I still be managing my eDiscovery users in Purview roles for when I need to add Billy to the list of eDiscovery Admins? Question 2) I see that the other Purview role groups I have users assigned (Audit Manager and Organization Management as well as a custom "Search and Purge" role group) were also imported into XDR RBAC permissions and roles but yet aren't applicable until I activate the workload. Wondering what exactly will happen when I activate the Email & collaboration workload. Will anything negative happen to the PIM groups I gave the Purview role groups to? Would I then need to clean anything up over in Purview roles after I activate the workload in XDR RBAC? This isn't clear at all what to do after I activate the email and collaboration workload and can I just undo it if it messes anything up?
Solved
KayZeeBee
Copper Contributor
Apr 29, 2025
microsoft defender for office 365
214Views
0likes
1Comment
Advanced Hunting Visualize Results
Hello, I have some queries in Advanced Hunting and I want to visualize the results in Azure Dashboard for other users and better readibility. Is there any possibility or are there other options? Kind regards Nicole
Solved
__Nicole__
Copper Contributor
Apr 18, 2025
microsoft defender for endpoint
142Views
0likes
4Comments
Deception Not Deployed on Devices
Hi all, I created a deception rule and tried to deploy it on all devices (Windows server 2022). Unfortunately, the device count remains to 0... (status: in progress) PS: the deployement has been created... 2 months ago. Any idea ? Regards, HA
Solved
HA13029
Brass Contributor
Mar 15, 2025
microsoft defender for endpoint
226Views
0likes
3Comments

Resources

Tags

microsoft defender for endpoint357 Topics
microsoft defender for office 365228 Topics
threat hunting118 Topics
alerts112 Topics
investigation100 Topics
incident management78 Topics
automation73 Topics
learning51 Topics
microsoft sentinel49 Topics
threat intelligence45 Topics