Recent Discussions
Welcome to the Virtual Ninja Show’s Ninja Cat giveaway!
We are so excited to announce there will be NINE opportunities across Season 3 of the Ninja Show to earn your very own plush ninja cat and give it a new beloved home and we have many plush ninja cats looking for a new home! It works like this: for each episode there is a task to accomplish related to the topic in that show. You can complete each episode’s task for an opportunity to win! When you receive a LIKE on your response (from me, Heike) make sure you check your messages here in Tech Community for a message (from me, Heike ) with next steps. If you do not receive a like, don’t worry - come back and keep trying! For each episode, you have a new chance to win a kitty! Though we do limit one ninja cat per person, please! Click on any episode conversation below to access the various tasks! Episode specific conversations will be posted after their live broadcast is finished. Once you’ve submitted your response, and received my like, I will reach out for the last few details to get your ninja cat on its way! P.S. You have time to put your raffle ticket in the basket (for any episode) until April 14 th ! > Episode 2 | Mastering email authentication and slashing overrides: Part 2 (March 9 th 9 AM PT) > Episode 3 | Microsoft Sentinel Integration (March 14 th 9 AM PT) > Episode 4 | Defender Experts for Hunting Overview (March 16 th 9 AM PT) > Episode 5 | Mobile Threat Defense (March 20 th 9 AM PT) > Episode 6 | SaaS security posture management (SSPM) (March 21 st 9 AM PT) > Episode 7 | Defender for Identity and Defender for Endpoint: Better Together (March 23 rd 9 AM PT) > Episode 8 | Get to know Microsoft Defender Vulnerability Management Premium (March 27 th 9 AM PT) > Episode 9 | Attack disruption (March 29 th 9 AM PT) > Episode 10 | Identity Threat Detection and Response (March 30 th 9 AM PT) Good luck! Heike and the Ninja Show crew This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.Ninja Cat Giveaway: Episode 2 | Mastering email authentication and slashing overrides: Part 2
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: Did you spot ninja cat throughout episode? Mention your favorite on-screen ninja cat appearance in this episode along with one thing you’ve learned from this episode of the Ninja Show! This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.Share Your Hunting Challenges!
Hello world! Tali Ash and I would love your input on anything you would like demo'ed in future webcasts! Want to see us demonstrate a specific hunting capability? Got a query challenge on your mind? Reply with your idea or like a reply from the community - we'll pick some of the popular ideas and put together future webcasts on the topics. Also, if you are looking for a great introduction to advanced hunting in MTP and KQL, be sure to check out our four part series Tracking the Adversary at http://aka.ms/securitywebinars, or download the query files to practice on your own MTP instance at https://aka.ms/TrackingTheAdversary. Happy hunting!
Explorer permission to download an email
Global Admin is allegedly not sufficient access to download an email. So I have a user asking for a copy of her emaill, and I'm telling her 'sorry, I don't have that permission', I'm only global admin' What? The documentation basically forces you to use the new terrible 'role group' system. I see various 'roles' that you need to add to a 'role group' in order to do this.. Some mention Preview, some mention Security Administrator, some mention Security Operator. I've asked copilot 100 different times, and he keeps giving me made up roles. But then linking to the made up role. How is such a basic functionality broken? It makes 0 sense. I don't want to submit this email - it's not malware or anything. I just want to download the **bleep** thing, and I don't want to have to go through the whole poorview process. This is really basic stuff. I can do this on about 10% of my GA accounts. There's no difference in the permissions - it just seems inconsistent.
Defender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024 I have found a way to disabling these annoying alerts. Look for the solution above. Issue: I want to know how I can disable these two following alerts : Disabled Connected to a custom indicator Connected to an unsanctioned blocked app Those alerts type needs to be enabled or disabled on demand, like the other alerts types. Why's that : Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing. Possible to disable the custom alert in setting ? No. Why ? Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type. Solutions : IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports. The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR setting->Alert tuning->Create this rule: Here's an example: Rule Analysis From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working: 1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered. 2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,
Change service account to avoid cached password in windows registry
Hi , In Microsoft 365 defender > secure score there's a recommendation for me saying "Change service account to avoid cached password in windows registry" , and I can see multiple MSSQL services falling into this recommendations . But the remediation is not very clear , what should I need to do in here ? Thanks ,
Date/time display format in the Microsoft 365 Defender portal
Display of dates and times in the correct regional format remains inconsistent in the Defender portal. Being UK-based with UK language and region settings set, we are still seeing US-formatted timestamps (M/D/Y AM/PM) in both the Defender portal and MCAS. 1) Is this an acknowledged issue and does Microsoft plan to fix it so that dates are shown consistently in the appropriate regional format? 2) Is there any possibility of getting all date and time stamps to show in ISO8601 format across all pages? M/D/Y vs D/M/Y causes ambiguity and confusion. This is worse for non-US users who are not used to working w
MS Secure Score Create an OAuth app policy to notify you about new OAuth applications
Analyzing my Secure Score pending action, it says I need to Create an OAuth app policy to notify you about new OAuth applications. The implementation instructions are vague and when i try to create a policy there is no filter for newly created Oauth Apps. Anyone have success setting this policy?Microsoft Azure and Microsoft 365 Security - my defense in depth strategy!
Dear Microsoft Azure and Microsoft 365 security friends, Who is interested in my (small) company? We don't have anything to protect and we don't have any money. Besides, we have a firewall. Furthermore, Mr. Wechsler, you are a bit paranoid with your security thinking. These are the first sentences I always hear when it comes to IT (Cloud) security. But the attacker is also interested in a small company and that is to use their system as a bot. It's not always about money and data. What about the reputation a company has to lose? It takes years to build a good reputation but only one event to damage the reputation. What about the employees, the trust in the company? Do you want to put this at risk as a company, I don't think so! Yes! Extended protection mechanisms always cost extra, I am absolutely aware of that. But I also pay monthly for car insurance and accident and health insurance. I'm grateful every day when I don't need the insurance. That's exactly how it should feel when it comes to IT (cloud) security. Let's start with my IT/Cloud security strategy. I am absolutely aware that this list is not exhaustive. There are so many components to consider, plus every infrastructure/company is always different. I'll try to give you a little help here. We start with Microsoft 365, as a first additional measure, use all policies that start with "Anti-". You can find all the information in the Microsoft 365 Security Center. https://security.microsoft.com/threatpolicy The next step is to use the policies that start with "Safe". You can also find this information in the Microsoft 365 Security Center. Multi factor authentication is a key element to further protect your identities/users. You can set this up per user or with a Conditional Access Policy (my preferred way). Azure Active Directory helps you integrate this protection. https://portal.azure.com If you are subject to a regulatory agency, the Microsoft 365 Compliance Center can help. Here you can set up data loss prevention policies, audits, eDiscovery and much more. https://compliance.microsoft.com/homepage In this day and age of bring your own device and work from home, it's a good idea to include the Endpoint Manager. With it you have the possibility to manage endpoints (Mobile Device Management - MDM) and applications (Mobile Application Management - MAM). https://endpoint.microsoft.com/ Get visibility into your cloud apps using sophisticated analytics to identify and protect against cyberthreats, detect Shadow IT, and control how your data travels. https://portal.cloudappsecurity.com/ The Cloudapp Security Portal provides you with the best possible support. Here you can allow or sanction cloud app, configure anti-ransomware policies, data loss prevention policies and much more. Do you want to know how your Windows Active Directory is doing? Then Microsoft Defender for Identity will help you. With this tool you can transfer the local information to the cloud. With an interface to the CloudApp Security Portal. https://yourtenant.atp.azure.com/timeline No person should always work with elevated rights. Only work with elevated rights when it is really necessary. This is where Azure Privileged Identity Management (PIM) comes in. With this tool you can configure the access as you need it for your needs. https://portal.azure.com With Azure Identity Protection do you have a tool that allows organizations to accomplish three key tasks: 1. Automate the detection and remediation of identity-based risks. 2. Investigate risks using data in the portal. 3. Export risk detection data to third-party utilities for further analysis. https://portal.azure.com Just in time access for administrators, this is also possible for virtual machines with Just in time VM Access. In Microsoft Defender for Cloud you can configure this feature (and much more). Microsoft Sentinel helps you keep track of the health of your organization. A SIEM (Security Information and Event Management) and SOAR (Security Orchestration Automation and Response) tool that should not be missing from your portfolio. The tool offers many connectors (98 at the moment) so that you can connect the most diverse portals to Sentinel. There is still so much to show, I wasn't talking about Role Based Access Control (RBAC) now or Network Security Group (NSG), etc. I know some of you are thinking, hey there is a lot more. I am aware of that. My goal is to give you some positive signals on how you can integrate additional security into your organization. Thank you for taking the time to read this article. Kind regards, Tom WechslerAttack Surface Reduction - Problem Enforcement
Hello Community, for a customer i deploy Microsoft Defender for Endpoint with Security Management Features of MDE. All works fine but for "Attack Surface Reduction Rule" i have some problem, device are 1.8K and attack surface reduction only apply for 304 devices that have the same policy of other. But from Security Portal So i don't understand because in some device asr works correctly and in the other device not. Has anyone the same problem ? Regards, GuidoSecureScore bugs
There needs to be a way to submit feedback for SecureScore. There's so many outdated links within the 'implementation' tab, and so many quirks. For example, the 'enable safe attachments' policy will fail if you use a custom Quarantine policy, even if it IS admin-only. Feels kinda sketchy to be setting these to 'Resolved through Alternate Mitigation' when you actually haven't. Another example - the Outbound Spam filter specifies no limits for emails. However the documentation DOES. This should be part of the SecureScore recommendation, no? Not sure if this is the right hub - but this is where the doc links for feedback.
Win 11 Multi-Session AVDs Not Reporting Device Health & Security Info to Defender for Endpoint
Hello everyone, I’m trying to figure out if others are experiencing the same issue with Windows 11 multi-session Azure Virtual Desktop (AVD) instances and Microsoft Defender for Endpoint. Since March 27, I’ve noticed that these multi-session VMs successfully onboard to Defender, but they don’t consistently report health status, vulnerability details, or security recommendations in the Defender portal. Previously, the same AVDs were working fine, but now we’re facing this issue, making it difficult to track their security posture properly. Has anyone else faced this? If so, were you able to resolve it? Would love to hear any insights or workarounds. Even if it’s working fine on your end, please let me know—just trying to confirm if this is a broader issue or something specific to our setup. thanks!!
KQL script report last reboot/reset endpoint devices (Workstations/Laptops)
Hello everyone, I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots. To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device. I've attempted to use the following KQL script in different ways without success: DeviceEvents | where ActionType == "Restarted" or ActionType == "Shutdown" | summarize LastReboot = max(EventTime) by DeviceName Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore. Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance! Best regards, Sergio
New Email Response Actions in Microsoft Defender XDR
Hi, Can Microsoft please allow the use of punctuation when adding a new Rule Name or in the description for this functionality. Example below is when adding a new rule name, but using a hyphen (so that on first look, a user can see that the rule was created for a manual action) In the description, it doesn't allow you to use any commas, or any full stops (periods)MS Defender for Endpoint Onboarding Method Overview
Finding it hard to protect all your devices with Microsoft Defender for Endpoint? Maybe you are just not aware yet of all the methods available to onboard new devices! In this blogpost, I'll provide a high-level overview of all the methods available: Microsoft Intune Onboarding packages or scripts Device Discovery Personal Devices Azure Azure Arc Direct Onboarding (NEW) After reading this, you are able to choose the perfect MDE onboarding method for your situation! https://myronhelgering.com/mde-onboarding-method-overview/Defender Slowness Issue
Hi Team, Developers have been experiencing extreme slowness lately. When we give an exclusion to C as in the below screenshot, It goes back to normal. Exclude C is like saying don't touch C at all. As you know, this is not the correct solution. Is there anything we can optimize this situation for?Also, you find the Defender Performance Analyzer results in the attached files. Thanks in advance for your support.
Recent Blogs
- 6 MIN READMicrosoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our De...Dec 04, 2025
- This Ignite we are focused on giving security teams the edge they need to meet adversaries head on in the era of AI. The modern Security Operations Center (SOC) is undergoing a fundamental transforma...Nov 18, 2025
