Recent Discussions
Welcome to the Virtual Ninja Show’s Ninja Cat giveaway!
We are so excited to announce there will be NINE opportunities across Season 3 of the Ninja Show to earn your very own plush ninja cat and give it a new beloved home and we have many plush ninja cats looking for a new home! It works like this: for each episode there is a task to accomplish related to the topic in that show. You can complete each episode’s task for an opportunity to win! When you receive a LIKE on your response (from me, Heike) make sure you check your messages here in Tech Community for a message (from me, Heike ) with next steps. If you do not receive a like, don’t worry - come back and keep trying! For each episode, you have a new chance to win a kitty! Though we do limit one ninja cat per person, please! Click on any episode conversation below to access the various tasks! Episode specific conversations will be posted after their live broadcast is finished. Once you’ve submitted your response, and received my like, I will reach out for the last few details to get your ninja cat on its way! P.S. You have time to put your raffle ticket in the basket (for any episode) until April 14 th ! > Episode 2 | Mastering email authentication and slashing overrides: Part 2 (March 9 th 9 AM PT) > Episode 3 | Microsoft Sentinel Integration (March 14 th 9 AM PT) > Episode 4 | Defender Experts for Hunting Overview (March 16 th 9 AM PT) > Episode 5 | Mobile Threat Defense (March 20 th 9 AM PT) > Episode 6 | SaaS security posture management (SSPM) (March 21 st 9 AM PT) > Episode 7 | Defender for Identity and Defender for Endpoint: Better Together (March 23 rd 9 AM PT) > Episode 8 | Get to know Microsoft Defender Vulnerability Management Premium (March 27 th 9 AM PT) > Episode 9 | Attack disruption (March 29 th 9 AM PT) > Episode 10 | Identity Threat Detection and Response (March 30 th 9 AM PT) Good luck! Heike and the Ninja Show crew This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.Ninja Cat Giveaway: Episode 3 | Sentinel integration
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: what was your favorite feature Javier presented? Oh and what does UEBA stand for? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.MITRE ATT&CK Coverage
Morning from the UK! I am trying to better understand how Defender \ Sentinel protect against the MITRE ATT&CK framework. I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory, but am struggling to see what is available in the product and what is still on the roadmap: https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html In terms of what coverage exists within a Tenant, I know there is improvements planned in the roadmap to the current MITRE coverage in Microsoft Sentinel, but is there any way that I could use a Graph query to get what is currently covered?Resources for Automatic attack disruption
Hi all, because this topic is really HOT, I thought I am sharing a collection of resources with you. Recordings: Microsoft Secure (free registration required): - How XDR defends against ransomware across the entire kill chain with Corina Feuerstein - Ask the Experts: How XDR defends against ransomware across the entire kill chain Ninja Show episode Attack disruption, with Hadar Feldman Ignite announcement: What’s new in SIEM and XDR: Attack disruption and SOC empowerment - Events | Microsoft Learn Blogs: Automatic disruption of Ransomware and BEC attacks with Microsoft 365 Defender XDR attack disruption in action – Defending against a recent BEC attack Documentation: Configure automatic attack disruption capabilities in Microsoft 365 Defender | Microsoft Learn What do you think about this new and exciting capability? Do you have any questions on how it works that we didn't refer to? If so feel free to start a conversation here! 🙂 Oh and if I missed another resource, let me know too! HeikeNinja Cat Giveaway: Episode 5 | Mobile Threat Defense
For this episode, your opportunity to win a plush ninja cat is the following - Reply to this thread with: After assessing this discussion with Yuji, tell us what are at least 3 common attack vectors on mobile devices? This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.Ninja Cat Giveaway: Episode 7 | Defender for Identity and Defender for Endpoint: Better to together
For this episode, your opportunity to win a plush ninja cat is the following - Tell us about an alert that started either from Defender for Endpoint or Defender for Identity and what additional information from the other product (Defender for Endpoint or Defender for Identity) helped you get more details about that alert? Or share your favorite KQL query with tables from both products. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Unable to apply ASR rules for Windows servers (2012R2,2016, 2019 and 2022) via SCCM
Hi, I have onboarded servers 2012 R2, 2016, 2019 and 2022 into the Microsoft Defender for Endpoint via a unified solution (I am not using MMA or AMA), All statuses are Active and onboarded in the www.security.microsoft.com console. These servers are managing through the SCCM and I could deploy the Antimalware policy for all servers. Still, I am unable to deploy ASR rules for the onboarded servers, I have tried manually configure rules into the servers. Still, when I run Get-MpPreference powershell command there are blank fields for ASR components. Any solution for this? Note: These servers are not joined AAD.Ninja Cat Giveaway: Episode 9 | Attack disruption
For this episode, your opportunity to win a plush ninja cat is the following – Explain what attack disruption means and one reason why it is critical to any organization. This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14 th , 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
ASR rule exclusion issue
It looks like i cannot get ASR exclusions to works for files on my Network Shares. It works fine for local files. Investigating further i found the block was happening at the local level: Path: C:\Users\*\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B39EF45B.xlsm (eventID1121) This above location is where the network file is opened from on the local device. Can someone confirm the network share exclusions do not work?
Boost your Security Posture with a New Password Spray Detection Alert in Microsoft 365 Defender
Microsoft Defender alert policies are crucial for organizations to monitor and detect suspicious activities that may lead to cyber-attacks and data loss. These prebuilt policies help forensic investigators, security teams, and IT admins to detect and respond to potential threats promptly in their organization. What’s new? Microsoft has introduced a new alert to detect ‘Password spray attack originating from single ISP’. This new alert is absolutely a game-changer in cybersecurity, providing an additional layer of security to defend against such attacks. By identifying possible indicators of password spray attacks, organizations can take proactive measures to prevent potential breaches. Check out the blog to know more about how to identify the possible indicators of password spray attacks and the remediation actions. https://blog.admindroid.com/password-spray-attack-detection-with-new-microsoft-365-defender-alert/New blog post | Part 2: Uncovering Trackers Using the Defender EASM API
Thanks for joining me for the second installment on leveraging Trackers in Microsoft Defender External Attack Surface Management (Defender EASM) to find and manage risk in your organization. This blog post is part two of this series, building on the concepts introduced in part one about discovering your attack surface and applying this valuable inventory data to inform your security efforts at scale. As a quick refresher, in part one, we defined Trackers in Defender EASM and learned how to search for them in the User Interface (UI). This blog post will closely examine the Defender EASM Application Program Interface (API). Part 2: Uncovering Trackers Using the Defender EASM API - Microsoft Community HubJoin our Attack Disruption in Microsoft 365 Defender AMA on May 3rd!
Join us on Wednesday 5/3 at 9:00AM PST for an AMA (Ask Microsoft Anything) with the Attack Disruption team! This will be a text-based live hour of answering all your questions relating to the product. This January we announced the public preview of automatic attack disruption in Microsoft 365 Defender. The built-in attack disruption capabilities in Microsoft 365 Defender help stop the progression of advanced attacks like ransomware and business email campaigns (BEC) with advanced AI capabilities that automatically isolate compromised devices and user accounts. If you have any questions about this, come ask us! Note: If you are unable to attend the live hour, you can ask your question at any time on the event page below and the team will get to it during the event. Join here: aka.ms/AttackDisruptionAMA
Update OpenSSL recommendation
Hi all, I've been trying to find out how to deal with "openssl" recommendation that I get on almost all end user computers in Defender. I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/dll?? See some few examples below: c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll c:\program files\zoom\bin\libcrypto-3-zm.dll c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll How you deal with it? .. is that something that can be pushed via Intune..?
No email queries available
First of all: Thanks for the great webinars about MTP/Sentinel etc. I hope my question is right here. We use an E5 license in the company. But the MTP does not offer me the possibility to check emails. All options that refer to mails are not offered to me. Unfortunately I can't find a check mark to activate this area (or I don't know in which portal I should find it) I'm pretty sure that I could see the corresponding menu items last week.
Microsoft 365 Defender - Can you whitelist sites to keep messages out of quarantine
I've been using an Exchange 365 Online server for several years, and I also support several linux servers. In Exchange, I have a rule setup to whitelist the linux servers using SCL=-1 to bypass spam checking on the messages sent from the servers. All of the mail traffic from the servers are reports and/or backup output. At a glance every morning I can quickly tell if the servers are having problems. This has been working without problems for years. Starting on August 10th, some of the messages started going missing. After a bit of research I discovered that Microsoft 365 Defender began putting some of the messages into quarantine: Threats: Phish / High, Spam Delivery action: Blocked The emails being blocked are backup output from the app used on the server. It's very generic text output that mainly consists of the file names being processed by the backup. This is the first time I've even looked at Microsoft 365 defender. Is there a way to white list the servers so that the emails I'm concerned about do not end up in quarantine? Thanks, Don
Recent Blogs
- This milestone streamlines the deployment of on-premises identity security by unifying our endpoint and identity protection into a single sensor, pre-installed and ready for activation on Domain Cont...Oct 23, 2025
- 4 MIN READAs generative AI becomes a core part of enterprise productivity—especially through tools like Microsoft 365 Copilot—new security challenges are emerging. One of the most prevalent attack techniques i...Oct 06, 2025
