Recent Discussions
MDI AD CS sensor not switching from removed DC
We are in the process of replacing our Domain Controllers. What I found is that the MDI sensor on our PKI server is still stuck with a domain controller which has been demoted and removed from the domain. (Sensor version: 2.250.18972.18405) I guess, if I reinstall the sensor, it will find a new domain controller - but what if it finds a DC that is to be decommissioned? Should I reinstall the sensor until it choses a "new" DC? Thank you in advance, Daniel
Unified detection rule management
Hi, I attended the webinar yesterday regarding the new unified custom detection rules in Defender XDR. I was wondering about the management of a library of rules. As with any SOC, our solution has a library of custom rules which we manage in a release cycle for a number of clients in different Tenants. To avoid having to manage rules individually we use the JSON approach, importing the library so it will update rules that we need to tune. Currently I'm not seeing an option to import unified detection rules in Defender XDR via JSON. Is that a feature that will be added? Thanks ZivMicrosoft Sentinel device log destination roadmap
I just attended the 11/5/2025 Microsoft webinar "Adopting Unified Custom Detections in Microsoft Sentinel via the Defender Portal: Now Better Than Ever" and my question posted to Q&A was not answered by the team delivering the session. The moderator told us that if our question was not answered we were to post the question in this forum. Here is the question again: "Will firewall and other device logs continue to go to Azure Log Analytics indefinitely? By Indefinitely I mean not changing in the roadmap to something else like Data Lake or Event Grid/Service Bus, etc." Thank you, JohnCan’t Remove Defender Tag After Asset Rule Was Deleted
Hi all, I’m facing an issue where a rule-based tag in Microsoft Defender for Endpoint remains visible on devices even after I deleted the original asset rule. The rule was disabled and deleted months ago, but the tag still appears under Rule-based tags in the device details. Even using the API or PowerShell doesn’t show or remove it. Is there any supported way to force a tag refresh or clear orphaned rule-based tags from the Defender portal? Thanks in advance, Luca
Survey: Microsoft Purview Retention Labels in Outlook Mobile (iOS/Andriod)
We need your input! Today, in Outlook for Windows, Outlook for the Web, and (currently rolling out) Outlook for Mac, end-users can manually apply Microsoft Purview retention labels and MRM personal tags to individual emails and non-default (user-created) folders. The Outlook and Data Lifecycle Management product groups are interested in learning from our customers how important that same functionality would be in Outlook for Mobile (iOS/Android). Please consider filling out and sharing the following survey to let us know how this feature would or would not be useful to you and your organization: https://aka.ms/RetentionLabels-OutlookMobile Please note that your responses will remain anonymous unless you choose to provide contact information at the end of the survey.Defender for Endpoint Firewall Rules Not Applying to Devices
Hello Security Experts, I’m currently deploying Microsoft Defender for Business and trying to enforce firewall configurations directly from the Defender portal. However, I’ve noticed that the settings are not applying to any of the onboarded devices — nothing changes on the endpoints. Do firewall rules in Defender for Endpoint require Intune to be enforced, or should they work standalone? And if Intune isn’t used, what’s the best approach to apply consistent Defender firewall rules across devices? Thanks, LucaQuestion malware detected Defender for Windows 10
Why did my Microsoft Defender detect a malicious file in AppData\Roaming\Secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml) during a full scan and the Kaspersky Free and Malwarebytes Free scans didn't detect it? Was it maliciously modifying, corrupting, or deleting various files on my PC before detection? I sent it to Virus Total, the hash: 935cd9070679168cfcea6aea40d68294ae5f44c551cee971e69dc32f0d7ce14b Inside the same folder as this DLL, there's another folder with a suspicious file, Caller.exe. I sent it to Virus Total, and only one detection from 72 antivirus programs was found, with the name TrojanPSW.Rhadamanthys. VT hash: d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828Question many malwares types and files
What are the names of types of malware that acess, modify, delete, or corrupt PC hdd and ssd files (Windows files and personal files, games, music, executables, ISO, IMG, RAR, ZIP, 7Z)? Does all malware have the potential to do this? In this case, how are the malware QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml), Caller.exe (DrWeb detects Trojan.DownLoader47.36298), and Caller.exe (VBA32 detects TrojanPSW.Rhadamanthys) classified?
Azure AD PIM token lifetimes
Does anyone know if Azure AD PIM has any impact on token lifetimes? I know an access token remains valid for 1 hour whereas a refresh token can have long life. Does this mean if user activates their role for only 30mins, they will continue to have privileged access for at least one hour unless user explicitly logs-out of the session.Using Microsoft Graph Security API for Custom Security Automations
Hi Security Experts, I’ve recently started exploring the Microsoft Graph Security API to centralize and automate security operations across different Microsoft 365 services. The idea is to build a single automation layer that can: Collect alerts from Defender for Endpoint, Defender for Cloud, and Identity Protection; Enrich them with context (user, device, and location data); And automatically push them to an external system like Jira, n8n, or a custom SOAR workflow. I was able to authenticate and list alerts using the endpoint: “GET https://graph.microsoft.com/v1.0/security/alerts” However, I’m still trying to understand the best practices for handling rate limits, pagination, and permissions — especially when integrating continuous polling or real-time ingestion into external tools. Has anyone here implemented Graph Security API automations in production? I’d love to hear about your experiences — specifically around performance, alert filtering, and authentication (App Registration vs Managed Identity). Thanks in advance, LucaHigh CPU Usage by Microsoft Defender (MsMpEng.exe) on Azure Windows Server 2019
Hi everyone, I’ve been seeing consistent CPU spikes from MsMpEng.exe (Antimalware Service Executable) on several Windows Server 2019 Datacenter VMs hosted in Azure. The usage reaches 100% for about 10–15 minutes daily, always around the same time. No manual scans are scheduled, and limiting CPU usage with Set-MpPreference -ScanAvgCPULoadFactor didn’t help. Could this be related to Defender’s cloud protection update cycle, or possibly a backend maintenance task from Defender for Cloud? Is there a recommended way to throttle or schedule these background Defender tasks in production environments? Appreciate any insights, LucaDefender for Endpoint Conflicting with Internal Firewall Authentication
Hi Security Experts, After onboarding a few devices into Defender for Endpoint, I noticed that those machines started having connection drops to the company’s internal firewall. They constantly re-authenticate before regaining web access. Devices not onboarded into Defender don’t experience this issue. Could Defender’s network protection or proxy policies be interfering with the internal firewall authentication flow? Any recommendations on how to keep Defender active while keeping the internal firewall as the primary control point? Thanks for any suggestions, LucaAutomating Defender Alerts with CISA KEV and n8n – Has anyone tried similar workflows?
Hi everyone, I’ve been experimenting with n8n automation to improve vulnerability management. I created a workflow that cross-references Microsoft Defender for Endpoint vulnerabilities with the CISA Known Exploited Vulnerabilities (KEV) catalog, and then automatically creates Jira tickets for remediation. The flow takes about 16 seconds to run and prioritizes only the CVEs that are both present in the environment and listed in KEV. Has anyone here built similar automation (maybe with Logic Apps, Power Automate, or Sentinel playbooks)? Would love to hear how others handle vulnerability prioritization or ticket creation!Automação de Alertas do Defender com o Catálogo KEV da CISA usando n8n
Overview Recently, I decided to explore how automation could help simplify daily security operations, especially in vulnerability management. While studying n8n, an open-source automation platform, I saw the opportunity to connect it with Microsoft Defender for Endpoint and the CISA Known Exploited Vulnerabilities (KEV) Catalog. The goal was simple: build an automated workflow that identifies which vulnerabilities detected in Defender are actively exploited in the wild, and then create actionable tickets in Jira for remediation teams — automatically and with full context. Why I Built This Most security teams deal with thousands of vulnerabilities every week, but only a small portion are actually being exploited. I wanted to find a way to prioritize what truly matters without adding more manual work. Defender for Endpoint already provides strong vulnerability data, but by combining it with the CISA KEV catalog, we can instantly highlight high-risk CVEs that need urgent attention. This project was also a great opportunity to test n8n’s flexibility and API-handling capabilities in a real-world cybersecurity scenario.
Little warning on the new Purview suite for M365BP
Microsoft introduced a highly needed and expected compliance suite add-on for Microsoft 365 Business Premium. Microsoft Purview Suite for Business Premium: $10/user/month Microsoft 365 BP are unable to add Microsoft 365 E5 Compliance suite $12/user/month and forced to move to M365E3 to be able to add this product. So as a Microsoft partner I was delighted to see that Microsoft introduced this new product and made it possible to give SMB customers the tools they need to comply with all kinds of regulations. BUT: What a disappointment it is, this new product. It is a lame strip down version of the E5 Compliance suite and missing essential functionality that regulated SMB customers badly need. What the was going on in de mind of the product manager who is responsible for this product. Besides missing crucial functionality like Compliance Manager, Compliance Portal and Privilege Access Management it also misses in product features. Some examples: Data Loss Prevention: Great for protection your sensitive information leaking out of your organisation, but with a little more investigation, I found out that Administrative Units is not supported Information Protection: Automatic Labels is not supported Insider Risk management: No Adaptive Protection Compliance Manager: No Policies, No Alerts DSPM for AI: No Policies So, Microsoft come on, you can do better than this and embrace SMB’s more seriously and make E5 compliance available like you did with E5 security for M365BP users and stop with this lame and incomplete product. My recommendation to M365BP customers who need Compliance add-on, don’t buy this new suite, unless you don’t need the above functionality.How to Resolve Microsoft Authenticator App Issues
The Microsoft Authenticator app is a critical tool for securing accounts through multi-factor authentication (MFA). However, users may sometimes experience issues such as login failures, missing notifications, or app crashes. This guide will walk you through troubleshooting and resolving common Microsoft Authenticator app problems. https://dellenny.com/how-to-resolve-microsoft-authenticator-app-issues/
Recent Blogs
- Introduction Microsoft Sentinel is evolving rapidly, transforming to be both an industry-leading SIEM and an AI-ready platform that empowers agentic defense across the security ecosystem. In our re...Nov 05, 2025
- 4 MIN READThe cybersecurity threat landscape continues to evolve with novel attacks and techniques emerging each day. Microsoft Defender Experts for Hunting, included with Microsoft Defender Experts for XDR, h...Nov 03, 2025
