Forum Widgets
Latest Discussions
Unified detection rule management
Hi, I attended the webinar yesterday regarding the new unified custom detection rules in Defender XDR. I was wondering about the management of a library of rules. As with any SOC, our solution has a library of custom rules which we manage in a release cycle for a number of clients in different Tenants. To avoid having to manage rules individually we use the JSON approach, importing the library so it will update rules that we need to tune. Currently I'm not seeing an option to import unified detection rules in Defender XDR via JSON. Is that a feature that will be added? Thanks ZivMicrosoft Sentinel device log destination roadmap
I just attended the 11/5/2025 Microsoft webinar "Adopting Unified Custom Detections in Microsoft Sentinel via the Defender Portal: Now Better Than Ever" and my question posted to Q&A was not answered by the team delivering the session. The moderator told us that if our question was not answered we were to post the question in this forum. Here is the question again: "Will firewall and other device logs continue to go to Azure Log Analytics indefinitely? By Indefinitely I mean not changing in the roadmap to something else like Data Lake or Event Grid/Service Bus, etc." Thank you, JohnHow to Resolve Microsoft Authenticator App Issues
The Microsoft Authenticator app is a critical tool for securing accounts through multi-factor authentication (MFA). However, users may sometimes experience issues such as login failures, missing notifications, or app crashes. This guide will walk you through troubleshooting and resolving common Microsoft Authenticator app problems. https://dellenny.com/how-to-resolve-microsoft-authenticator-app-issues/Never Get Locked Out: The Importance of a Break Glass Admin Account
One of the simplest but most critical safeguards in Microsoft Entra ID is having a Break Glass Admin account. In my lab, I created a dedicated emergency account with: - Permanent Global Admin role (for emergencies only) - Excluded from Conditional Access policies - Strong password stored securely - Monitoring in place to detect any sign-in attempts This account is never used for daily operations — it exists only to guarantee access in case Conditional Access, MFA, or identity protection policies block all other admins. This setup prevents accidental lockouts and ensures continuity. Does your organization maintain a Break Glass Admin account, and how do you secure it?Share your experience with Microsoft Security Products on Gartner Peer Insights
At Microsoft, we believe the most valuable insights come from those who use our products every day. Your feedback helps other organizations make informed decisions and guides us in delivering solutions that truly meet your needs. We invite you to share your experiences with Microsoft Security products on Gartner Peer Insights. By leaving a review, you’ll help your peers confidently choose the right solutions and contribute to the ongoing improvement of our products and services. Why your review matters Empower others Your honest feedback helps fellow decision-makers understand how Microsoft Security products perform in real-world scenarios. Build community Sharing your experience fosters a community of practitioners who learn from each other’s successes and challenges. Drive innovation Your insights directly influence future product enhancements and features. How to participate Click on the Microsoft Security Product You would be prompted to log in or sign in to the site. Select the Microsoft Security product you know well. Share your experience, highlighting the features and outcomes that mattered most to you. It would take a few minutes to complete the survey. Rules and Guidelines Only Microsoft customers are eligible to submit reviews; partners and MVPs are not. Please refer to the Microsoft Privacy Statement and Gartner’s Community Guidelines and Gartner Peer Insights Review Guide for more information.
Getting Contextual Summary from SIT(Sensitive info types) via PowerShell cmd
Hi, I am using a PowerShell command(Export-ContentExplorerData) to extract data from an SIT. In the response, I am getting most of the data but I am interested in getting the matching primary element from Contextual summary(Content explorer) https://learn.microsoft.com/en-us/powershell/module/exchange/export-contentexplorerdata
Multiple CA on same domain
We're about to deploy a new two-tier Windows PKI in domain which already has a 1-tier Enterprise CA and wonder of possible impacts on the current configurations. Devices and Users are auto-enrolling with the current CA through GPO and what can be the impact of the new CA ? How will the users get the certificate from the old or the new CA selectively? Is it just managed by the template's security settings, which by default allow authenticated users/devices to enroll? What sort of impact can we expect ? thanks
Confusing content in several training modules
I have noticed the following content present in several training modules and I can only conclude that there are errors in the example URLs in the content. This slide is from the module called "Phishing website" but I have seen the same example in other modules. Note the following: the two example URLs in the slide are identical except for bold formatting, and this is confusing. Additionally, each example is confusing. In the section below Name, what point is served by the example URL? It seems as though the author wants the reader to understand the difference between URLs with replaced, additional, or missing characters. If we assume the reader believes their bank website may be mybanksite.net then a good example URL to illustrate an illegitimate site would be mybanksites.net, because this highlights the additional letter s in the address. But why highlight the other s in the address? And why include .135 in the example? In the section below Domain, it seems as though the author wants to teach the reader about domains (important parts of which one can find on both sides of the last period in a domain). If we assume the reader believes their bank website may be at my mybanksite.net then a good example URL to illustrate an illegitimate site would be mybanksite.135.net, because this highlights that 135.net is the part of the address that should receive the reader's focus. And what is the reader supposed to conclude from these two examples being identical? If the point is that the address is suspicious in two ways, then the slide should first introduce mybanksite.net as the correct URL. Most other slides in the training modules are excellent but I cannot feel good about assigning this misleading and confusing content to my users. Am I misunderstanding something?
Meet Your New Cybersecurity Sidekick - Microsoft Security Copilot Agents
Imagine if your security team had a super-smart assistant that never sleeps, learns from every task, and helps stop cyber threats before they become disasters. That’s exactly what Microsoft’s new Security Copilot Agents are designed to do. Why Do We Need Them? Cyberattacks are getting sneakier and faster many now use AI to trick people or break into systems. In fact, 67% of phishing attacks in 2024 used AI. Meanwhile, security teams are drowning in alerts 66 per day on average and 73% of experts admit they’ve missed important ones. That’s where Security Copilot comes in. It’s like having an AI-powered teammate that helps you investigate threats, fix issues, and stay ahead of attackers. What Are Security Copilot Agents? Think of these agents as mini digital coworkers. They’re not just chatbots they’re smart, adaptable tools that: Learn from your feedback Work with your existing Microsoft security tools Help you make faster, better decisions Keep you in control while they handle the heavy lifting They’re built to be flexible and smart unlike traditional automation that breaks when things change. Real-World Examples of What They Do Here are a few of the agents already available: Phishing Triage Agent: Automatically checks if a suspicious email is a real threat or just spam. It explains its reasoning in plain language and learns from your feedback. Alert Triage Agents (in Microsoft Purview): Helps prioritize which security alerts matter most, so your team can focus on the big stuff first. Conditional Access Optimization Agent (in Microsoft Entra): Keeps an eye on who has access to what and flags any gaps in your security policies. Vulnerability Remediation Agent (in Microsoft Intune): Spots the most urgent software vulnerabilities and tells you what to fix first. Threat Intelligence Briefing Agent: Gives you a quick, customized report on the latest threats that could affect your organization. Even More Help from Partners Microsoft is also teaming up with other companies to build even more agents. For example: OneTrust helps with privacy breach responses. Tanium helps analysts make faster decisions on alerts. Fletch helps reduce alert fatigue by showing what’s most important. Aviatrix helps diagnose network issues like VPN or gateway failures. BlueVoyant: helps to assess your SOC and recommends improvements. Why It Matters These agents don’t just save time they help your team stay ahead of threats, reduce stress, and focus on what really matters. They’re like having a team of AI-powered interns who never get tired and are always learning. Learn More 📢 Microsoft Security Blog: Security Copilot Agents Launch 🎥 https://aka.ms/SecurityCopilotAgentsVideo
