Recent Blogs
Today, Defender for Storage released, in public preview for Commercial Cloud, the feature Automated Remediation for Malware Detection. This is for both On-upload and On-demand malware scanning. The f...
Sep 17, 2025
While System for Cross-domain Identity Management (SCIM) is the best foundation for agent identity provisioning, key enhancements are needed, says Alex Simons, Corporate Vice President of Identity an...
Sep 16, 2025
Enhance your security strategy: Learn how to unify identity and network access through practical Zero Trust measures in our comprehensive three-part series.
Sep 16, 2025
Member: TysonPaul | Microsoft Community Hub
Enhance Your Data Protection Strategy with Azure Elastic SAN’s Newest Backup Options
Team Blog: Azure Storage
Author: adarsh_v
Published: 08/18/2...
Sep 16, 2025Recent Discussions
Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
Ransomeware query
If any ransomware detection i need following query for advance hunting in defender Look for rapid file modification or creation or deletion 2. Rapid file encryption one 3. look for a ransom note 4. look for encryption algorithms 5. look for double extension 6. Also query for birth time of the fileRegistry modifications
If a file was downloaded, executed, and created a registry entry for persistence, is it enough to just delete the file from its original location? Or does the registry entry also need to be removed? What happens if it is not removed? If a malicious file created an entry under HKLM Run, HKCU Run, or RunOnce, and the file is later deleted but the registry entry is left behind, will the system still try to execute it at startup?
MDE-Onboarding issue
Hello Community, while i am trying to onboard a windows 10 machine into MDE where there is already another AV running which is Kaspersky, i am facing that issue that Microsoft AV is not able to revert its status from disabled into running state (passive mode). even if i am trying to start the service manually, it will revert itself back to the disable status. Did anyone experience that issue before between Defender AV and Kaspersky?
Single Rule for No logs receiving (Global + Per-device Thresholds)
Hi everyone, I currently maintain one Analytics rule per table to detect when logs stop coming in. Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes). In other SIEM platforms there’s usually: A global threshold (e.g., 60 minutes) for all sources. Optional per-device/per-table thresholds that override the global value. Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency? Also, if there are other approaches you use to manage “logs not received” detection, I’d love to hear your suggestions as well. This is a sample of my current rule let threshold = 1h; AzureActivity | summarize LastHeartBeat = max(TimeGenerated) | where LastHeartBeat < ago(threshold)
Little warning on the new Purview suite for M365BP
Microsoft introduced a highly needed and expected compliance suite add-on for Microsoft 365 Business Premium. Microsoft Purview Suite for Business Premium: $10/user/month Microsoft 365 BP are unable to add Microsoft 365 E5 Compliance suite $12/user/month and forced to move to M365E3 to be able to add this product. So as a Microsoft partner I was delighted to see that Microsoft introduced this new product and made it possible to give SMB customers the tools they need to comply with all kinds of regulations. BUT: What a disappointment it is, this new product. It is a lame strip down version of the E5 Compliance suite and missing essential functionality that regulated SMB customers badly need. What the was going on in de mind of the product manager who is responsible for this product. Besides missing crucial functionality like Compliance Manager, Compliance Portal and Privilege Access Management it also misses in product features. Some examples: Data Loss Prevention: Great for protection your sensitive information leaking out of your organisation, but with a little more investigation, I found out that Administrative Units is not supported Information Protection: Automatic Labels is not supported Insider Risk management: No Adaptive Protection Compliance Manager: No Policies, No Alerts DSPM for AI: No Policies So, Microsoft come on, you can do better than this and embrace SMB’s more seriously and make E5 compliance available like you did with E5 security for M365BP users and stop with this lame and incomplete product. My recommendation to M365BP customers who need Compliance add-on, don’t buy this new suite, unless you don’t need the above functionality.Data product search is broken: no results for partial terms
Searching for data products using partial terms returns zero results, despite the existence of data products with matching names. For example, searching for 'risk' yields no results even though we have three data products that have 'riskscores' in their names. I have created a support ticket, and was told that the PG has stated this behavior was by design. I just can't wrap my head around this statement. Search is the reason why data catalog tools are popular and help democratize data, and this type of searching doesn’t really help to make the data products discoverable. A feature request was created (3135) but I was also asked to post here for visibility. Here's some proof:Microsoft Entra Internet Access for iOS in Public Preview!
With the latest update to Microsoft Defender for Endpoint on iOS, Organisations licensed for Microsoft Entra Suite or Microsoft Entra Internet Access will have access to Microsoft's Secure Web Gateway (SWG) and traffic forwarding for HTTP/HTTPS traffic, with support for Web-Content Filtering. This has been a huge win for iOS Mobile Security. Previously, Defender for Endpoint on iOS has supported Phishing Protection, M365 Traffic, and Entra Private Access Traffic. Combined with Global Secure Access Threat Intelligence, which consumes indicators from Microsoft Intelligent Security Graph (ISG), Organisations can implement granular internet access controls on iOS devices with integrated, context aware protection against malicious threats. Excited to hear what you think! Release notes are available here
How to practice SC-200 content on an empty tenant
Hello, I am following the SC 200 course on Microsoft Learn. It is great and everything but my m365 business tenant is empty. I don't have VMs, logs, user activity or anything. I learned some KQL and microsoft provides some datasets for practice. Are there any such data I can load on my tenant for threat hunting and other SC-200 related practices or is there an isolated simulation environment I can use for learning?Bad quality of Defender / Intunesdocubannoying
Whenever i need learning.microsoft.com, i found their describing A) very often menulinks, which does not exist (guess its rearranged) B) very often mistakes happen: in this article https://learn.microsoft.com/en-us/defender-endpoint/android-configure-mam several parameters are described with an integer value and the same parameter a Seconds time at the same place as boolean. And so many mistakes morebi found. Well: some companies wanna earn money maybe doing training with their customers, which is necessary onlY, as the docu is unreadable or written so boring that you fall a sleep and understand nothing. Please do more qualityExclusion of Microsoft Edge Browser from Conditional Access Policies does not work
Hi, we've built a Conditional Access Policy in EntraID that forces MFA for all Cloud Apps. We want to exclude Microsoft Edge Browser so no Reauthentication is necessary for MS Edge Browser. Exclusion has been made for the "Microsoft Edge" application with the following App ID: ecd6b820-32c2-49b6-98a6-444530e5a77a However, reauthentication still pops up. No other conditional access policy is applied. It's this specific policy that requires reauthentication. What's the reason why the exclusion does not work? Is there something else necessary to be taken into consideration so the exclusion works fine? Many thanks in advance!
DLP Policy Blocking Invoices Containing Sensitive Info – Exception Not Working
Hello, I have implemented Microsoft Purview DLP policies in my organization to protect sensitive information such as Aadhaar Card, PAN Card, Driving License, and Credit Card numbers. The policies are working fine and successfully blocking sensitive data. However, I am facing an issue with invoices. When sending invoices internally or to clients, emails are getting blocked because they contain sensitive details like PAN or Aadhaar numbers. I tried adding an exception rule for invoices using the following regex in a Sensitive Info Type (SIT), and included this SIT in the NOT condition of the DLP policy: (?i)(invoice|bill|tax\s*invoice|gst\s*invoice|receipt)\s*(\b[0-9]{12}\b|[A-Z]{5}[0-9]{4}[A-Z]|[A-Z]{2}[0-9]{13}|\d{13,16}) Despite this, invoices are still getting blocked. Has anyone encountered this issue? What is the correct way to configure exceptions in DLP so that sensitive information detection continues to work but invoices containing sensitive info can still be sent? Any guidance or best practices would be greatly appreciated. Thanks in advance! DLP Policy configuration Screenshots.Need information on generating sample events for Threat Intelligence
Hi community, I am working on exploring MS Threat Intelligence and its features. But I am not able to generate sample data for this product, nor able to view the Threat Intelligence logs using Microsoft Management API following the schema - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype I tried sending some mails from external email account to my organisation's test user containing EICAR files, and also tried with some safe but malicious test URLs. But still unable to get data inside Threat Intelligence. Can someone please help me here for generating events and viewing the content using Management APIs?user-reported phishing emails
Dear Community I have a technical question regarding user-reported emails. In Defender, under “Action and Submissions” -> “Submissions,” I can see the emails that users have reported under the “user reported” option. There, we have the option to analyze these emails and mark them as “no threats found,” “phishing,” or “spam.” The user is then informed. Question: Do these reported emails remain in the user's inbox when they report them? If not, do we have the option to return these reported emails to the user's inbox with the “No threats found” action? Because I don't see this option. In another tenant, under “Choose response Action,” I see “move or delete,” but the “inbox” option is grayed out. Why is that? Thank you very much!Safeguard data on third-party collaboration platforms
I am exploring options to safeguard sensitive data in third-party collaboration platforms like GitHub and Confluence. Does Microsoft Purview provide any native integration for these platforms? Do I need to rely on third-party connectors/integrations to extend Purview’s capabilities into these environments?
Events
We begin our webinar series with a review of the latest IDC whitepaper on secure access strategies for the AI era. The document examines how organizations are focusing on integrating identity and net...
Online
Security Compute Units (SCUs) are the required resource units that power Microsoft Security Copilot, ensuring dependable and consistent performance across both standalone and embedded product experie...
Online