Latest Discussions
AIR (Automated Investigation and Response) disables user in Active Directory, suspends in Entra ID

My organization saw an incident yesterday with a new-to-us behavior: Defender disabled the user access in Active Directory and suspended the user in Entra ID. It was an AitM (Attacker in the Middle) scenario, which we believe was delivered via a phishing message and a shared OneDrive file. Defender correctly identified the malicious activity and disabled the account shortly after. I am curious because we have not seen this behavior before. Does anyone know if this is a new feature? Or possibly something that just hasn't hit our environment before (which seems unlikely)? I checked the following pages but didn't see anything that looked related:

- What's new in Microsoft Defender XDR
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Endpoint

I do see in security.microsoft.com under Settings > Microsoft Defender XDR > Automation > Identity automated response that we have the capability to exclude users from the automated response. It's possible this capability has been enabled for a while.

redherring, Jan 17, 2025, Occasional Reader. 4 views, 0 likes, 0 comments

API problem

All the other APIs I use work properly, but these do not:

- https://api.securitycenter.microsoft.com/api/users/{user_id}/machines
- https://api.securitycenter.microsoft.com/api/users/{user_id}/alerts

They always return an empty set. Any idea?

Gerard Forcada Bigas, Jan 15, 2025, Copper Contributor. 15 views, 0 likes, 1 comment

No Automated Investigation Triggered for High Severity Incident

Hi Community, I've noticed an issue where no Automated Investigation and Response (AIR) was invoked for a high-severity incident and alert on a device that belongs to a device group configured with full AIR. This behavior contradicts the expected principle of AIR, as outlined in the documentation: How Automated Investigation Starts.

Details:

- The device is part of a group with full AIR enabled.
- A high-severity alert/incident occurred but did not trigger any automated investigation.
- Manual actions were required to address the threat, despite AIR being enabled.

Questions:

- Has anyone experienced similar behavior where AIR is not triggered for eligible devices/incidents?
- Are there known scenarios or conditions that might prevent AIR from starting, even in fully configured groups?
- What steps can I take to troubleshoot or escalate this to ensure consistent AIR functionality?

Your insights and suggestions would be greatly appreciated! Thank you.

Marnik, Jan 15, 2025, Brass Contributor. 7 views, 0 likes, 0 comments

Web content filtering and indicators aren't working on third-party browsers

Hi, we have just noticed that web content filtering and customized indicators are not working on third-party browsers after upgrading Defender for Endpoint to 4.18.23050.3. The issue has happened on both Win10 and Win11 machines. Has anyone else got the same issue?

Spark Zhang, Jan 15, 2025, Brass Contributor. 27K views, 3 likes, 81 comments

MS Defender for Endpoint - List machines API

Is it possible to use the API below to retrieve machines with onboarding status 'Can be onboarded'? We are hitting this API from ServiceNow and it seems that it is only returning onboarded machines.

https://api.security.microsoft.com/api/machines

Reference: https://learn.microsoft.com/en-us/defender-endpoint/api/get-machines

ajitmundhekar, Jan 15, 2025, Copper Contributor. 10 views, 0 likes, 0 comments

WEB content filtering

Hello everyone, for a few days now, the “WEB content filtering” feature has not been performing its role of filtering web content by category, even though the rule is still in place and correctly configured. What surprises me is that this rule has been working for at least 2 years. I've deleted and re-created the rule several times, without success. Have you seen this behavior before? Do you know how to correct this problem?

AzeddineJOUMAR, Jan 14, 2025, Copper Contributor. 38 views, 0 likes, 2 comments

Integration of Microsoft Defender into SIEM Open Source via Syslog

Hello everyone, I have:

- Microsoft Defender central console
- Endpoints reporting to the central console
- SIEM open source

I need to be able to export all logs from the Microsoft Defender central console to the SIEM via Syslog. Could someone provide me with a guide or step-by-step configuration? Thanks in advance!

ciberociber, Jan 14, 2025, Copper Contributor. 1 view, 0 likes, 0 comments

Defender for Linux clients?

Hi all, I wonder if someone could help answer this one, as I can't get proper help from my organisation on this. I am an Ubuntu client platform developer in Sweden at a university and we wish to use MS Defender on Ubuntu desktop clients, but it seems very unclear here about the license regarding where this Defender is allowed to be run. We have it on our Windows and Mac clients today. We have a Defender package for Linux server, but can we run it? Our Windows team says it is only for Linux server and the Linux clients are excluded from the same license level that the Windows and Mac clients reside on. I tried searching the internet on this, but there is none to find, it seems. Please help.

Jaxilian, Jan 10, 2025, Copper Contributor. 1.5K views, 0 likes, 13 comments

How can I create an exception for a security recommendation for a specific device?

There are some security recommendations that I want to apply to some devices and create an exception for other devices. Is that possible? If so, how do I do that?

WillR, Jan 08, 2025, Copper Contributor. 56 views, 0 likes, 3 comments