Forum Discussion
ahmedamer
Apr 20, 2024 Copper Contributor
Abnormal Behavior in Users' Devices
Hi security guys, I am facing strange behaviors on Microsoft EDR that show in the timeline: Windows Defender Advanced Threat Protection\SenseIR.exe is using fake accounts which do not exist in Microso...
DylanInfosec
Apr 20, 2024 Iron Contributor
Hi ahmedamer,
Have you or someone on the team perhaps turned on the Defender for Endpoint deception features?
You can check the setting for Deception by going to your XDR dashboard > Settings > Endpoints > Advanced features and scrolling to find the setting for “Deception” towards the bottom of the features list.
If it’s on, you can confirm that the user you’re seeing is a part of the deception identities by scrolling a bit more on the endpoints menu for the “Deception rules” tab under the Rules header. There may just be one Default rule there. Click it and you should see a list of deception identities.
See more here: Configure the deception capability in Microsoft Defender XDR
Best,
Dylan