Forum Discussion
Sven Mihály-Bison, BA
Mar 03, 2025
Brass Contributor
How does Defender XDR work?
It's not easy to compose the right question to get the answers you are looking for. Defender XDR is driving me crazy. I used a simple KQL query to figure out which Windows machines in my network per...
micheleariis
Mar 04, 2025
MCT
Hi, Defender XDR processes endpoint logs with a delay (not real-time), so KQL queries might show no results initially and then populate later. Even if you’ve blocked Powershell.exe on ports 389/636, you may still see logs for “attempted connections.” Also, ensure your Intune firewall policies have actually been applied to all devices, and compare the event timestamps with ingestion times to confirm when events occurred vs. when they were processed.
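The advice in the reply, turned into a hunting query as an added illustration (not code from either poster): it lists outbound LDAP/LDAPS attempts by powershell.exe per device, keeps blocked attempts (ActionType ConnectionFailed) visible alongside successful ones, and shows how far behind ingestion was. The only assumption is that `ingestion_time()` is available in your hunting environment, as it is in Sentinel's Log Analytics.

```kql
// Added example, not from the thread: outbound LDAP/LDAPS activity by powershell.exe,
// with the gap between when each event happened and when it was ingested.
// Assumption: ingestion_time() is supported in your portal; if it is rejected,
// remove the two lines that reference IngestedAt / LagMinutes.
let lookback = 7d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "powershell.exe"
| where RemotePort in (389, 636)                      // LDAP / LDAPS
| extend IngestedAt = ingestion_time()
| extend LagMinutes = datetime_diff('minute', IngestedAt, Timestamp)
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            MaxLagMinutes = max(LagMinutes),
            RemoteTargets = make_set(RemoteIP, 20)
    by DeviceName, ActionType, RemotePort
| order by DeviceName asc, ActionType asc
```

A device that shows only ConnectionFailed rows and no ConnectionSuccess rows is what a working firewall block looks like; a large MaxLagMinutes explains why the same query returned nothing when first run.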