Defender for Endpoint AMA: The next evolution of automatic attack disruption
Event Ended
Tuesday, Oct 31, 2023, 09:00 AM PDT
Event details
Defenders need every edge they can get in the fight against ransomware. We're excited to share that Microsoft Defender for Endpoint customers will now be able to automatically disrupt human-operated attacks like ransomware early in the kill chain, without needing to deploy any other capabilities.
Join our AMA to ask questions on how you can use automatic attack disruption to stop a sophisticated attack early in the kill chain and how your organization can leverage unique protective capabilities offered exclusively by Microsoft 365 Defender.
An AMA is a live, text-based online event similar to an "Ask Me Anything" on Reddit. This AMA gives you the opportunity to connect with members of the Defender for Endpoint product group, who will be on hand to answer your questions and listen to feedback.
Feel free to post your questions about Defender for Endpoint anytime in the comments before the event starts, although the team will only be answering questions during the live hour.
Trevor_Rusher
Updated Oct 24, 2023
15 Comments
- Deleted
How can I assign an incident to a colleague so that they receive an email that an incident has been assigned to them and can start working on it? I can assign, but they never receive an email about it. What am I doing wrong?
- Caroline_Lee
Microsoft
Hi all, we are super excited to participate in today's AMA. Please keep in mind this AMA is focused on the most recent announcement on how Microsoft Defender for Endpoint can now disrupt human-operated attacks on its own: https://www.microsoft.com/en-us/security/blog/2023/10/11/microsoft-defender-for-endpoint-now-stops-human-operated-attacks-on-its-own/ Chat with you all in a few minutes! Thank you.
- Deleted
This is awesome. Is this only available to Defender P2 license holders?
- Caroline_Lee
Microsoft
Great question. From a licensing perspective, this specific feature is available for MDE P2 and Defender for Business, and is included in ME5. For attack disruption all up, it is included in E5. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2?view=o365-worldwide To start benefiting from this feature, ensure that your devices are onboarded to MDE and your OS version is updated from at least March 2023. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#contain-user-from-the-network
- Trevor_Rusher
Community Manager
Hey all! I want to apologize for the inconvenience, but due to unforeseen circumstances, our Subject Matter Experts will not be able to make it today. In order to land the best event possible, we are going to have to reschedule this to the same time next week. Again, I am very sorry as I know everyone's time is valuable, but hope you all can attend then. Thanks.
- GRoetman
Copper Contributor
Thank you for the update.
- C00kieMonster
Copper Contributor
What causes inconsistency with SmartScreen? We're finding that sometimes SmartScreen works and blocks certain downloads, phishing sites, etc. immediately, and then within moments SmartScreen either doesn't work at all for those same situations or takes much longer than expected to kick in. We can consistently reproduce SmartScreen's inconsistency with Microsoft's own demos at aka.ms/mde-demos.
- grmccauley
Copper Contributor
Can incidents that trigger Attack Disruption (and their remediation events) be queried somehow in Advanced Hunting (or Sentinel)? I know that there is an "Attack Disruption" tag added to incidents when viewed in the portal, but these tags don't seem to make it into the Advanced Hunting or Sentinel tables. My leadership would like a dashboard (workbook) showing all the incidents that triggered Attack Disruption and also all the remediation actions taken because of it, but I'm not able to find this info in the tables.
- noam_hadash
Microsoft
Thank you George for your question. We currently do not enable querying for initiated disruption actions in Advanced Hunting. However, we are working to enable email notifications for cases where attack disruption was initiated, so that you are notified when one occurs. We will work with the team to explore the option to expose this data in Advanced Hunting as well.
- C00kieMonster
Copper Contributor
When will Defender for Endpoint be officially supported on Linux workstation distributions? We have a lot of RHEL 8 and 9 workstations (not just servers), but the Microsoft documentation indicates only Linux server distros are supported. Unfortunately, we cannot proceed with migrating our massive Linux footprint to MDE until Microsoft officially supports MDE on Linux workstations. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide#system-requirements
- C00kieMonster
Copper Contributor
When will the Microsoft Defender for Endpoint security configuration management feature be available in GCC tenants?
- momkenanna
Copper Contributor
Hi, can I know if there is any way to generate reports from the Microsoft 365 admin center portal that show device information together with the user who logs in? I can't find such a report that has the device security status alongside the user who is logged in.
Usually, I can access the device health reports from the security portal >> Reports >> Device Health page >> Microsoft Defender Antivirus health,
but I am unable to find the user logged on to the related device.
Thanks and regards
- yairts
Microsoft
Hi Raja, this functionality does not exist today. However, you can generate a report from Microsoft 365 Defender by querying Advanced Hunting to identify which users have logged on to which devices.
This information can be queried from either DeviceLogonEvents, which are logged by Microsoft Defender for Endpoint, or IdentityLogonEvents if you have Microsoft Defender for Identity in your environment.
AH query example:
DeviceLogonEvents
| where ActionType == "LogonSuccess"
| where AccountSid startswith "S-1-5-21" and DeviceName != AccountDomain // for domain users only
| project Timestamp, DeviceId, DeviceName, LogonType, AccountSid, AccountDomain, AccountName
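The reply above lists logon rows; the report the question asked for needs one line per device with its inventory and the user last seen on it. The following Advanced Hunting query is an added example and is not yairts' query or any Microsoft sample. It joins the most recent successful domain logon from DeviceLogonEvents to the latest DeviceInfo record per device. The 7-day lookback and the Interactive/RemoteInteractive filter are choices for this report, not requirements of the tables, and the host-label comparison assumes DeviceName is recorded as an FQDN (the common case for domain-joined devices), which a plain DeviceName != AccountDomain check would not match for local accounts. Note that a KQL comment runs to the end of the line, so keep each operator on its own line when pasting.

```kusto
// Added example: last successful domain-account logon per device, joined to the
// device's latest inventory record (not the original poster's query).
// Assumptions: 7-day window; interactive logons only; DeviceName is an FQDN.
let LastDomainLogon =
    DeviceLogonEvents
    | where Timestamp > ago(7d)
    | where ActionType == "LogonSuccess"
    // S-1-5-21-* SIDs cover both domain and local machine accounts, so also drop
    // rows whose AccountDomain is the device's own host label (case-insensitive).
    | where AccountSid startswith "S-1-5-21"
        and tostring(split(DeviceName, ".")[0]) !~ AccountDomain
    | where LogonType in ("Interactive", "RemoteInteractive")
    // arg_max keeps the newest row per device and carries the listed columns with it
    | summarize arg_max(Timestamp, AccountDomain, AccountName, AccountSid, LogonType) by DeviceId;
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, DeviceName, OSPlatform, OSVersion, OnboardingStatus) by DeviceId
// leftouter keeps devices with no qualifying logon so they still appear in the report
| join kind=leftouter LastDomainLogon on DeviceId
| project DeviceId, DeviceName, OSPlatform, OSVersion, OnboardingStatus,
          LastLogonTime = Timestamp1,
          LastLogonUser = iff(isempty(AccountName), "", strcat(AccountDomain, "\\", AccountName)),
          LogonType
| order by LastLogonTime desc
```

Devices whose LastLogonUser is empty had no interactive domain logon in the window; widen the lookback or relax the LogonType filter if those rows are unexpected. Because the join is on DeviceId rather than DeviceName, renamed or re-onboarded devices still line up with their own logon history.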
- Trevor_Rusher
Community Manager
I'm very excited to share this upcoming AMA with the Defender for Endpoint team next week! Remember to please ask your questions down here in a new comment thread. You can ask them at any time leading up to or during the event but the team won't be answering questions until the live hour. Thanks!
Location
Microsoft Tech Community