Latest Discussions
Microsoft Defender for Endpoint and WDAC audit logs do not include kernel audit/blocks

While testing WDAC on a fully patched Win11 Pro machine, I noticed that kernel audit/block events do not get collected by MDE in the advanced hunting portal; only user mode audit/blocks are collected. Can anyone confirm they see this too, and is this by design?

My test case is to use a Strict Kernel Mode WDAC policy (as per: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) which is active, using the Global Secure Access client as my test. When the machine boots, the below event is generated locally on the machine:

This event is never shown on the MDE advanced hunting portal, though user events do show. Examples of events that are coming through:

Not receiving these events centrally for auditing would make deploying a kernel mode WDAC control impossible. It would be amazing if the Microsoft product team could look into this and resolve it, as these alerts should be captured as well, please, to facilitate deployment of more secure controls.

Warren212, Jun 12, 2026, Copper Contributor. 10 Views, 0 likes, 0 Comments

Ways to fetch quarantine files

We are working with quarantine files and have a few questions:
1. Is there a public API available to retrieve quarantined files from Microsoft Defender for Endpoint?
2. Is there a documented method to map an alert or a file SHA-1/SHA-256 hash to the corresponding object in the Defender quarantine store?
3. Is there a way to retrieve quarantined files other than using a PowerShell script through the Live Response API?

Dhwani_Shah, Jun 08, 2026, Copper Contributor. 24 Views, 0 likes, 0 Comments

Understanding AI workloads on Linux

Hi everyone, I'm a PM working on security for Linux environments and trying to better understand how AI workloads are actually showing up in production today. Would appreciate hearing from folks here:
- Are you running any AI workloads on Linux today? Or actively exploring?
- What does your deployment/setup look like — e.g., model training/inference, agents, MCP servers, data pipelines, etc.?
- How are you thinking about securing this stack, if at all?
If you're open to a quick 30-min chat, I'd love to learn more from your experience as well. Thanks in advance — this will directly help shape where we invest next.

tejaskashyap, Jun 02, 2026, Microsoft. 45 Views, 0 likes, 0 Comments

runHuntingQuery API and 'evaluate pivot'

Seem to have a problem where any request to the runHuntingQuery API with 'evaluate pivot' fails with error": { "code": "UnknownError", "message": "",
Is this just a 'feature'? The query happily runs through the website/XDR portal. :-( Is there a way to simulate a pivot (easily) in Power Apps?

Tim4, May 26, 2026, Copper Contributor. 65 Views, 0 likes, 1 Comment

Larac2shell: Turning MDE Live Response into a near real-time shell. We are the EDR!

https://github.com/akefallonitis/larac2shell
Turning MDE Live Response into a near real-time interactive shell; beta version out.
Features:
- Internal (thanks to https://www.linkedin.com/in/fabianbader/ - https://www.linkedin.com/in/nathanmcnulty/ and xdrinternals research) vs external API authentication
- Arbitrary command execution via pre-uploaded base64 wrapper script
- Cross-OS support
PS: Two MSRC bugs reported for direct command execution bypass; waiting for Microsoft response in order to publish them.
Coming SOON TM: Full LaraC2 Post Exploitation OST framework over MDE as C2/C3 channel - We are the EDR / No external infra / Onboarding to your controlled tenant silencing MDE.
Happy testing 🥳 🎉

alkefallonitis, May 08, 2026, Copper Contributor. 85 Views, 0 likes, 2 Comments

Microsoft Defender VPN - Android Auto Communication error 21

Hi, using Microsoft Defender for Endpoint VPN (com.microsoft.scmx) has caused connection issues with Android Auto (see attached image), and users cannot get it to load. The only way it seems to get this to work is to turn off the VPN, which we do not want to do as it's an Intune-managed corporate device on which we want the VPN always working for security reasons. Has anyone got any solution?
Users receive the following error: Communication error 21 - Being connected to a VPN may prevent Android Auto from starting. If you're using a VPN, turn it off and try reconnecting to Android Auto.
Thanks, Mark

Mondas, Apr 21, 2026, Iron Contributor. 9.7K Views, 0 likes, 5 Comments

telemetryd_v2 High CPU in macOS

I've been seeing this process have consistently high CPU use. According to Activity Monitor, it's a child process of wdavdaemon_enterprise. I tried disabling real-time protection, but that did not decrease the CPU use. The other notable change that I can think of is that I downloaded the Chromium codebase yesterday and built it, so I'm wondering if that's causing the cloud submission process to go crazy. I looked at https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-worldwide, but it only discusses real-time scanning. Can anyone provide insight on what this specific process is responsible for? Thanks.

DK1, Apr 11, 2026, Brass Contributor. 13K Views, 0 likes, 8 Comments

Defender for Business - No alert after process lock out?

Hello all, a few days ago I set up Defender for Business server on a Windows Server 2019. I can see that server in the Microsoft security portal devices list. I have also tested the "suspicious" PowerShell command provided by Microsoft and it went all good: PowerShell blocked, alert escalated as an incident in the security portal, email received, ...
But the next day, I tried to install a service on that server that got blocked by Virus & Threat Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real threat and was later added as an exception). My worry is that it was never escalated to the security portal; I didn't receive an alert email. The system blocked that "threat" multiple times during my attempt to deploy it and no incident was thrown. What could be wrong? Thank you.

karnalta, Mar 28, 2026, Copper Contributor. 144 Views, 0 likes, 3 Comments

Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)

Hi everyone! I'm working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions:
1. MDE in Passive Mode as a sensor: Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR?
2. Appliance sensor in Enterprise IT: If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases?
3. Coexistence / Complementary sensors: Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features? Any guidance on architecture, data overlap/deduplication, or licensing implications?

gabpereira, Mar 26, 2026, Microsoft. 326 Views, 0 likes, 1 Comment

Microsoft Defender for Endpoint for Vulnerability Management and Reporting

Hi All, we're currently using Rapid7 for vulnerability management and reporting, but we're actively evaluating the possibility of moving to Microsoft Defender for Endpoint going forward. We'd like to better understand how to properly leverage Defender for Endpoint for vulnerability management and reporting. If this means using custom reports—such as building dashboards in Power BI—we're definitely open to that approach. At a high level, we're looking for guidance on best practices and the right direction to meet the following requirements:
- Ongoing vulnerability tracking and remediation
- Clearer reporting on vulnerability trends and areas needing improvement
- Breakdown of vulnerabilities by severity (Critical, High, Medium, Low), grouped by aging buckets (e.g., 30, 60, 90 days)
- Defender Secure Score reporting over time (30, 60, and 90-day views)
- Visibility into non-compliant devices in Intune, including devices in grace period and PCs that have checked in within the last 14 days
Any recommendations, examples, or pointers to documentation or reporting approaches would be greatly appreciated. Thanks in advance, Dilan

Dilan. Solved. 451 Views, 1 like, 3 Comments