Forum Widgets
Latest Discussions
I have a query on cloud servers can be best managed by Intune / SCCM?
I have a query: can we onboard cloud servers to MS Defender and manage those servers via Intune? And do we have any limitations to manage via Intune? Also, what are the steps to onboard via Intune for cloud servers?madhusinha1Dec 26, 2024Copper Contributor65Views1like5CommentsCERTIFICATION PATH and EXAM CODE: Microsoft Defender for Endpoint
Hi Everyone Merry Christmas, I am interested in learning "Microsoft Defender for Endpoint" only. Could you please help with the certification path and Exam code for "Microsoft Defender for Endpoint" only. , I explored all the Microsoft documents and credential portals but its confusing or I am not able to understand.SIntuneDec 25, 2024Copper Contributor21Views0likes0CommentsLicense requirements for running MDE on RDSH or Citrix Xenapp (On-prem multi-session OS)
Hello, just wanted to know which MDE (Microsoft Defender for Endpoint) licenses I need to run MDE on on RDSH or Citrix Xenapp (On-prem multi-session OS). Can we also use user-based licenses (such as Microsoft Defender for Endpoint Plan 1 or 2 or M365 E5 licenses) or do we always need to use server-based license (Microsoft Defender for Servers)? brgds, joeriJoeriK1285Dec 24, 2024Copper Contributor18Views0likes1CommentFailed to create object ID in Intune for new onboarded device.
We are deploying Defender for Cloud with XDR onboarding. We are implementing Defender policy with Intune enforcement setting, everything is working for 98% of devices as well. But, for some devices like Arc enabled machines, after going through each step and Microsoft troubleshooting documentation. Some devices are not able to create the synthetic object in Intune to receive Defender XDR policies. No solution is provided in the documentation or in MDEclient parser. In the onboarding workflow, the synthetic object is normally created to apply the policy via Intune. But, when a device fails this process, we have no solution even after re-onboarding.SolvedEtienneFisetDec 18, 2024Brass Contributor42Views0likes2CommentssasValidHours parameter is not being applied in files import and SAS token is expiring in 1 hour
In Software vulnerabilities via files import machines/SoftwareVulnerabilitiesExport?$sasValidHours=5 , I set sasValidHours parameter to an integer and I see that the generated files still have 1 hour expiry time (checking from 'st' and 've' values in the generated file link). Additionally, the documentation says that 'The download URLs are only valid for 3 hours; otherwise, you can use the parameter', however they are not even available for 3 hours, just 1 hour.HerdaDec 18, 2024Copper Contributor30Views0likes0CommentsDevice onboarded successfully, but alerts are not showing up in the portal
Hi! I am trying to setup a test tenant, where I have onboarded a few Windows 11 Pro VMs with the local script method to the Defender Portal. And everything seems to be working, except that if I create a test scenario on the device (e.g. create an EICAR file), then the local antivirus catches it, but nothing is showing up on the portal in the Incidents & Alerts menu. What is even more strange, that through the Reports menu -> Security Report, the incidents are visible in the reports, but with a 2-3 hour delay. I have tried the following things so far: On the Alerts listing page, there is no filter set, so everything should be visible In the Alert service settings I set 'All alerts' I have run the MDEClientAnalyzer script, it didn't find any suspicious thing I checked the local Event logs on the VM, and nothing suspicious there as well The devices are also enrolled to Intune, I created an Antivirus policy there with the default values and also a Security baseline Additional info that might be useful: The Windows VMs are untouched, there isn't any other third party antivirus software installed. The onboarding detection script provided on the portal is unsuccessful as well (No alerts show up) On the Defender portal, on the device's page, the result of Security scans are visible normally though The devices are enrolled to Intune with Windows Autopilot with the Hardware hash method. Regarding licensing, I am in a Microsoft 365 E5 developer tenant, and I have activated the Defender trials on the portal. What is strange though, is when I go to Settings -> Endpoints -> Advanced features -> Microsoft Intune connection, then it says "A Microsoft Intune license was not found.", so I am not able to connect the two. Even though if I am correct, Intune is included in the developer license, and practically speaking I am also being able to use it. Do you have any idea what am I missing? Alerts should work out of the box theoretically😅.. Thank you for your help in advance: AdammekkelekDec 15, 2024Copper Contributor73Views0likes1CommentSchemas not visible in Defender in Advanced Hunting
We have defender for endpoint Plan 2 + Microsoft Business Premium + Entra ID P2 in our tenant. I need to hunt for a particular process or files across multiple devices. Also i need to hunt for device events. But i am not able to find the schemas in Advanced Hunting Section. The schemas not available in our tenant: DeviceEvents DeviceFileCertificateInfo DeviceFileEvents DeviceImageLoadEvents DeviceInfo DeviceLogonEvents DeviceNetworkEvents DeviceNetworkInfo DeviceProcessEvents . The mentioned schemas are not visible in advanced hunting section. Devices were onboarded using microsoft intune and at time of onboarding, there was already a third party antivirus tool installed on machines so Defender was working in EDR Block Mode. But now all third party antivirus are removed and defender is working as primary in active mode. Do i need to do any additional configuiration to get data in the mentioned schemas in advanced hunting sectionPoojan_ShahDec 15, 2024Copper Contributor25Views0likes1CommentHow to automaticaly block a user's account to send spam when an account takepver occurs.
Hi, Our organisation use MS 365 Exchange online sync with an on premise DC on Win Server 2019 Recently we got 2 accounts takeover which result thousands spam send by thoses accounts. I wonder if there is a way in Defender to set a rule saying for exemple that "if a user send 10 emails with the same object to 10 differents address in 1 minute, lock the account". This would prevent that the account send thousands mails before I could manually locked it. I checked on Microsoft learn. but didnt fin a way to acheive that. There is any way to do it? Thanks.mlapierreDec 15, 2024Copper Contributor32Views0likes1Comment
Resources
Tags
- Defender14 Topics
- Defender for Endpoint13 Topics
- MDATP13 Topics
- ATP10 Topics
- defender atp10 Topics
- security7 Topics
- microsoft defender for endpoint6 Topics
- MDE5 Topics
- Microsoft Defender ATP5 Topics