Latest Discussions
I have a query: can cloud servers be best managed by Intune / SCCM?
I have a query: can we onboard cloud servers to MS Defender and manage those servers via Intune? And are there any limitations to managing them via Intune? Also, what are the steps to onboard cloud servers via Intune?
madhusinha1 · Dec 20, 2024 · Occasional Reader · 16 Views · 1 like · 1 Comment

License requirements for running MDE on RDSH or Citrix Xenapp (On-prem multi-session OS)
Hello, I just wanted to know which MDE (Microsoft Defender for Endpoint) licenses I need to run MDE on RDSH or Citrix Xenapp (on-prem multi-session OS). Can we also use user-based licenses (such as Microsoft Defender for Endpoint Plan 1 or 2, or M365 E5 licenses), or do we always need to use a server-based license (Microsoft Defender for Servers)? brgds, joeri
JoeriK1285 · Dec 19, 2024 · Copper Contributor · 11 Views · 0 likes · 0 Comments

Failed to create object ID in Intune for new onboarded device.
We are deploying Defender for Cloud with XDR onboarding. We are implementing Defender policy with the Intune enforcement setting, and everything is working for 98% of devices. But for some devices, like Arc-enabled machines, even after going through each step and the Microsoft troubleshooting documentation, some devices are not able to create the synthetic object in Intune to receive Defender XDR policies. No solution is provided in the documentation or in the MDEclient parser. In the onboarding workflow, the synthetic object is normally created to apply the policy via Intune. But when a device fails this process, we have no solution even after re-onboarding.
Solved · EtienneFiset · Dec 18, 2024 · Brass Contributor · 40 Views · 0 likes · 2 Comments

sasValidHours parameter is not being applied in files import and SAS token is expiring in 1 hour
In Software vulnerabilities via files import (machines/SoftwareVulnerabilitiesExport?$sasValidHours=5), I set the sasValidHours parameter to an integer and I see that the generated files still have a 1 hour expiry time (checking from the 'st' and 've' values in the generated file link). Additionally, the documentation says that 'The download URLs are only valid for 3 hours; otherwise, you can use the parameter'; however, they are not even available for 3 hours, just 1 hour.
Herda · Dec 18, 2024 · Copper Contributor · 27 Views · 0 likes · 0 Comments

Device onboarded successfully, but alerts are not showing up in the portal
Hi! I am trying to set up a test tenant, where I have onboarded a few Windows 11 Pro VMs with the local script method to the Defender Portal. And everything seems to be working, except that if I create a test scenario on the device (e.g. create an EICAR file), then the local antivirus catches it, but nothing is showing up on the portal in the Incidents & Alerts menu. What is even stranger is that through the Reports menu -> Security Report, the incidents are visible in the reports, but with a 2-3 hour delay.

I have tried the following things so far:
- On the Alerts listing page, there is no filter set, so everything should be visible
- In the Alert service settings I set 'All alerts'
- I have run the MDEClientAnalyzer script; it didn't find anything suspicious
- I checked the local Event logs on the VM, and nothing suspicious there as well
- The devices are also enrolled to Intune; I created an Antivirus policy there with the default values and also a Security baseline

Additional info that might be useful:
- The Windows VMs are untouched; there isn't any other third-party antivirus software installed.
- The onboarding detection script provided on the portal is unsuccessful as well (no alerts show up)
- On the Defender portal, on the device's page, the results of Security scans are visible normally though
- The devices are enrolled to Intune with Windows Autopilot with the Hardware hash method.

Regarding licensing, I am in a Microsoft 365 E5 developer tenant, and I have activated the Defender trials on the portal. What is strange though is that when I go to Settings -> Endpoints -> Advanced features -> Microsoft Intune connection, it says "A Microsoft Intune license was not found.", so I am not able to connect the two. Even though, if I am correct, Intune is included in the developer license, and practically speaking I am also able to use it. Do you have any idea what I am missing? Alerts should work out of the box theoretically 😅.
Thank you for your help in advance: Adam
mekkelek · Dec 15, 2024 · Copper Contributor · 62 Views · 0 likes · 1 Comment

Schemas not visible in Defender in Advanced Hunting
We have Defender for Endpoint Plan 2 + Microsoft Business Premium + Entra ID P2 in our tenant. I need to hunt for a particular process or files across multiple devices. Also I need to hunt for device events. But I am not able to find the schemas in the Advanced Hunting section. The schemas not available in our tenant: DeviceEvents, DeviceFileCertificateInfo, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents. The mentioned schemas are not visible in the advanced hunting section. Devices were onboarded using Microsoft Intune, and at the time of onboarding there was already a third-party antivirus tool installed on the machines, so Defender was working in EDR Block Mode. But now all third-party antivirus has been removed and Defender is working as primary in active mode. Do I need to do any additional configuration to get data in the mentioned schemas in the advanced hunting section?
Poojan_Shah · Dec 15, 2024 · Copper Contributor · 21 Views · 0 likes · 1 Comment

How to automatically block a user's account from sending spam when an account takeover occurs.
Hi, our organisation uses MS 365 Exchange Online synced with an on-premises DC on Win Server 2019. Recently we got 2 account takeovers, which resulted in thousands of spam emails sent by those accounts. I wonder if there is a way in Defender to set a rule saying, for example, that "if a user sends 10 emails with the same object to 10 different addresses in 1 minute, lock the account". This would prevent the account from sending thousands of mails before I could manually lock it. I checked on Microsoft Learn but didn't find a way to achieve that. Is there any way to do it? Thanks.
mlapierre · Dec 15, 2024 · Copper Contributor · 29 Views · 0 likes · 1 Comment

Microsoft Defender Vulnerability Management Trial API access error
I enrolled in the Microsoft Defender Vulnerability Management Trial standalone. Registered an app in my tenant. Granted all the permissions under WindowsDefenderATP for the app. Then I tried getting a token using the following:

    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
      -d "client_id=<CLIENT_ID>" \
      -d "client_secret=<CLIENT_SECRET>" \
      -d "scope=https://api.securitycenter.microsoft.com/.default" \
      -d "grant_type=client_credentials" \
      "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token"

JWT token:

    {
      "typ": "JWT",
      "alg": "RS256",
      "x5t": "zxeg2WONpTkwN5GmeYcuTdtC6J0",
      "kid": "zxeg2WONpTkwN5GmeYcuTdtC6J0"
    }.{
      "aud": "https://api.securitycenter.microsoft.com",
      "iss": "https://sts.windows.net/bfd56b27-9b4a-4137-9327-688be945eb6d/",
      "iat": 1734046366,
      "nbf": 1734046366,
      "exp": 1734050266,
      "aio": "k2BgYBBuZZgz0Z/xBc9yZoNOo6ctAA==",
      "app_displayname": "VulnMgmt-Single",
      "appid": "d0657b55-c822-46e9-bf1b-04af2f998df0",
      "appidacr": "1",
      "idp": "https://sts.windows.net/bfd56b27-9b4a-4137-9327-688be945eb6d/",
      "idtyp": "app",
      "oid": "2bb8ece7-d8fa-4bc7-a9ee-c8ff7af9c621",
      "rh": "1.AWEBJ2vVv0qbN0GTJ2iL6UXrbWUEePwXINRAoMUwcCJHG5JiAQBhAQ.",
      "roles": [
        "Machine.Isolate", "Event.Write", "SecurityConfiguration.ReadWrite.All",
        "IntegrationConfiguration.ReadWrite", "Machine.Scan", "Ip.Read.All",
        "User.Read.All", "Machine.ReadWrite.All", "Machine.LiveResponse",
        "SecurityRecommendation.Read.All", "Machine.RestrictExecution",
        "Machine.StopAndQuarantine", "Alert.Read.All", "Software.Read.All",
        "SecurityConfiguration.Read.All", "File.Read.All", "Machine.CollectForensics",
        "Machine.Offboard", "SecurityBaselinesAssessment.Read.All",
        "Vulnerability.Read.All", "Library.Manage", "Machine.Read.All",
        "Score.Read.All", "RemediationTasks.Read.All", "Alert.ReadWrite.All",
        "AdvancedQuery.Read.All"
      ],
      "sub": "2bb8ece7-d8fa-4bc7-a9ee-c8ff7af9c621",
      "tenant_region_scope": "NA",
      "tid": "bfd56b27-9b4a-4137-9327-688be945eb6d",
      "uti": "FDXfroIpB0eXj3A4PrY7AA",
      "ver": "1.0",
      "xms_idrel": "14 7"
    }.[Signature]

I tried the token to get the machines and vulnerabilities. For all APIs I get the same error:

    {
      "error": {
        "code": "Unauthorized",
        "message": "Unauthorized request - reason of failure: Account mode is inactive",
        "target": "|be73530f-4500fd647a8fd1b9."
      }
    }

I tried the health check API: https://api.securitycenter.microsoft.com/api/health It's working (200). I can see the vulnerabilities and the devices I onboarded in the Vulnerability Management portal. I can also access the API explorer and hit some APIs successfully (like vulnerabilities and software, though I get the same error while getting the machine list and alerts, etc). But the APIs always give this error. I have verified that the Microsoft Defender Vulnerability Management Trial is Active in the Microsoft 365 portal. I also tried switching the token URL to api.security instead of the security center. Not working. Any help is greatly appreciated.
youknowme · Dec 15, 2024 · Copper Contributor · 21 Views · 0 likes · 1 Comment
Tags
- Defender (14 Topics)
- Defender for Endpoint (13 Topics)
- MDATP (13 Topics)
- defender atp (10 Topics)
- ATP (10 Topics)
- security (7 Topics)
- microsoft defender for endpoint (6 Topics)
- MDE (5 Topics)
- Microsoft Defender ATP (5 Topics)