Microsoft Tech Community

XDR Deception




I need some assistance with deploying an XDR deception rule. Here's the situation:


I have created a deception rule with a specific tag, including 5 decoys and 2 lures. However, I'm encountering a problem with the deployment process. After 24 hours (deployment), I'm facing the following issues:


- The rule has been deployed to only one tagged host out of a total of 4 hosts.
- Only one decoy has been created out of the 5 decoys I configured.

I've tried looking into the settings and redoing everything from scratch, but the issues persist.

Has anyone encountered a similar problem or have any insights on how to resolve this? Your assistance would be greatly appreciated!


Thanks in advance!

4 Replies

Hi @ansboss,

I experienced a similar situation, but it seemed to correct itself after another day. Can you confirm the lures landed in their expected locations?


TBH I could’ve done more to confirm whether it was an actual deployment issue or just a UI bug. I would give it another day, make sure those devices are on and checking in to Defender regularly.






I have used both {HOME}/ and C:\Users.

My fifth attempt to deploy is still in progress after over three days.

Any update from your side?

Thank you

Hey @ansboss,

I had success a few days later using {HOME}\. Ensure you use a backslash; I see you may have used a forward slash above.


I’m actually looking right now and can confirm I have a UI bug where my test rule says it’s still “In progress” and deployed to 0 devices. Yet I can confirm that the lures have all been set on my device. This is a “Basic” deception rule so I wonder if there’s an issue with the decoys being configured in the rule but not pushed down to the system as it’s not advanced.

You can check out the rule I created and the working paths I used for the rule on my blog, here (Attack the SOC). Will also put a change request for the MS Docs to include an example of how to properly format the {HOME} variable as I did the same thing you did.


- Dylan

Hi @ansboss,

Wanted to check in and see how things have gone for you.


How’s it all looking?


- Dylan