Microsoft Defender for Endpoint topics

Defender for Business - No alert after process lock out ?

karnalta — Tue, 27 Jan 2026 11:43:15 GMT

Hello all,

A few days ago, I have setup Defender for business server on a Windows Server 2019.

I can see that server in the Microsoft security portail devices list.

I have also tested the "suspicious" powershell command provided by Microsoft and it went all good. Powershell blocked, alert escaladed as incident in the security portal, email received, ...

But the next day, I tried to install a service on that server that got blocked by Virus & Thread Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real thread and was later added as exception).

My worry is that it was never escaladed to the security portal, I didn't received a alert email, .. The system blocked that "thread" multiple times during my attempt to deploy it and no incident were throw.

What could be wrong ?

Thank you.

Save the date - January 26, 2026 - AMA: Secure your endpoints with policy and Microsoft Defender

Pearl-Angeles — Tue, 20 Jan 2026 22:13:25 GMT

Save the date for January 26 at 8:00 AM PT! Have questions about using Microsoft Intune to enforce device compliance? Curious how to configure devices to help prevent security breaches and limit the impact of threats? Ask Microsoft Anything (AMA) about integrating Microsoft Defender for Endpoint with Microsoft Intune at Tech Community Live!

Product teams will be answering your questions live and in chat. Get tips using policy to onboard devices, define risk level, block non-compliant devices from accessing corporate resources, and more.

Go to aka.ms/AMA/SecureEndpoints to save the date and add this event to your calendar!

Defender for Identity health issues

zlate81 — Mon, 19 Jan 2026 11:31:19 GMT

When will the issues/alerts from defender for identity sensors be available to view via advanced hunting instead of the Graph API and "/security/identities/healthIssues"

Using MDE (Passive Mode) with Palo Alto Cortex XDR to enable Defender for IoT (Enterprise IoT)

gabpereira — Wed, 14 Jan 2026 13:56:04 GMT

Hi everyone!
I’m working with a customer that uses Palo Alto Cortex XDR as their primary EDR. We want to leverage Microsoft Defender for IoT specifically for Enterprise IoT (not OT/ICS). I have a few questions:

MDE in Passive Mode as a sensor:
Can Microsoft Defender for Endpoint (MDE) running in Passive mode act as a sensor to enable Enterprise IoT discovery/monitoring for Defender for IoT? Are there any feature limitations when MDE is not the primary EDR?
Appliance sensor in Enterprise IT:
If we cannot use the MDE agent, is it supported to deploy the Defender for IoT appliance sensor in an enterprise IT network (e.g., offices/campuses) to cover Enterprise IoT use cases?
Coexistence / Complementary sensors:
Is it possible (and recommended) to run the appliance sensor alongside MDE (sensor) to complement coverage/features? Any guidance on architecture, data overlap/deduplication, or licensing implications?

Alert tuning for Custom detection rules

mikhailf — Tue, 13 Jan 2026 18:40:36 GMT

undefined

MS Defender setting

sangbin — Mon, 12 Jan 2026 01:19:46 GMT

Hello, I have a question.

I'm not an English-speaking country, so please understand any shortcomings.

I'm trying to block or alert on specific URLs in Microsoft Defender > Settings > Endpoint > Rules > Indicators. I've completed the setup, but I'd like to customize the screen that appears on the webpage when an alert is triggered.

Is there a way to do this?

Thank you in advance for your help.

Grounds up

ozanwilliams — Wed, 07 Jan 2026 10:30:30 GMT

A business that respects others to help kis be business owners

Latest Threat Intelligence (December 2025)

Theo_Cohen — Mon, 29 Dec 2025 07:00:11 GMT

Microsoft Defender for IoT has released the December 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file), for more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 5c642a16bf56cb6d98ef8b12fdc89939

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Microsoft Defender for Endpoint for Vulnerability Management and Reporting

dilanmic — Sat, 13 Dec 2025 21:05:29 GMT

Hi All,

We’re currently using Rapid7 for vulnerability management and reporting, but we’re actively evaluating the possibility of moving to Microsoft Defender for Endpoint going forward. We’d like to better understand how to properly leverage Defender for Endpoint for vulnerability management and reporting.

If this means using custom reports—such as building dashboards in Power BI—we’re definitely open to that approach. At a high level, we’re looking for guidance on best practices and the right direction to meet the following requirements:

Ongoing vulnerability tracking and remediation
Clearer reporting on vulnerability trends and areas needing improvement
Breakdown of vulnerabilities by severity (Critical, High, Medium, Low), grouped by aging buckets (e.g., 30, 60, 90 days)
Defender Secure Score reporting over time (30, 60, and 90-day views)
Visibility into non-compliant devices in Intune, including devices in grace period and PCs that have checked in within the last 14 days

Any recommendations, examples, or pointers to documentation or reporting approaches would be greatly appreciated.

Thanks in advance,

Dilan

Correct firewall log names to be included in a Defender investigation package?

BenDodson1 — Fri, 12 Dec 2025 14:57:54 GMT

Hi - first time poster,

I work in a SecOps team using Defender for Endpoint. I noticed that when we collect an investigation package from a device in Defender that the firewall logs aren't being found. The advice on Microsoft Learn articles seems to be contradictory as to what firewalls should be named as:

Take response actions on a device in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

FirewallExecutionLog.txt and pfirewall.log

The pfirewall.log file must exist in %windir%\system32\logfiles\firewall\pfirewall.log, so it's included in the investigation package. For more information on creating the firewall log file, see Configure the Windows Firewall with Advanced Security Log.

This section implies for the firewall log to be collected it has to be called "pfirewall.log" but on the linked page it is recommended to change the log file names:

For each profile (Domain, Private, and Public) change the default log file name from %windir%\system32\logfiles\firewall\pfirewall.log to:

%windir%\system32\logfiles\firewall\pfirewall_Domain.log
%windir%\system32\logfiles\firewall\pfirewall_Private.log
%windir%\system32\logfiles\firewall\pfirewall_Public.log

We have tested the changed names and they are not found by the investigation package. Which one is recommended and is the logic used in the Defender investigation package correct?

Latest Threat Intelligence (November 2025)

Theo_Cohen — Fri, 12 Dec 2025 11:03:13 GMT

Microsoft Defender for IoT has released the November 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: 0ed5b864101c471d987b332fc8619551

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Latest Threat Intelligence (October 2025)

Theo_Cohen — Fri, 12 Dec 2025 11:03:08 GMT

Microsoft Defender for IoT has released the October 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: 01757cbb8de8dfb10b140e0e6a1dfe41

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Latest Threat Intelligence (September 2025)

Theo_Cohen — Mon, 29 Sep 2025 07:58:40 GMT

Microsoft Defender for IoT has released the September 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: 14bf7b135c8c6d61d39ba6c28991f300

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Latest Threat Intelligence (August 2025)

Theo_Cohen — Fri, 12 Dec 2025 11:02:58 GMT

Microsoft Defender for IoT has released the August 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: 6d6cf3931c4e7ad160a74d4fad19a89c

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Can't see any devices from the sensor inventory in Microsoft Defender Portal

Edgar Sosa — Wed, 06 Aug 2025 17:22:43 GMT

In theory Sensor inventory feeds site security inventory directly from the sensor to Microsoft Defender Portal but any device is shown just the Defender for Endpoint discovered OT devices, is there anything missing to enable integrated sensor and Defender for Endpoint OT inventory

Within Azure Defender for IoT device inventory from sensor is correctly shown but not in Defender Portal

Latest Threat Intelligence (July 2025)

Theo_Cohen — Fri, 12 Dec 2025 11:02:49 GMT

Microsoft Defender for IoT has released the July 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: 8581e1e0d30133191885115d73b38cf9

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

E5 Enterprise IoT

fgulus — Fri, 12 Dec 2025 11:02:44 GMT

We have Microsoft 365 E5 licenses, and all of them are properly assigned. However, Enterprise IoT is not showing up in Device Discovery. It was enabled before but disappeared. Is there any experience/suggestion how we can fix this?

Latest Threat Intelligence (June 2025)

Theo_Cohen — Fri, 12 Dec 2025 11:02:38 GMT

Microsoft Defender for IoT has released the June 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: 06f35a3010697d7978bf89a13f6ae27e

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Latest Threat Intelligence (May 2025)

Theo_Cohen — Fri, 12 Dec 2025 11:02:32 GMT

Microsoft Defender for IoT has released the May 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Guidance

Update your system with the latest TI package

MD5 Hash: d24a971301003c37622f21b7e30a80cb

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release, click here for more information.

Azure IoT Hub Defender Micro Agent on Yocto/STM32MP1 – No Defender Metrics in IoT Hub Portal

shreyaschandran — Fri, 12 Dec 2025 11:02:27 GMT

Hi all,

I'm currently running the Azure IoT Defender Micro Agent on a Yocto-based image (STM32MP1), and although the logs suggest the agent is working and sending data, no Defender metrics are visible in the Azure IoT Hub portal under Defender Metrics.

Setup Details:
Platform: STM32MP1 with Yocto Linux

Transport: AMQP

IoT Hub connection: Successful

Cloud messages: send_confirm_callback success and device twin updates with result 200

Collectors enabled: SBoM, NetworkActivity, Heartbeat, LogCollector, Process, FileSystem, Peripheral, Baseline, etc.

Observations:
Logs show telemetry batching with message sizes up to 101KB.

Agent attempts to read common paths like /etc/crontab fail with errno=[2] (file not found), which is expected given it's an embedded system.

Repeated logs like Failed to stat() on=/proc/[pid]/cmdline, not sure if it's a blocker.

Main Issue:
Even though the agent appears to be collecting data and successfully sending messages, the Defender Metrics tab in the IoT Hub Portal remains empty, making it hard to verify if Defender is actively evaluating device risk or just accepting telemetry blindly.

Questions:
Does IoT Hub Defender require a full Linux environment with tools like dmidecode, /boot/grub/grub.cfg, or cron directories to process and display metrics?

Are there any known limitations with Yocto-based minimal images that prevent Defender metrics from showing in the IoT Hub portal?

Is there a way to validate if metrics are actually reaching and being processed by the Defender backend beyond the send_confirm_callback log?

Any insights or guidance would be greatly appreciated.

Thanks in advance!