Microsoft Security Experts topics

Issues blocking DeepSeek

KevinJohnson1 — Thu, 26 Feb 2026 00:01:47 GMT

Hi all,

I am investigating DeepSeek usage in our Microsoft security environment and have found inconsistent behaviour between Defender for Cloud Apps, Defender for Endpoint, and IOC controls. I am hoping to understand if others have seen the same.

Environment

Full Microsoft security and management suite

What we are seeing

Defender for Cloud Apps

DeepSeek is classified as an Unsanctioned app

Cloud Discovery shows ongoing traffic and active usage

Multiple successful sessions and data activity visible

Defender for Endpoint Indicators

DeepSeek domains and URIs have been added as Indicators with Block action

Indicators show as successfully applied

Advanced Hunting and Device Timeline

Multiple executable processes are initiating connections to DeepSeek domains

Examples include Edge, Chrome, and other executables making outbound HTTPS connections

Connection status is a mix of Successful and Unsuccessful

No block events recorded

Settings

Network Protection enabled in block mode

Web Content Filtering enabled

SmartScreen enabled

File Hash Computation enabled

Network Protection Reputation mode set to 1

Has anyone else had similar issues when trying to block DeepSeek or other apps via Microsoft security suite?

I am currently working with Microsoft support on this but wanted to ask here as well.

High CPU Usage by Microsoft Defender (MsMpEng.exe) on Azure Windows Server 2019

Lucaraheller — Tue, 21 Oct 2025 17:07:24 GMT

Hi everyone,

I’ve been seeing consistent CPU spikes from MsMpEng.exe (Antimalware Service Executable) on several Windows Server 2019 Datacenter VMs hosted in Azure.

The usage reaches 100% for about 10–15 minutes daily, always around the same time.
No manual scans are scheduled, and limiting CPU usage with Set-MpPreference -ScanAvgCPULoadFactor didn’t help.

Could this be related to Defender’s cloud protection update cycle, or possibly a backend maintenance task from Defender for Cloud?

Is there a recommended way to throttle or schedule these background Defender tasks in production environments?

Appreciate any insights,
Luca

Defender for Endpoint Conflicting with Internal Firewall Authentication

Lucaraheller — Tue, 21 Oct 2025 17:06:06 GMT

Hi Security Experts,

After onboarding a few devices into Defender for Endpoint, I noticed that those machines started having connection drops to the company’s internal firewall.
They constantly re-authenticate before regaining web access.

Devices not onboarded into Defender don’t experience this issue.

Could Defender’s network protection or proxy policies be interfering with the internal firewall authentication flow?
Any recommendations on how to keep Defender active while keeping the internal firewall as the primary control point?

Thanks for any suggestions,
Luca

Can’t Remove Defender Tag After Asset Rule Was Deleted

Lucaraheller — Tue, 21 Oct 2025 17:05:05 GMT

Hi all,

I’m facing an issue where a rule-based tag in Microsoft Defender for Endpoint remains visible on devices even after I deleted the original asset rule.

The rule was disabled and deleted months ago, but the tag still appears under Rule-based tags in the device details.
Even using the API or PowerShell doesn’t show or remove it.

Is there any supported way to force a tag refresh or clear orphaned rule-based tags from the Defender portal?

Thanks in advance,
Luca

Defender for Endpoint Firewall Rules Not Applying to Devices

Lucaraheller — Tue, 21 Oct 2025 17:03:36 GMT

Hello Security Experts,

I’m currently deploying Microsoft Defender for Business and trying to enforce firewall configurations directly from the Defender portal.

However, I’ve noticed that the settings are not applying to any of the onboarded devices — nothing changes on the endpoints.

Do firewall rules in Defender for Endpoint require Intune to be enforced, or should they work standalone?
And if Intune isn’t used, what’s the best approach to apply consistent Defender firewall rules across devices?

Thanks,
Luca

Automating Defender Alerts with CISA KEV and n8n – Has anyone tried similar workflows?

Lucaraheller — Tue, 21 Oct 2025 17:02:29 GMT

Hi everyone,

I’ve been experimenting with n8n automation to improve vulnerability management. I created a workflow that cross-references Microsoft Defender for Endpoint vulnerabilities with the CISA Known Exploited Vulnerabilities (KEV) catalog, and then automatically creates Jira tickets for remediation.

The flow takes about 16 seconds to run and prioritizes only the CVEs that are both present in the environment and listed in KEV.

Has anyone here built similar automation (maybe with Logic Apps, Power Automate, or Sentinel playbooks)?
Would love to hear how others handle vulnerability prioritization or ticket creation!

Automação de Alertas do Defender com o Catálogo KEV da CISA usando n8n

Lucaraheller — Tue, 21 Oct 2025 16:43:26 GMT

Overview

Recently, I decided to explore how automation could help simplify daily security operations, especially in vulnerability management. While studying n8n, an open-source automation platform, I saw the opportunity to connect it with Microsoft Defender for Endpoint and the CISA Known Exploited Vulnerabilities (KEV) Catalog.

The goal was simple: build an automated workflow that identifies which vulnerabilities detected in Defender are actively exploited in the wild, and then create actionable tickets in Jira for remediation teams — automatically and with full context.

Why I Built This

Most security teams deal with thousands of vulnerabilities every week, but only a small portion are actually being exploited.
I wanted to find a way to prioritize what truly matters without adding more manual work.

Defender for Endpoint already provides strong vulnerability data, but by combining it with the CISA KEV catalog, we can instantly highlight high-risk CVEs that need urgent attention.

This project was also a great opportunity to test n8n’s flexibility and API-handling capabilities in a real-world cybersecurity scenario.

EDR logs explanation

FredSLN — Sat, 12 Apr 2025 06:36:47 GMT

Hello, would it be possible for an expert from this forum to analyze the EDR logs? Could you also explain to me in detail what happened? Furthermore, can you tell me if it is clearly established that the deleted files were deleted by someone physically present on the machine, or if there are other possible explanations? Thanks in advance.

Microsoft Defender for Cloud App and Managed identities

KV_MDCA — Tue, 07 Jan 2025 15:38:33 GMT

I would like to check if we can use Microsoft Managed Identities to enable App connectors connection in Microsoft Defender for Cloud App? If No, looking forward for the best practices for the service/integration accounts to be used in these integrations.

Unwanted Linked device

mahlanguthandeka966 — Sat, 02 Nov 2024 10:15:42 GMT

Hi
2 devices have access to my Microsoft account, sometimes when I log into my device it welcomes me as the other person vice versa. When we try creating a new alias on the other device it does not allow us (I don't even know what an alias is, all I know is it's in my name on another person's device)
Sometimes I find the other device linked to mine, I keep removing the device however it keeps linking itself.
Please help me because it turns out the other device has access to my cloud documents, regardless of whether I've logged in or not. I have to get this fixed within next 2 weeks otherwise I'm done for.

My laptop has been blocked by BitLocker.

rocio_yanez — Fri, 01 Nov 2024 16:09:42 GMT

However, there is no BitLocker recovery keys on my Microsoft account. I have tried to call Microsoft support, but I only get bot messages that take me to sites that asks me to go and check my Microsoft account.

Is there any way I can chat with a human that can actually help me how to get around this BitLocker?

thanks

Where shall I start if i would like to learn IT and move onto cybersecurity?

enyels — Tue, 01 Oct 2024 18:46:34 GMT

Which learning paths and certifications will be recommended for someone trying to learn cloud security for the SOC, IR ?

By the way hi my name is Enyel.

Defender Experts in-depth - running a modern SOC in the age of LLMs

Elisa_Lippincott — Wed, 06 Dec 2023 20:23:07 GMT

Did you miss the Defender Experts session held today (December 6, 2023) during the Microsoft Security Tech Accelerator event? See how our Defender Experts team runs a modern SOC and leverages LLMs and Copilots. You can catch the session on-demand here: https://aka.ms/Accelerate/ModernSOC

Defender Experts | Sentinel Automation based on Defender Experts Notifications (DENs)

Raae_ — Tue, 05 Dec 2023 04:14:57 GMT

Based on invaluable customer feedback, we're rolling out the first installment of our Defender Experts “cookbook”—a guide to enhance your experience with Sentinel automation based on Defender Experts Notifications (DENs). This customer-driven initiative reflects the importance our customers place on efficient SIEM automation to manage their operations effectively. This guide is a direct response to your insights. Think of it as a recipe book tailored to maximize the power of Defender Experts services. From optimizing DENs for automation to sharing pro tips, the guide is a collaborative effort to fortify our collective defense against evolving cyber threats.

This collaborative effort reflects our commitment to transforming customer input into actionable solutions, with each new “recipe” empowering customers to navigate the complexities of the cybersecurity terrain with the confidence that Microsoft Defender Experts have their back. We encourage users to experiment with these insights and share their experiences, contributing to an ongoing dialogue that strengthens collective defenses against evolving cyber threats. Your success and protection against advanced threats is at the heart of our mission, and we look forward to continuing this collaborative journey together.

Defender Experts | Sentinel Automation – NEW Defender Experts Notifications

In order to configure automation rules based on NEW Defender Experts Notifications (DENs), follow the conditions below:

Select Trigger When Incident is Created

Select If Incident provider Equals Microsoft Defender XDR

AND

Select Title Contains Defender Experts

Configure the relevant Actions you would like to enable based on the conditions selected above. For example, you can select a specific playbook to run or assign a particular owner to the Incident.

Screenshot of Sentinel Automation Rule Trigger and Conditions based on NEW Incidents issued as DENs

Defender Experts | Sentinel Automation – EXISTING Incidents that are upgraded to DENs

In order to configure automation rules based on EXISTING Incidents that are upgraded to Defender Experts Notifications (DENs), follow the conditions below:

Select Trigger When Incident is Updated

Select If Incident provider Equals Microsoft Defender XDR

AND

Select Alerts Added

AND

Select Title Contains Defender Experts

Configure the relevant Actions you would like to enable based on the conditions selected above. For example, you can select a specific playbook to run or assign a particular owner to the Incident.

Screenshot of Sentinel Automation Rule Trigger and Conditions based on EXISTING Incidents Upgraded to DENs

How are folks limiting what employees share with unauthorized LLMs?

JoeCicero — Wed, 29 Nov 2023 20:40:16 GMT

A common question I encounter is how companies are preventing their employees from sharing sensitive information with unauthorized LLMs. Some of the initial solutions include DLP (Data Loss Prevention) and modifying the network filter. I wonder what Windows offers in this regard, but more importantly - what are the best practices in the industry?

Microsoft Defender Application Guard can be configured to open specific LLM/chat-sites in a lock down browser and control how users interact with the content. With application guard you can block specific sites or limit clipboard, etc.

How do you prevent, control, or track your employees' access to unapproved LLM/chat-sites?

Are Any Defender Experts customers using Enhanced Phishing Protection in Microsoft Defender?

JoeCicero — Wed, 29 Nov 2023 20:25:38 GMT

If you are running Windows 11(version 22H2) in your environment, a newly introduced feature enhances phishing protection by prompting users to exercise caution before entering their passwords in potentially insecure spaces, such as on malicious websites.

If a user signs into Windows using a password, Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school password used to sign into Windows 11 in these ways:

If users type or paste their work or school password on any browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also alerts them to change their password so attackers can't gain access to their account.
Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and alert them to change their password.
Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
If users type their work or school password into a website or app that SmartScreen finds suspicious, Enhanced Phishing Protection can automatically collect information from that website or app to help identify security threats. For example, the content displayed, sounds played, and application memory.

Read more about Enhanced Phishing Protection in Microsoft Defender SmartScreen and how to deploy via Intune and/or GPO here: Enhanced Phishing Protection in Microsoft Defender SmartScreen - Windows Security | Microsoft Learn

Security Experts... Please advise the necessary people

bozzaman — Fri, 24 Nov 2023 15:31:25 GMT

I'm exploring this forum as a last resort, having exhausted all other options. My story involves a serious flaw in Microsoft's security framework, which has devastatingly impacted my once-thriving business. As a small yet vital enterprise of 15 employees, functioning as an MSP and Microsoft Silver Partner, I faced an unforeseen betrayal. During my absence for spinal surgery, a rogue Microsoft CSP Direct Partner, who was only supposed to manage my business temporarily, exploited their Microsoft affiliation. Utilizing social engineering and their insider status, they illegitimately transferred my company's goodwill and assets to themselves. This included the theft of two decades' worth of private data.

The gravity of their deception extends beyond my business; they now control my client base, mainly consisting of solicitors and accountants. Despite clear evidence of their phishing and scamming activities, Microsoft has remained passive, allowing the situation to deteriorate. The suppliers, duped by fraudulent documents, are now realizing their mistake but continue to deny my rights to my own business. This inaction, shared by both Microsoft and the suppliers, leaves me entangled in debt and potential litigation.

Interestingly, I am still aware of the physical whereabouts of these scammers. Moreover, I possess pages and pages of IOCs that further substantiate their illicit activities. If Microsoft genuinely engaged with this issue and worked collaboratively towards a resolution, perhaps we could transform this into a tale of rectification and justice. But, having pursued every possible channel without success, I am compelled to raise awareness on public forums. With nothing left to lose, I am calling for attention to this matter. Should you be able to assist, or know someone who can, please reach out. My contact details are linked to my forum ID, and Microsoft can easily access my tenant and phone information.

Regards,

bozzaman

Check out what's new with Microsoft Defender Experts for XDR

Elisa_Lippincott — Wed, 15 Nov 2023 18:53:00 GMT

The Defender Experts team has been busy helping customers and adding great features to the Defender Experts for XDR service. Read about the latest enhancements in our latest blog What’s new in Microsoft Defender Experts for XDR.

Welcome to the Microsoft Security Experts community!

Raae_ — Tue, 31 Oct 2023 16:06:13 GMT

We are thrilled to announce the launch of the Microsoft Security Experts community!

Whether you’re familiar with our services or just starting to explore what we offer, you’ll find this community a collaborative space where you can freely ask questions and share insights with our team. We hope to engage in constructive dialogue that fosters growth and innovation and build a resourceful hub that benefits everyone.

In addition to this community, we invite you to learn more about our services below and follow our blog for the latest news and insights:

Thank you for being a part of our community!