Unable to query logs in Advanced Hunting
Hi Community, Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated or Timestamp column usage in KQL is not working in Microsoft XDR Advanced Hunting at all. Example KQL in Advanced Hunting below: DeviceImageLoadEvents | where Timestamp >= ago(1h) | limit 100 The above yields no results in AdvancedHunting pane. However, if you use ingestion_time() you see the results which also gives TimeGenerated/Timestamp but cannot filter on that in the KQL. It seems like a bug to me. Does anyone face the same issue or can someone help? ThanksBlocking and removing apps on Intune managed devices (Windows, iOS/iPadOS, Android and macOS)
By: Michael Dineen - Sr. Product Manager | Microsoft Intune This blog was written to provide guidance to Microsoft Intune admins that need to block or remove apps on their managed endpoints. This includes blocking the DeepSeek – AI Assistant app in accordance with government and company guidelines across the world (e.g. the Australian Government’s Department of Home Affairs Protective Policy Framework (PSPF) Direction 001-2025, Italy, South Korea). Guidance provided in this blog uses the DeepSeek – AI Assistant and associated website as an example, but you can use the provided guidance for other apps and websites as well. The information provided in this guidance is supplemental to previously provided guidance which is more exhaustive in the steps administrators need to take to identify, report on, and block prohibited apps across their managed and unmanaged mobile devices: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. iOS/iPadOS devices For ease of reference, the below information is required to block the DeepSeek – AI Assistant app: App name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Link to Apple app store page: DeepSeek – AI Assistant Publisher: 杭州深度求索人工智能基础技术研究有限公司 Corporate devices (Supervised) Hide and prevent the launch of the DeepSeek – AI Assistant app The most effective way to block an app on supervised iOS/iPadOS devices is to block the app from being shown or being launchable. Create a new device configuration profile and select Settings Catalog for the profile type. (Devices > iOS/iPadOS > Configuration profiles). On the Configuration settings tab, select Add settings and search for Blocked App Bundle IDs. Select the Restrictionscategory and then select the checkbox next to the Blocked App Bundle IDs setting. > Devices > Configuration profile settings picker = 'Blocked App Bundle IDs' Enter the Bundle ID: com.deepseek.chat Assign the policy to either a device or user group. Note: The ability to hide and prevent the launch of specific apps is only available on supervised iOS/iPadOS devices. Unsupervised devices, including personal devices, can’t use this option. Uninstall the DeepSeek – AI Assistant app If a user has already installed the app via the Apple App Store, even though they will be unable to launch it when the previously described policy is configured, it’ll persist on the device. Use the steps below to automatically uninstall the app on devices that have it installed. This policy will also uninstall the app if it somehow gets installed at any point in the future, while the policy remains assigned. Navigate to Apps > iOS/iPadOS apps. Select + Add and choose iOS store app from the list. Search for DeepSeek – AI Assistant and Select. > Apps > iOS/iPadOS > Add App searching for 'DeepSeek - AI Assistant' app Accept the default settings, then Next. Modify the Scope tags as required. On the Assignments tab, under the Uninstall section, select + Add group or select + Add all users or + Add all devices, depending on your organization’s needs. Click the Create button on the Review + create tab to complete the setup. Monitor the status of the uninstall by navigating to Apps > iOS/iPadOS, selecting the app, and then selecting Device install status or User install status. The status will change to Not installed. Personal Devices – Bring your own device (BYOD) Admins have fewer options to manage settings and apps on personal devices. Apple provides no facility on unsupervised (including personal) iOS/iPadOS devices to hide or block access to specified apps. Instead, admins have the following options: Use an Intune compliance policy to prevent access to corporate data via Microsoft Entra Conditional Access (simplest and quickest to implement). Use a report to identify personal devices with specific apps installed. Takeover the app with the user’s consent. Uninstall the app. This guide will focus on option 1. For further guidance on the other options refer to: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Identify personal devices that have DeepSeek – AI Assistant installed and prevent access to corporate resources You can use compliance policies in Intune to mark a device as either “compliant” or “not compliant” based on several properties, such as whether a specific app is installed. Combined with Conditional Access, you can now prevent the user from accessing protected company resources when using a non-compliant device. Create an iOS/iPadOS compliance policy, by navigating to Devices > iOS/iPadOS > Compliance policies > Create policy. On the Compliance settings tab, under System Security > Restricted apps, enter the name and app Bundle ID and select Next. Name: DeepSeek – AI Assistant Bundle ID: com.deepseek.chat Under Actions for noncompliance, leave the default action Mark device noncompliant configured to Immediately and then select Next. Assign any Scope tags as required and select Next. Assign the policy to a user or device group and select Next. Review the policy and select Create. Devices that have the DeepSeek – AI Assistant app installed are shown in the Monitor section of the compliance policy. Navigate to the compliance policy and select Device status, under Monitor > View report. Devices that have the restricted app installed are shown in the report and marked as “Not compliant”. When combined with the Require device to be marked as compliant grant control, Conditional Access blocks access to protected corporate resources on devices that have the specified app installed. Android devices Android Enterprise corporate owned, fully managed devices Admins can optionally choose to allow only designated apps to be installed on corporate owned fully managed devices by configuring Allow access to all apps in Google Play store in a device restrictions policy. If this setting has been configured as Block or Not configured (the default), no additional configuration is required as users are only able to install apps allowed by the administrator. Uninstall DeepSeek To uninstall the app, and prevent it from being installed via the Google Play Store perform the following steps: Add a Managed Google Play app in the Microsoft Intune admin center by navigating to Apps > Android > Add, then select Managed Google Play app from the drop-down menu. r DeepSeek – AI Assistant in the Search bar, select the app in the results and click Select and then Sync. Navigate to Apps > Android and select DeepSeek – AI Assistant > Properties > Edit next to Assignments. Under the Uninstall section, add a user or device group and select Review + save and then Save. After the next sync, Google Play will uninstall the app, and the user will receive a notification on their managed device that the app was “deleted by your admin”: The Google Play Store will no longer display the app. If the user attempts to install or access the app directly via a link, the example error below is displayed on the user’s managed device: Android Enterprise personally owned devices with work profile For Android Enterprise personally owned devices with a work profile, use the same settings as described in the Android Enterprise corporate owned, fully managed devices section to uninstall and prevent the installation of restricted apps in the work profile. Note: Apps installed outside of the work profile can’t be managed by design. Windows devices You can block users from accessing the DeepSeek website on Windows devices that are enrolled into Microsoft Defender for Endpoint. Blocking users’ access to the website will also prevent them from adding DeepSeek as a progressive web app (PWA). This guidance assumes that devices are already enrolled into Microsoft Defender for Endpoint. Using Microsoft Defender for Endpoint to block access to websites in Microsoft Edge First, Custom Network Indicators needs to be enabled. Note: After configuring this setting, it may take up to 48 hours after a policy is created for a URL or IP Address to be blocked on a device. Access the Microsoft Defender admin center and navigate to Settings > Endpoints > Advanced features and enable Custom Network Indicators by selecting the corresponding radio button. Select Save preferences. Next, create a Custom Network Indicator. Navigate to Settings > Endpoints > Indicators and select URLs/Domains and click Add Item. Enter the following, and then click Next: URL/Domain: https://deepseek.com Title: DeepSeek Description: Block network access to DeepSeek Expires on (UTC): Never You can optionally generate an alert when a website is blocked by network protection by configuring the following and click Next: Generate alert: Ticked Severity: Informational Category: Unwanted software Note: Change the above settings according to your organization’s requirements. Select Block execution as the Action and click Next, review the Organizational scope and click Next. Review the summary and click Submit. Note: After configuring the Custom Network Indicator, it can take up to 48 hours for the URL to be blocked on a device. Once the Custom Network Indicator becomes active, the user will experience the following when attempting to access the DeepSeek website via Microsoft Edge: Using Defender for Endpoint to block websites in other browsers After configuring the above steps to block access to DeepSeek in Microsoft Edge, admins can leverage Network Protection to block access to DeepSeek in other browsers. Create a new Settings Catalog policy by navigating to Devices > Windows > Configuration > + Create > New Policy and selecting the following then click Create: Platform: Windows 10 and later Profile type: Settings Catalog Enter a name and description and click Next. Click + Add settings and in the search field, type Network Protection and click Search. Select the Defender category and select the checkbox next to Enable Network Protection. Close the settings picker and change the drop-down selection to Enabled (block mode) and click Next. Assign Scope Tags as required and click Next. Assign the policy to a user or device group and click Next. Review the policy and click Create. When users attempt to access the website in other browsers, they will experience an error that the content is blocked by their admin. macOS macOS devices that are onboarded to Defender for Endpoint and have Network Protection enabled are also unable to access the DeepSeek website in any browser as the same Custom Network Indicator works across both Windows and macOS. Ensure that you have configured the Custom Network Indicator as described earlier in the guidance. Enable Network Protection Enable Network Protection on macOS devices by performing the following in the Microsoft Intune admin center: Create a new configuration profile by navigating to Devices > macOS > Configuration > + Create > New Policy > Settings Catalog and select Create. Enter an appropriate name and description and select Next. Click + Add settings and in the search bar, enter Network Protection and select Search. Select the Microsoft Defender Network protection category and select the checkbox next to Enforcement Level and close the Settings Picker window. In the dropdown menu next to Enforcement Level, select Block and select Next. Add Scope Tags as required and select Next. Assign the policy to a user or devices group and select Next. Review the policy and select Create. The user when attempting to access the website will experience the following: http://www.deepseek.com showing error: This site can't be reached Conclusion This blog serves as a quick guide for admins needing to block and remove specific applications on their Intune managed endpoints in regulated organizations. Additional guidance for other mobile device enrollment methods can be found here: Support tip: Removing and preventing the use of applications on iOS/iPadOS and Android devices. Additional resources For further control and management of user access to unapproved DeepSeek services, consider utilizing the following resources. This article provides insights into monitoring and gaining visibility into DeepSeek usage within your organization using Microsoft Defender XDR. Additionally, our Microsoft Purview guide offers valuable information on managing AI services and ensuring compliance with organizational policies. These resources can help enhance your security posture and ensure that only approved applications are accessible to users. Let us know if you have any questions by leaving a comment on this post or reaching out on X @IntuneSuppTeam.
TVM still showing outdated vulnerabilities despite applications being up to date
Hi everyone, we’re using Microsoft Defender for Endpoint with Threat & Vulnerability Management (TVM) enabled. Lately, we've noticed that certain vulnerabilities (e.g., CVEs in browsers or third-party software) continue to be flagged on devices, even though the affected applications have been updated weeks ago. Example scenario: The device is actively onboarded and reporting to Defender XDR The application has been updated manually or via software deployment The correct version appears under Software Inventory However, the CVE still shows up under Weaknesses Has anyone experienced similar behavior? Are there any best practices to trigger a re-evaluation of vulnerabilities or force a TVM scan refresh? Would a device reboot or restarting the MDE service help in this case? Any insights, suggestions, or known workarounds would be greatly appreciated. Thanks in advance!Monthly news - July 2025
Microsoft Defender XDR Monthly news - July 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from May 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. Microsoft Defender (General Availability) In advanced hunting, Microsoft Defender portal users can now use the adx() operator to query tables stored in Azure Data Explorer. You no longer need to go to log analytics in Microsoft Sentinel to use this operator if you're already in Microsoft Defender. Learn more on our docs. Introducing TITAN powered recommendations in Security Copilot guided response. This blog post explains the power of Guided Response with Security Copilot and and the integration of Threat Intelligence Tracking via Adaptive Networks (TITAN). (General Availability) Case management now supports multiple tenants in Microsoft Defender experience. We’re excited to share that multi-tenant support is now generally available in our case management experience. This new capability empowers security teams to view and manage incidents across all their tenants from a single, unified interface—directly within the Microsoft Defender Multi-Tenant (MTO) portal. You can read this blog for more information. Microsoft Defender for Cloud Apps (General Availability) The Behaviors data type significantly enhances overall threat detection accuracy by reducing alerts on generic anomalies and surfacing alerts only when observed patterns align with real security scenarios. This data type is now generally available. Learn more on how to use Behaviors and new detections in this blog post. New Dynamic Threat Detection model. Defender for Cloud Apps new dynamic threat detection model continuously adapts to the ever-changing SaaS apps threat landscape. This approach ensures your organization remains protected with up-to-date detection logic without the need for manual policy updates or reconfiguration. Microsoft Defender for Endpoint (General Availability) Global exclusions on Linux are now generally available. We just published a new blog post, that discussed how you can manage global exclusion policies for Linux across both AV and EDR. (General Availability) Support for Alma Linux and Rocky Linux is now generally available for Linux. (General Availability) Behavior monitoring on macOS is now generally available. Read this blog post to learn more about it and how it improves the early detection and prevention of suspicious and malicious activities targeting macOS users. (Public Preview) Selective Isolation allows you to exclude specific devices, processes, IP addresses, or services from isolation actions. More details in this blog post "Maintain connectivity for essential services with selective network isolation" Microsoft Defender for Identity (Public Preview) Domain-based scoping for Active Directory is now available in public preview. This new capability enables SOC analysts to define and refine the scope of Defender for Identity monitoring, providing more granular control over which entities and resources are included in security analysis. Read this announcement blog for more details. (Public Preview) Defender for Identity is extending its identity protection to protect Okta identities, that’s in addition to the already robust protection for on-premises Active Directory and Entra ID identities. For more details, have a look at this announcement blog post. Microsoft Defender for Office 365 Introducing the Defender for Office 365 ICES Vendor Ecosystem - a unified framework that enables seamless integration with trusted third-party vendors. Learn more about this exciting announcement in this blog post. (General Availability) Auto-Remediation of malicious messages in Automated Investigation and Response is now generally available. Have a look at this detailed blog post on how it works. Mail bombing is now an available Detection technology value in Threat Explorer, the Email entity page, and the Email summary panel. Mail bombing is also an available DetectionMethods value in Advanced Hunting. For more information, see MC1096885. AI-powered Submissions Response introduces generative AI explanations for admin email submissions to Microsoft. For more information, see Submission result definitions. Microsoft Security Exposure Management (Public Preview) Enhanced External Attack Surface Management integration with Exposure Management. This new integration allows you to incorporate detailed external attack surface data from Defender External Attack Surface Management into Exposure Management. Learn more on our docs. Microsoft Security Blogs Unveiling RIFT: Enhancing Rust malware analysis through pattern matching As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry. Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government. Threat Analytics (Access to the Defender Portal needed) Tool Profile: Qilin ransomware. Qilin (also called Agenda) is a ransomware as a service (RaaS) offering that was first observed in 2022. It has been used by multiple cybercriminal groups, including Pistachio Tempest, Octo Tempest, and most recently Moonstone Sleet. While the ransom attacks appear to be opportunistic rather than targeted, they have had notable impacts against healthcare and media companies. Activity Profile: Emerald Sleet using QR codes for credential harvesting. In May 2025, Microsoft Threat Intelligence observed the North Korean threat actor that Microsoft tracks as Emerald Sleet using QR (quick response) codes designed to lure recipients to credential-harvesting sites in phishing emails. Vulnerability profile: CVE-2025-34028 – Commvault Command Center Innovation Release. According to the National Institute of Standards and Technology (NIST), “the Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.” Activity Profile: Forest Blizzard trojanizes Ukraine software to deliver new variant of Blipslide downloader. Since March, Microsoft Threat intelligence observed the Russian military intelligence threat actor Forest Blizzard infect devices in Ukraine with a new variant of BlipSlide malware, a downloader that the threat actor uses for command and control (C2). Actor Profile: Storm-2416. The threat actor that Microsoft tracks as Storm-2416 is a nation-state activity group based out of China. Storm-2416 is known to primarily target information technology (IT), government, and other business entities in Europe, Asia, Oceania, and South and North America. Activity Profile: Suspicious OAuth applications used to retrieve and send emails. In late February 2025, Microsoft discovered a set of malicious Open Authorization (OAuth) applications, including one that impersonated Outlook, that can retrieve and send emails. Actor Profile: Storm-0126. The threat actor that Microsoft tracks as Storm-0126 is a nation-state activity group based out of China. Storm-0126 is known to primarily target defense industry enterprises, public institutions, research institutes, and military-industrial organizations worldwide. Actor Profile: Storm-2001. Microsoft assesses with high confidence that the threat actor Microsoft tracks as Storm-2001 is a Russian state-sponsored actor. It is known to primarily target defense organizations in the North Atlantic Treaty Organization (NATO) alliance—specifically, member states that form NATO’s Enhanced Forward Presence (EFP) program, recent NATO members, and other related organizations that engage in NATO-related communications and planning. Activity profile: Storm-2561 distributes trojanized SonicWall NetExtender SilentRoute. In late May 2025, Storm-2561 began distributing malware that Microsoft detects as SilentRoute. The malware is a trojanized version of SonicWall’s SSL VPN NetExtender application that transmits the user’s VPN configuration data to a hardcoded IP address.
File Integrity Monitoring - Agentless Issues in Detecting Changes to Files
Hello! Looks like there have been some recent updates made to File Integrity Monitoring. After reviewing the MS documentation https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#recommended-items-to-monitor it looks like you can now create custom Rules for Files and for custom Registry keys. From what I can gather from the documentation, agentless scans are used for custom rules that you create and an agentless scan occurs once every 24 hours. I have created several custom rules to detect if a file has been Deleted, Added, Modified or Renamed and Defender for Cloud is still not detecting any changes. I have made changes to these files 3 days ago, and no changes have been reported back. Any ideas why this might not be working. I have already confirmed that the appropriate RBAC Roles have been assigned to my Key Vaults where CMK Disks are being used. I also wanted to know if the Agentless FIM can monitor Folders / Directories as well. I haven't seen anything about this in the documentation. Is this even supported?
DeviceNetworkEvents table, UDP and IGMP events
Does DeviceNetworkEvents table get all network events or are there any caveats. Want to know if Defender Agents on the Machines collect all the TCP/UDP/ICMP/IGMP events or there are any specific events which are collected or not collected. We don't see most of UDP events. For example, we have a server listening on UDP, and when a client makes UDP connection to the server, we expect to see UDP connection events in the DeviceNetworkEvents table. We only see mostly DNS UDP events. Same thing with ICMP and IGMP. We don't see IGMP events at all. Can somebody throw light on how these things work.Firewall Rules programming with Defender XDR
We have our devices onboarded to Defender for Endpoint, and want to program Firewall Policy and Firewall Rules Policy using Defender Onboarding. We know that we can onboard devices to Intune and use Intune MDM to program rules. But, we don't want a full blown MDM setup or license for just firewall programming. Is there a deployment scenario where we can do firewall programming just using defender machines. Any help is really appreciated.
