Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 🥰 I m observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?
Custom critical filter for EDR/XDR
Hello everyone, i would like to ask if somebody is trying to make a unique "critical" filter for alerts/incidents that need to be done as fast as possible? We have many high alerts and we are trying to figure one to have prio list with important notifications. Have you any ideas? Thank you.Defender MDO permissions broken (again)
Defender wasn't letting me approve pending AIR remediation options, something I do every day, with my usual custom RBAC role checked out. Nor could I move or delete emails. I also had Security Operator checked out. I checked out Security Admin and tried again, no dice. It wasn't until I checked out Global Admin until I got the permissions I needed.
Defender - Cloud Activity Logs suspicious
Hi, I just noticed this logs from Defender - Cloud Apps > Activity Logs, seems all our Microsoft Cloud PC has these logs, looks suspicious for me as it is querying our Domain Admins account it seems, but would like to confirm. If this is suspicious, can help how to mitigate this please, thank you.
Administrative activity from a non-corporate IP address
Hi, Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies. Event description is: Change sharing policy: OneDrive Site Collection <b>https://xxxx-my.sharepoint.com/personal/user_domain_fi</b>; Parameters: property <b>Share Using Anonymous Links</b> <b>True</b>, property <b>Share With Guests</b>, property <b>ShareUsingAnonymousLinks</b> <b>From False To True</b>, property <b>ShareUsingAnonymousLinks - New Value</b> <b>True</b> Anonymous links are not allowed and when checking users onedrive site collection settings after alert it is still not allowed. Are these only false positives? Matched policy is Administrative activity from a non-corporate IP address and Alert Product is Microsoft Defender for Cloud Apps ~ Jukka ~Defender XDR - how to grant "undo action" Permissions on File Quarantine?
Dear Defender XDR Community I have a question regarding the permissions to "undo action" on a file quarantine action in the action center. We have six locations, each location manages their own devices. We have created six device groups so that Accounts from Location 1 can only manage/see devices from Location 1 as well. Then we created a custom "Microsoft Defender XDR" Role with the following permissions. This way the admins from location 1 can manage all Defender for Endpoint Devices / incidents / recommendations etc. without touching devices they aren't managing.. very cool actually! BUT - if a file gets quarantined, it might want to be released again because of false positive etc. I can do that as a global admin, but not as an admin with granularly assigned rights - the option just isnt there.. I don't want to give them admins a more privileged role because of - you know - least privileges. but i don't have the option to allow "undo action" on file quarantine events, besides that being a critical feature for them to manage their own devices and not me having to de-quarantine files i dont care about.. Any thoughts on how to give users this permission?
