Permissions to see and manage sentinel workspace in Defender XDR
Hi Team, One of my customers recently completed their Sentinel → Defender portal migration. Initially, I didn’t have access to view the Defender portal, but after the migration I was assigned the Security Operator role in Entra (via PIM), which now allows me to access the Defender portal.However, when I navigate to: Defender portal → System → Settings → Microsoft Sentinel → Workspaces. I’m unable to view the available workspaces. The portal shows an insufficient permissions error, and I also cannot switch the primary/secondary workspace. Could you please advise on the exact permissions/roles required to: View the Sentinel workspace list in Defender, and Switch the primary workspace? Thanks in advanceXDR advanced hunting region specific endpoints
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it: 1. To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Since using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region? 2. As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants(China, US, Global)?
Issue with log collection from Microsoft XDR to Azure storage
Hello, We are currently facing an issue with collecting logs from Microsoft XDR and forwarding them to Azure Storage. We are aware of below two methods for forwarding logs from Microsoft XDR to Azure: Forward events to Azure Storage Forward events to Azure Event Hub Issue Details: Method 1: When using the "Forward events to Azure Storage" approach, we end up with different containers being created for each event, but we would prefer to have all the events stored in a single container. Method 2: When using the "Forward events to Azure Event Hub" approach, we are able to store all the events in a single container, but in this case, the logs are stored in Avro format instead of JSON, which is not our desired format. Our goal is to store all event logs in one single container in JSON format. Has anyone faced this issue or found a way to achieve this setup? Any guidance or solution would be greatly appreciated. Thank you!Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 🥰 I m observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?MDO query of EmailEvents is not accepted in the flow which is why causing the badgateway error
When used the following MDO query of EmailEvents it is working in the Defender control panel but when applied through 'Advanced Hunting' action in Power automate application given bad gateway error. Is this query supported in this application?
ASR Rule Blocking ms-teams.exe
Hi, We have seen the ASR Rule for, 'Block Office communication application from creating child processes' start to block ms-teams.exe, this morning which is causing quite a lot of issues in the estate. The current workaround is to set the ASR Rule of, 'Block Office communication application from creating child processes', to Audit Mode instead of Block Mode. This has also been mentioned by a couple of people now on Twitter, so is MS aware of this issue and do you know when a fix may be in place for this, so I can safely move the ASR Rule back to Block ModeDefender RBAC - Grant at least priviliged for Quarantine handling NOT WORKING
Hi everyone, I've already deployed new Defender RBAC permission. I want to assign permission for quarantine message handling WITHOUT Preview Message option. I,ve configured Defender RBAC in follow settings: I've assgined only Security Basic (read) NOT Quarantine handle and NOT Quarantine RAW Contect permission Effect (in production!) I can't assign at-least permission. Currently everyone who has at least permission in Defender RBAC can read all email content for everyone user in organization!! Anyone can help with this case? Follow Defender RBAC docs this user should not have any permission for reading other mails! -- Kind Regards
