Where and how is AI used in Defender XDR?
Hi everyone, i was searching for an overview of where and AI is used in Defender XDR. Do you have a quick oversight of this? That would be great. Also how this data is used for training and decisions. I know it is used in Attack disruption and Copilot for Security ( ;) ) - but i need a complete list. BR StephanIntune device compliance status not evaluated
Has anyone encountered devices taking absolutely forever to evaluate overall compliance after user enrollment ESP? (pre-provisioned devices). They just sit there in "not evaluated" and get blocked by CA policy. Most come good eventually, but some literally are taking employees offline for the whole day. These are all Win11 AAD-joined. Microsoft has only offered me the standard "may take up to 8 hours, goodbye" response but I am pulling my hair out trying to figure out if this is just an Intune thing, or is there a trick I am missing? Some of them take so long that I give up and swap out the device so they can start working. The individual policies are evaluating just fine, but the overall status is way behind. I'd even prefer them to be non-compliant because at least then the grace period would kick in. I have had very limited success with rebooting and kicking off all the syncs / check access buttons, but I have a feeling those buttons have just been a placebo. It happens very sporadically too on about half of devices the user doesn't even notice it's that quick. Thanks for any advice
Service account usage
've been ach is installed on 3 iut 4 DCs and a large percentage sked by a customer to try and identify service accounts operating in their ADDS environment. I have access to both MDI and MDE. Does anything in the Defender stack inventory the services on machines and retrieve which accounts are being used to launch them? I have a list of service accounts based on the clients naming convention but i strongly suspect that that list is incomplete. Any assistance or guidance would be greatly appreciated. I've spent this afternoon experimenting with KQL but not satisfied with th eoutcome.
Defender KQL query for Windows firewall status changes?
Hi all, I would like a KQL query that finds when the Windows firewall is stopped or turned off on our servers in the last 7 days, with the aim of creating a custom detection rule to alert. So far, I have this: DeviceEvents | where Timestamp > ago(7d) | where ActionType == "FirewallServiceStopped" | sort by Timestamp However, I tested this by turning off the Windows firewall on a server and there was no alert, not even an obvious entry in the device timeline when I view all ActionTypes/events. What am I doing wrong? Or is there something I'm missing, like this ActionType doesn't do what I think it does, or these alerts go to Windows Event viewer, etc.?DeviceNetworkEvents does not refer to any known table.
When attempting to run an advanced hunting query, I'm receiving this error message at more than half of our clients. Most are on business premium licensing which includes Defender for Business. Does anyone have any information regarding this error? Is this a licensing issue or do we need to turn on more audit logs at the device level to include this table in queries?E5 Developer license + Defender XDR
Like the title says, i got my self a developer account with E5 developer licenses and were wondering if there is any way to get something similar to Defender XDR? It seams i got access to the Security dashboard and got recommendations to get Microsoft Defender XDR, but i can't seam to activate it anywhere. I have a AD hybrid setup connected to asure with password hash sync and syncback enabled that does work (tested). and are now wondering if im eighlible to run XDR too with the current license? It keeps directing me to the Azure portal where im supposed to create a workspace within the Microsoft Sientel application. How ever i endup not having a subscription and i can't seam to activate the trial either. Any ideas if this is possible in some way? (Here to learn)
XDR Deception
Hey, so I am currently testing everything that has to do with deception. I can successfully deploy the lures to all my targeted machines. However for testing purposes I want to act as the "hacker". I can find a deceptive host in one of the system files, but I cant seem to find the deceptive usernames. Does anyone know where these deceptive usernames are located on the system? I tried looking in lsass dump, but nothing found here. Thanks in advance!
