Custom data collection in MDE - what is default?
So you just announced the preview of "Custom data collection in Microsoft Defender for Endpoint (Preview)" which lets me ingest custom data to sentinel. Is there also an overview of what is default and what I can add? e.g. we want to examine repeating disconnects from AzureVPN clients (yes, it's most likely just Microsoft's fault, as the app ratings show 'everyone' is having them) How do I know which data I can add to DeviceCustomNetworkEvents which isnt already in DeviceNetworkEvents?
XDR advanced hunting region specific endpoints
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it: 1. To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Since using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region? 2. As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants(China, US, Global)?
TVM still showing outdated vulnerabilities despite applications being up to date
Hi everyone, we’re using Microsoft Defender for Endpoint with Threat & Vulnerability Management (TVM) enabled. Lately, we've noticed that certain vulnerabilities (e.g., CVEs in browsers or third-party software) continue to be flagged on devices, even though the affected applications have been updated weeks ago. Example scenario: The device is actively onboarded and reporting to Defender XDR The application has been updated manually or via software deployment The correct version appears under Software Inventory However, the CVE still shows up under Weaknesses Has anyone experienced similar behavior? Are there any best practices to trigger a re-evaluation of vulnerabilities or force a TVM scan refresh? Would a device reboot or restarting the MDE service help in this case? Any insights, suggestions, or known workarounds would be greatly appreciated. Thanks in advance!
Integrate Defender for Cloud Apps w/ Azure Firewall or VPN Gateway
Hello, Recently I have been tasked with securing our openAI implementation. I would like to marry the Defender for Cloud Apps with the sanctioning feature and the Blocking unsanctioned traffic like the Defender for Endpoint capability. To do this, I was only able to come up with: creating a windows 2019/2022 server, with RRAS, and two interfaces in Azure, one Public, and one private. Then I add Defender for Endpoint, Optimized to act as a traffic moderator, integrated the solution with Defender for cloud apps, with BLOCK integration enabled. I can then sanction each of the desired applications, closing my environment and only allowing sanctioned traffic to sanctioned locations. This solution seemed : difficult to create, not the best performer, and the solution didn't really take into account the ability of the router to differentiate what solution was originating the traffic, which would allow for selective profiles depending on the originating source. Are there any plans on having similar solutions available in the future from: VPN gateway (integration with Defender for Cloud Apps), or Azure Firewall -> with advanced profile. The Compliance interface with the sanctioning traffic feature seems very straight forward .
Copilot on-prem?
Hi all, I am doing a bit of research about Copilot in Microsoft Defender XDR. I was looking at how this could benefit different companies with their day-to-day tasks and in-depth analysis. It looks promising, but how about companies that deal with sensitive information? Yes, all companies have sensitive data, but what about medical facilities and government agencies? I’ve seen that Copilot adheres to several standards like ISO 27001, 27017, 27018, and a few more, but the data is still shared with Microsoft. I have looked at the possibility of hosting an AI tool on-prem, but Copilot only enables on-prem integration with data sources of M365 services. The reason why this isn’t available on-prem is because it would require significant computational resources. Another reason (I assume) is the daily updates that Copilot would need to keep its database of known threats up-to-date. So what I’m interested in is: What would it take to host Copilot on-prem? Is on-prem hosting for Copilot going to be enabled in the near future? For companies that work in a Microsoft environment and want to help their security analysts but don’t want to share sensitive information, what options does Microsoft offer (besides courses and training)?Where and how is AI used in Defender XDR?
Hi everyone, i was searching for an overview of where and AI is used in Defender XDR. Do you have a quick oversight of this? That would be great. Also how this data is used for training and decisions. I know it is used in Attack disruption and Copilot for Security ( ;) ) - but i need a complete list. BR StephanIntune device compliance status not evaluated
Has anyone encountered devices taking absolutely forever to evaluate overall compliance after user enrollment ESP? (pre-provisioned devices). They just sit there in "not evaluated" and get blocked by CA policy. Most come good eventually, but some literally are taking employees offline for the whole day. These are all Win11 AAD-joined. Microsoft has only offered me the standard "may take up to 8 hours, goodbye" response but I am pulling my hair out trying to figure out if this is just an Intune thing, or is there a trick I am missing? Some of them take so long that I give up and swap out the device so they can start working. The individual policies are evaluating just fine, but the overall status is way behind. I'd even prefer them to be non-compliant because at least then the grace period would kick in. I have had very limited success with rebooting and kicking off all the syncs / check access buttons, but I have a feeling those buttons have just been a placebo. It happens very sporadically too on about half of devices the user doesn't even notice it's that quick. Thanks for any advice
Service account usage
've been ach is installed on 3 iut 4 DCs and a large percentage sked by a customer to try and identify service accounts operating in their ADDS environment. I have access to both MDI and MDE. Does anything in the Defender stack inventory the services on machines and retrieve which accounts are being used to launch them? I have a list of service accounts based on the clients naming convention but i strongly suspect that that list is incomplete. Any assistance or guidance would be greatly appreciated. I've spent this afternoon experimenting with KQL but not satisfied with th eoutcome.
