microsoft defender for endpoint

45 Topics

can we disable Multi Stage grouping in Sentinel/ Defender
Hi MS folks, is there a way to disable multi stage grouping in Sentinel/Defender. I understand the efficiently of this multi stage grouping feature, however, I like to see is there any way of disable it. Thanks XSplunk
dnivaraxTE
Jul 04, 2025 Place Microsoft Sentinel
64Views
0likes
1Comment
Insecure Protocol Workbook
Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting but when I go to open the template it is completely empty. Is the Insecure Protocol aka IP still supported and if so is there any newer documentation than the blog from 2000 around it? I am hoping to identify ntlm by user and device as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.
sjEntra
Jun 09, 2025 Place Microsoft Sentinel
149Views
1like
4Comments
Query for Windows Defender Activity changes
I was wondering what will be the best way to track changes via Windows Defender Activity.
ebstes
Nov 12, 2024 Place Microsoft Sentinel
163Views
0likes
3Comments
Azure Sentinel - Run Antivirus Scan using Logic App
Hello, I have to integrate antivirus run scan into azure sentinel using playbook (template Run MDE Antivirus - Incident Trigger). According to the prerequisites, I need to grant some permissions using powershell command. "Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App." From the powershell, I enter the following command: $MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxxxx' $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid I receive the following error message Get-AzureADServicePrincipal: You must call the Connect-AzureAD cmdlet before calling any other cmdlets. Any idea ? PS: I'm not a developper... Regards, HA
Solved
HA13029
Oct 07, 2024 Place Microsoft Sentinel
3.7KViews
0likes
9Comments
MDE DeviceNetworkEvents missing full URL for HTTPS traffic
Hiall , I've integrated Sentinel with some external TI feeds (like Phishtank, etc) and collected MDE DeviceNetworkEvents. It seems that most (if not all) HTTPS traffic (URL) is not fully logged. Example: https://cloudflare-ipfs.com instead of https://cloudflare-ipfs.com/xxx.dat. PS: with HTTP traffic I got the full URL with path, etc. It means that the URL doesn't match when trying to compare URL TI source (full URL) and URL (partial) generated by the browser. The goal is to push the IOC (in this case the URL) into the Indicators list. I don't want to populate the indicator with domain list because it can blacklist a full domain. Example : https://docs.google.com/presentation/d/e/2 It could be a phishing URL, but don't want to blacklist docs.google.com domain because it can contains valid URL... Any idea ? Regards, HA
HA13029
Jun 30, 2024 Place Microsoft Sentinel
338Views
0likes
0Comments
I am trying to implement a Logic App - playbook with incident trigger.
Hello I am trying to implement a Logic App - playbook with incident trigger. logic app fails with error Failed to trigger playbook Caller is missing required playbook triggering permissions on playbook resource /resourceGroups/Test/providers/Microsoft.Logic/workflows/test2', or Microsoft Sentinel is missing required permissions to verify the caller has permissions As i validated all the parameters and permissions seem correct i dont know what i am doing wrong. - Sentinel settings are correct - I give Microsoft Sentinel permissions to run playbooks. - added Microsoft Sentinel Responder ( Identity playbook) please see screenshots not to sure, why its says incident arm id missing? Many thanks for any ideas!
phyton_fun
Apr 07, 2024 Place Microsoft Sentinel
921Views
0likes
3Comments
Sigma rules into content gallery
Hello Community! I have been trying to work out a nice way to convert sigma rules available here: sigma/rules at master · SigmaHQ/sigma (github.com) Which are compatible with the microsoft365defener backend into analytic rules in Sentinel. After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However it seems that the only way to get rule templates in is via the content gallery. Is that correct? Before I embark on contributing a large pack of analytic rule templates it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this. It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing? Cheers, Jeremy.
Solved
jeremyhAUS
Feb 29, 2024 Place Microsoft Sentinel
1.7KViews
0likes
3Comments
Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures
Hello, We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR ( MicrosoftThreatProtection) and Defender for Endpoint ( MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistantly. It seems to be a known issue due to the following posts: - https://github.com/Azure/SimuLand/issues/23 - https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212 - https://github.com/Azure/Azure-Sentinel/issues/5007 Next to this issue I see almost no development on the data connectors API, is there some news to be spread how to enable data connectors automated in the future, since it seems to be moving to Content Hub. It is hard to find any docs about how to deploy this for example via Bicep!? Also I have a question regarding 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph, how would this be made possible?
Alfred_Schreuder
Feb 12, 2024 Place Microsoft Sentinel
1KViews
0likes
0Comments
Defender TVM Logs - "Coming Soon!", it has been over 12 months
Has anyone seen or heard anything about the Defender Advanced Hunting TVM integration with Sentinel? I would quite like to use it to create workbooks, but the Defender connector has displayed "Coming Soon!" for over a year now. Is this still on the roadmap, or is this a low priority.
-jmn-
Jan 29, 2024 Place Microsoft Sentinel
1.2KViews
0likes
2Comments
Block Computer Object / Azure Sentinel Playbook "Named Pipes Privilege escalation"
Hello MS Community, I have a question about the following Use Case. If some Hosts (Server / Clients) use the "Named Pipes privilege escalation", I would like to response automatically via Sentinel. I think to isolate / lock the coomputer object would be an good idea. Maybe someone had the same use case and have an solution for that toppic. Thanks a lot & best regards Kevin
KBraun94
Jan 24, 2024 Place Microsoft Sentinel
312Views
0likes
0Comments