How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message the Defender XDR portal, and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that was doing this using my Global Admin account. Did some research and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.Monthly news - April 2025
Microsoft Defender XDR Monthly news April 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has it's own Monthly News post, have a look at their blog space. ⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best. April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast Microsoft Secure - Home - Microsoft Secure registration home page. New episodes of the Virtual Ninja Show has been published, covering various products and scenarios. Microsoft's Zero Trust approach Resolving high CPU utilization in Microsoft Defender Antivirus Microsoft Defender for Endpoint Client Analyzer overview Mastering onboarding issues with Defender for Endpoint Client Analyzer Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer Connecting your Apps to Defender for Cloud Apps Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel What’s new in Microsoft Defender XDR at Secure 2025 (Webinar) Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement) The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search. (Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. Blog post: Transforming public sector security operations in the AI era Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense? (Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details. The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365. You can now link Threat analytics reports when setting up custom detections. Learn more Microsoft Defender for Endpoint Update to the Microsoft Defender Antivirus group policies documentation. Learn more Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more New video (9 mins): How Microsoft is redefining endpoint security New documentation: Troubleshoot Microsoft Defender Antivirus scan issues Microsoft Defender for Office 365 User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzea these reported messages and provides result on the User reported tab of Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List. This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet. Microsoft Defender for Cloud Apps (GA) Unified Identity inventory now general available. Learn more Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time. Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn: Real-world examples of OAuth attacks New pre-built templates and custom rules to simplify app governance How to quickly identify and mitigate risks from high-risk or suspicious apps Best practices for operationalizing app governance to improve your security posture These workshops are designed to accommodate global participation, with flexible date and time options. Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks. Microsoft Defender for Identity Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment. New health issue for cases where sensors running on VMware have network configuration mismatch. The Identities page under Assets has been updated to provide better visibility and management of identities across your environment. New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment. Microsoft Security Blogs Silk Typhoon targeting IT supply chain Malvertising campaign leads to info stealers hosted on GitHub New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware StilachiRAT analysis: From system reconnaissance to cryptocurrency theft Analyzing open-source bootloaders: Finding vulnerabilities faster with AI Threat Analytics (Access to the Defender Portal needed) Vulnerability Profile: CVE-2024-40711 – Veeam Backup Activity profile: Moonstone Sleet using Qilin ransomware [TA update] Actor Profile: Secret Blizzard Actor profile: Berry Sandstorm Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices [TA update] Actor profile - Swirl Typhoon Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software Activity profile: Lumma Stealer spreads via YouTube video descriptions [TA update] Actor profile: Aqua Blizzard Tool profile: Latrodectus Vulnerability profile: CVE-2025-26633 Tool profile: WinRing0 Activity profile: Storm-0485 phishing activity Activity profile: Silk Typhoon targeting IT supply chain Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks Threat overview: Business Email Compromise [Snapshot] Actor profile: Storm-2372 [TA update] Actor profile: ZigZag Hail Actor profile: Storm-0287 Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application Actor profile: Yulong Flood Vulnerability profile: CVE-2024-43451- NTLM Hash Disclosure Spoofing Vulnerability Tool profile: FrostyStash [TA update] Tool profile: Mimikatz Tool profile: Mamba 2FA Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America [TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway [TA update] Actor profile: Silk Typhoon Seamless SSO Abuse via AADInternals [TA update] SystemBC Tool Profile Vulnerability profile: CVE-2025-22224 – VMwareDeploy Microsoft Defender XDR today and start protecting your entire digital estate
The average organization now hosts 351 exploitable attack pathways, says Microsoft’s 2024 State of Multicloud Security Risk Report 1 , so it’s no wonder leaders across sectors are calling for enhanced protection of high-value assets within applications, email, endpoints, identity, and more. But deploying a comprehensive security solution like Microsoft Defender XDR can be a big lift, especially in organizations using legacy systems or a mix of third-party tools. Complex integrations and configurations combined with common issues like limited staffing resources can further delay or even prevent full product implementation. Fortunately, FastTrack for Microsoft 365 is ready to help streamline your security product deployment and today we’ll explain how. In this blog, you’ll learn: Why Microsoft Defender platform adds value beyond security. How to deploy Microsoft Defender efficiently and securely using Microsoft admin center advanced deployment guides. Answers to FAQs. Microsoft Defender: The industry leading 2 , XDR solution with added value Microsoft Defender protects your entire organization with a unified security platform that consolidates multiple security functions (e.g., endpoint, identity, cloud security) under a single tool. This comprehensive coverage creates overlapping security, which strengthens overall security and helps reduce workloads for security and IT teams. And while in some cases, transitioning security systems can create vulnerabilities in the short term, FastTrack engineers at Microsoft have solved for this by providing incremental security coverage as you wind down third-party point solutions. We’ll describe this in more detail later on but first let’s go over the Microsoft Defender platform. The Microsoft Defender platform: Microsoft Defender for Endpoint Helps prevent, detect, investigate, and respond to advanced threats with next-gen antivirus, endpoint detection response (EDR), automated investigation, and prioritized remediation capabilities. Microsoft Defender for Endpoint setup guide Microsoft Defender for Office 365 Protects email and collaboration tools like SharePoint, OneDrive, and Microsoft Teams against advanced threats, i.e., phishing, business email compromise, and malware attacks. Microsoft Defender for Office 365 setup guide Microsoft Defender for Identity Protects on-premises Active Directory from targeted attacks with signals that identify, detect, and investigate compromised identities and malicious insider actions. Microsoft Defender for Identity setup guide Microsoft Defender for Cloud Apps A Cloud Access Security Broker (CASB) that uses rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across cloud services. Gain visibility into Shadow IT, discover cloud apps in use, control and protect data within apps, and detect and respond to threats across all potential threat vectors. Microsoft Defender for Cloud Apps setup guide Microsoft Defender XDR, powered by AI, integrates seamlessly with other Microsoft 365 products and security tools Seamless integration provides for stronger, more consistent, automated security across the entire software ecosystem. For example: Microsoft Defender is embedded with Microsoft Sentinel Microsoft Sentinel is a new FastTrack offering. It’s a very powerful cloud-native, AI-powered security information and event management (SIEM) solution that helps teams address top cyberthreats, including ransomware attacks, by: Enriching data with machine learning: Sentinel employs machine learning to enrich data with Microsoft's threat intelligence, the secret ingredient that fuels capabilities, including threat hunting, detecting, investigating, and responding to threats across an ecosystem. Reducing “alert fatigue”: Sentinel filters through billions of signals, correlates them into alerts and incidents, and even prioritizes incidents. This allows for more efficient and cost-effective remediation strategies and reduced alert fatigue for SOC teams. Microsoft Defender integrates with Azure’s Microsoft Defender for Cloud Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that secures full-stack workloads, end to end, across Amazon Web Services, Google Cloud Platform, and Azure Cloud Services with constant cyberthreat monitoring at the code level. How to deploy Microsoft Defender security products efficiently and securely Because each organization’s deployment scenario will be as unique as the organization itself, Microsoft engineers designed Defender to be highly customizable and able to accommodate a variety of different scenarios. However, no one should let complexities surrounding custom configurations delay deployment. FastTrack for Microsoft 365 is here to help With a variety of self-serve resources, detailed documentation, automated, step-by-step deployment guides, and even one-on-one assistance (with an eligible license), FastTrack can help you reduce complexity and get your Microsoft Defender products up-and-running quickly. Here’s how to start: 1. Visit the Microsoft 365 Setup site Regardless of license status or credentials, start your journey at the Microsoft 365 Setup site for open, self-service access to detailed setup guides, on-demand videos, and helpful blogs to plan secure and efficient Microsoft Defender deployment workloads. 2. Sign in to the Microsoft admin center Once your organization owns a license and you’re ready to deploy, sign in to the Microsoft admin center and access Microsoft Defender advanced deployment and setup guides. 3. Deploy using Microsoft Defender advance deployment guides Start with zero trust Microsoft Defender for Endpoint setup guide Microsoft Defender for Office 365 setup guide Microsoft Defender for Identity setup guide Microsoft Defender for Cloud Apps setup guide These streamlined, automated guides combine detailed documentation with stateful personalization, so you know you’re following the right instructions for your organization’s scenario. The step-by-step instructions also lead you through the correct order of operations so you can be confident you’re setting up each Microsoft Defender solution correctly, from beginning to end. Microsoft Defender setup guides: What to expect once you get there Each Microsoft Defender setup guide follows a similar pattern. They begin with an Overview, describing foundational prerequisites and Requirements, then have you identify your organization’s particular Scenario and goals, before walking you through your recommended Deployment and Configuration steps based on your scenario and Microsoft’s best practices. Let’s walk through the Microsoft Defender for Endpoint guide as an example: Microsoft Defender for Endpoint setup guide Arrive at Overview (see above) to learn more about the Defender setup guide and watch a short video. Follow the subway navigation and review Microsoft Defender for Endpoint’s minimum setup requirements to make sure you’re ready for a secure setup experience before you begin. At Scenario, identify your organization’s current security situation and your goals, for example: Do you already have an endpoint security solution in place? Would you like to see how Defender for Endpoint works before rolling it out? Do you want help designing configurations? At Deployment, find Microsoft’s recommended next steps based on your Scenario. These steps include: Preparation: Key points to consider as you prepare for migration. Setup: Guidance on which specific steps you should carry out next. Onboarding to your tenant: Advice on how to onboard while protecting other platforms in your environment. 5. Lastly, Configuration is where you’ll configure various settings and learn more about: Attack surface reduction Mobile threat defense Next-generation protection Auto remediation and investigation Microsoft Secure Score Endpoint detection and response Threat and vulnerability management Frequently asked questions Transitioning to or implementing a new security suite can be tricky. However, Microsoft Defender setup guides have been designed to eliminate as much risk and friction as possible from the deployment process. They also do a great job of anticipating and addressing questions admins frequently ask. Here are a few frequently asked questions and answers: How do I securely migrate to Microsoft Defender for Office 365? Read this Learn article to understand securely migrating from a third-party protection service or device to Microsoft Defender for Office 365. How should I deal with urgent security incident response issues? Get a better understanding of the complex threats affecting your organization. Subscribers to Defender Experts for Hunting can engage with their own security incident response teams to address urgent security incident response issues. Where can I go to learn how to fix onboarding issues myself? Microsoft Defender for Endpoint Microsoft Defender for Identity Microsoft Defender for Office 365 Microsoft Defender for Cloud Apps 4. Does Microsoft offer training for Microsoft Defender? Yes! To get started with Microsoft Defender training, browse the list of learning paths, and filter by product, role, level, and subject. Need additional assistance? Whether you have a few questions or want assistance with deployment of your entire Microsoft Defender suite, FastTrack Engineers and Partners are ready to help. Eligible customers can request direct, remote assistance from FastTrack for Microsoft 365. [1] Microsoft’s 2024 State of Multicloud Security Report [2] Microsoft Defender was named an XDR leader in The Forrester Wave: XDR platforms, Q2 2024, receiving top scores in 15 of 22 criteria, including Endpoint Detection, Threat Hunting, and Innovation.What’s new in Microsoft Defender XDR at Secure 2025
Protecting your organization against cybersecurity threats is more challenging than ever before. As part of our 2025 Microsoft Secure cybersecurity conference announcements, we’re sharing new product features that spotlight our AI-first, end-to-end security innovations designed to help - including autonomous AI agents in the Security Operations Center (SOC), as well as automatic detection and response capabilities. We also share information on how you can expand your protection by bringing data security and collaboration tools closer to the SOC. Read on to learn more about how these capabilities can help your organization stay ahead of today’s advanced threat actors. Expanding AI-Driven Capabilities for Smarter SOC Operations Introducing Microsoft Security Copilot’s Phishing Triage Agent Today, we are excited to introduce Security Copilot agents, a major step in bringing AI-driven automation to Microsoft Security solutions. As part of this, we’re unveiling our newest innovation in Microsoft Defender: the Phishing Triage Agent. Acting as a force multiplier for SOC analysts, it streamlines the triage of user-submitted phishing incidents by autonomously identifying and resolving false positives, typically cleaning out over 95% of submissions. This allows teams to focus on the remaining incidents – those that pose the most critical threats. Phishing submissions are among the highest-volume alerts that security teams handle daily, and our data shows that at least 9 in 10 reported emails turn out to be harmless bulk mail or spam. As a result, security teams must sift through hundreds of these incidents weekly, often spending up to 30 minutes per case determining whether it represents a real threat. This manual triage effort not only adds operational strain but also delays the response to actual phishing attacks, potentially impacting protection levels. The Phishing Triage Agent transforms this process by leveraging advanced LLM-driven analysis to conduct sophisticated assessments –such as examining the semantic content of emails– to autonomously determine whether an incident is a genuine phishing attempt or a false alarm. By intelligently cutting through the noise, the agent alleviates the burden on SOC teams, allowing them to focus on high-priority threats. Figure 1. A phishing incident triaged by the Security Copilot Phishing Triage Agent To help analysts gain trust in its decision-making, the agent provides natural language explanations for its classifications, along with a visual representation of its reasoning process. This transparency enables security teams to understand why an incident was classified in a certain way, making it easier to validate verdicts. Analysts can also provide feedback in plain language, allowing the agent to learn from these interactions, refine its accuracy, and adapt to the organization’s unique threat landscape. Over time, this continuous feedback loop fine-tunes the agent’s behavior, aligning it more closely with organizational nuances and reducing the need for manual verification. The Security Copilot Phishing Triage Agent is designed to transform SOC operations with autonomous, AI-driven capabilities. As phishing threats grow increasingly sophisticated and SOC analysts face mounting demands, this agent alleviates the burden of repetitive tasks, allowing teams to shift their focus to proactive security measures that strengthen the organization’s overall defense. Security Copilot Enriched Incident Summaries and Suggested Prompts Security Copilot Incident Summaries in Microsoft Defender now feature key enrichments, including related threat intelligence and asset risk –enhancements driven by customer feedback. Additionally, we are introducing suggested prompts following incident summaries, giving analysts quick access to common follow-up questions for deeper context on devices, users, threat intelligence, and more. This marks a step towards a more interactive experience, moving beyond predefined inputs to a more dynamic, conversational workflow. Read more about Microsoft Security Copilot agent announcements here. New protection across Microsoft Defender XDR workloads To strengthen core protection across Microsoft Defender XDR workloads, we're introducing new capabilities while building upon existing integrations for enhanced protection. This ensures a more comprehensive and seamless defense against evolving threats. Introducing collaboration security for Microsoft Teams Email remains a prevalent entry point for attackers. But the fast adoption of collaboration tools like Microsoft Teams has opened new attack surfaces for cybercriminals. Our advancements within Defender for Office 365 allow organizations to continue to protect users in Microsoft Teams against phishing and other emerging cyberthreats with inline protection against malicious URLs, safe attachments, brand impersonation protection, and more. And to ensure seamless investigation and response at the incident level, everything is centralized across our SOC workflows in the unified security operations platform. Read the announcement here. Introducing Microsoft Purview Data Security Investigations for the SOC Understanding the extent of the data that has been impacted to better prioritize incidents has been a challenge for security teams. As data remains the main target for attackers it’s critical to dismantle silos between security and data security teams to enhance response times. At Microsoft, we’ve made significant investments in bringing SOC and data security teams closer together by integrating Microsoft Defender XDR and Microsoft Purview. We are continuing to build upon the rich set of capabilities and today, we are excited to announce that Microsoft Purview Data Security Investigations (DSI) can be initiated from the incident graph in Defender XDR. Ensuring robust data security within the SOC has always been important, as it helps protect sensitive information from breaches and unauthorized access. Data Security Investigations significantly accelerates the process of analyzing incident related data such as emails, files, and messages. With AI-powered deep content analysis, DSI reveals the key security and sensitive data risks. This integration allows analysts to further analyze the data involved in the incident, learn which data is at risk of compromise, and take action to respond and mitigate the incident faster, to keep the organization’s data protected. Read the announcement here. Figure 2. An incident that shows the ability to launch a data security investigation. OAuth app insights are now available in Exposure Management In recent years, we’ve witnessed a substantial surge in attackers exploiting OAuth applications to gain access to critical data in business applications like Microsoft Teams, SharePoint, and Outlook. To address this threat, Microsoft Defender for Cloud Apps is now integrating OAuth apps and their connections into Microsoft Security Exposure Management, enhancing both attack path and attack surface map experiences. Additionally, we are introducing a unified application inventory to consolidate all app interactions into a single location. This will address the following use cases: Visualize and remediate attack paths that attackers could potentially exploit using high-privilege OAuth apps to access M365 SaaS applications or sensitive Azure resources. Investigate OAuth applications and their connections to the broader ecosystem in Attack Surface Map and Advanced Hunting. Explore OAuth application characteristics and actionable insights to reduce risk from our new unified application inventory. Figure 3. An attack path infused with OAuth app insights Read the latest announcement here AI & TI are critical for effective detection & response To effectively combat emerging threats, AI has become critical in enabling faster detection and response. By combining this with the latest threat analytics, security teams can quickly pinpoint emerging risks and respond in real-time, providing organizations with proactive protection against sophisticated attacks. Disrupt more attacks with automatic attack disruption In this era of multi-stage, multi-domain attacks, the SOC need solutions that enable both speed and scale when responding to threats. That’s where automatic attack disruption comes in—a self-defense capability that dynamically pivots to anticipate and block an attacker’s next move using multi-domain signals, the latest TI, and AI models. We’ve made significant advancements in attack disruption, such as threat intelligence-based disruption announced at Ignite, expansion to OAuth apps, and more. Today, we are thrilled to share our next innovation in attack disruption—the ability to disrupt more attacks through a self-learning architecture that enables much earlier and much broader disruption. At its core, this technology monitors a vast array of signals, ranging from raw telemetry data to alerts and incidents across Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems. This extensive range of data sources provides an unparalleled view of your security environment, helping to ensure potential threats do not go unnoticed. What sets this innovation apart is its ability learn from historical events and previously seen attack types to identify and disrupt new attacks. By recognizing similar patterns across data and stitching them together into a contextual sequence, it processes information through machine learning models and enables disruption to stop the attack much earlier in the attack sequence, stopping significantly more attacks in volume and variety. Comprehensive Threat Analytics are now available across all Threat Intelligence reports Organizations can now leverage the full suite of Threat Analytics features (related incidents, impacted assets, endpoints exposure, recommended actions) on all Microsoft Threat Intelligence reports. Previously only available for a limited set of threats, these features are now available for all threats Microsoft has published in Microsoft Defender Threat Intelligence (MDTI), offering comprehensive insights and actionable intelligence to help you ensure your security measures are robust and responsive. Some of these key features include: IOCs with historical hunting: Access IOCs after expiration to investigate past threats and aid in remediation and proactive hunting. MITRE TTPs: Build detections based on threat techniques, going beyond IOCs to block and alert on specific tactics. Targeted Industries: Filter threats by industry, aligning security efforts with sector-specific challenges. We’re proud of our new AI-first innovations that strengthen security protections for our customers and help us further our pledge to customers and our community to prioritize cyber safety above all else. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. We hope you’ll also join us in San Francisco from April 27th-May 1 st 2025 at the RSA Conference 2025 to learn more. At the conference, we’ll share live, hands-on demos and theatre sessions all week at the Microsoft booth at Moscone Center. Secure your spot today.
DeviceLogonEvents & IdentityLogonEvents
Hey, I'm trying to fetch login events via these 2 tables DeviceLogonEvents & IdentityLogonEvents, Advanced Hunting. which events will appear in the DeviceLogonEvents vs IdentityLogonEvents? are there events that will appear in DeviceLogonEvents and not in IdentityLogonEvents? or wise versa? as I understood, these table are based on Windows logon events? If yes, what is the mapping from the windows event to these tables? On DeviceLogonEvents, when Upn appears on the event? because sometimes it appears on Additional Info map and sometimes on AccountName, and sometimes it doesn't appear at all (some times weird username appear on the AccountName column) Thank you for your assistance
'Require User to sign in again option' missing from remediation actions
Hello everyone, I am encountering an issue with the Microsoft 365 Defender portal, specifically regarding the option in the remediation actions drop-down menu on the User Page. It is missing this 'Require user to sign in again' option and only displays the following – Any help would be appreciated.Defender XDR Unified Audit Logs
Hi, There used to be Unified Audit Logs -option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc. using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from Defender XDR or Purview portals?MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
