MSSP Multi-Tenant Handling with Lighthouse and Defender XDR
Hello, As far as I know an MSSP providers, leverages Azure Lighthouse to call and access multiple customer workspaces, which allows to manage analytics across tenants. My questions are: In the case of moving to Defender XDR, how would this be possible in a multi-tenant MSSP scenario? Even with Lighthouse, how does Defender XDR avoid merging incidents/alerts across different customers when the same entities are involved? How does Defender XDR differentiate identical IOCs (same IP, hash, etc.) that appear in multiple customers? Can MSSPs customize correlation logic to prevent false cross-tenant merges? Content Ownership & Sharing Most MSSPs do not want to share their proprietary content (custom rules, detections, playbooks, analytics, etc.) with customers. How is Defender XDR approaching this requirement to ensure MSSPs can operate without exposing their intellectual property? Example: Customer Test 1 has a port scan incident from IP 10.10.10.10. Customer Test 2 also has a port scan incident from the same IP 10.10.10.10. In Sentinel today, these would remain separate. But in Defender XDR, would these two alerts risk being merged into a single incident because the same entity is detected across tenants? Thanks in advance for any clarification.
Advanced Hunting Custom detection rule notification cannot be customized
Hello, We have a case with both Microsoft and US cloud about the custom detection rule created by a query. The problem that we have is that I want to send the rule's notification to an email group. However, after about 2 months of investigations, I was advised below: "We can go one of two routes. Either the alerts from Defender can be ingested into sentinel based on the custom detection rule you created, or the Entra Sign-in logs can be ingested allowing Sentinel to check the logs itself." Could you please help us find an easier solution for the notification or create a feature request so that we could have the configuration of notification for custom detection rules when creating the alert?
Unable to add Endpoints and Vulnerability management in XDR Permissions
Hi, I have defender for endpoint running on obver 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3. I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. I have gone into Settings > XDR > Workload settings, and can only see the below There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management. Really scratching my head here. Help?Unable to query logs in Advanced Hunting
Hi Community, Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated or Timestamp column usage in KQL is not working in Microsoft XDR Advanced Hunting at all. Example KQL in Advanced Hunting below: DeviceImageLoadEvents | where Timestamp >= ago(1h) | limit 100 The above yields no results in AdvancedHunting pane. However, if you use ingestion_time() you see the results which also gives TimeGenerated/Timestamp but cannot filter on that in the KQL. It seems like a bug to me. Does anyone face the same issue or can someone help? Thanks
Suggestion: Centralize Microsoft Defender XDR Role Management into Microsoft Entra ID
Microsoft Entra ID has evolved into a strong, centralized identity and access management solution. Likewise, the Defender XDR portal (formerly Microsoft 365 Defender) provides a unified experience for security monitoring, investigation, and response across endpoints, email, identities, and more. These tools are critical to modern SecOps. However, managing access across them is still more complex than it needs to be. Key challenges: Dual RBAC confusion: Defender for Endpoint uses its own RBAC system, separate from Entra ID. This leads to misunderstandings — for example, assigning a user the Security Reader role in Entra ID might not grant expected access in Defender once Defender RBAC is enabled. Hidden roles: Roles like Defender for Endpoint Administrator aren’t visible in the Entra portal, making centralized management harder. Access risks: Enabling Defender RBAC can revoke access for some users unless they’re added manually to MDE role groups — often without clear warning. Admin overhead: Managing permissions separately in Entra and Defender adds duplication, friction, and potential for misconfiguration. Suggestions Let’s build on the strength of Microsoft Entra ID by moving all Defender role assignments into Entra, where identity and access is already managed securely and consistently. Goal: Use only Entra ID roles to manage access to the Defender XDR portal — eliminating the need for custom RBAC roles or portal-based configurations in MDE, MDO, or MDI. Benefits of this change: Centralized, consistent access management across Microsoft security solutions Simplified admin experience with reduced configuration errors Better alignment with Zero Trust and least-privilege principles Clear, discoverable roles for Security and SOC teams Seamless experience during role onboarding/offboarding Suggested new Entra built-in roles for Defender XDR: Defender Endpoint Security Administrator Defender Email Security Administrator Defender Cloud Security Administrator SOC L1 Analyst (read-only) SOC L2 Analyst (response) SOC L3 Analyst (hunting) Defender XDR Administrator / Engineer Vulnerability Analyst Microsoft has done a fantastic job modernizing Entra and unifying security visibility in Defender XDR — and this would be a great next step forward. #MicrosoftEntraID #MicrosoftDefenderXDR #SecurityOperations #IAM #RBAC #CloudSecurity #ZeroTrust #MicrosoftSecurity #SecOps #SOC
Clarification on AADSignInEventsBeta vs. IdentityLogonEvents Logs
Hey everyone, I’ve been reading up on the AADSignInEventsBeta table and got a bit confused. From what I understand, the AADSignInEventsBeta table is in beta and is only available for those with a Microsoft Entra ID P2 license. The idea is that the sign-in schema will eventually move over to the IdentityLogonEvents table. What I’m unsure about is whether the data from the AADSignInEventsBeta table has already been migrated to the IdentityLogonEvents table, or if they’re still separate for now. Can anyone clarify this for me? Thanks in advance for your help!MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?Data at rest Europe
Why in the world would MDE and XDR default ro Europe when our entire cloud services host oir of eastus? Data at rest shows Europe instead of eastus which is oue default tenant. Also the fact that XDR setup failed to ask set region is biggest bug in this stack along with MDE. what would have caused these two to get setup in europe and is thia configurable somewhere defender portal or other portal? I have read all the docs with only option would be to redo the entire setup. If we decided to start from beginning who holds the key to set desired region for all these modules? Is this EA, Tenant Admin, Microsoft Support? also streaming logs inter continental from Europe to log analytics in eastus, whats the cost ingestion? I show several pricing model but with my use case i need ti know dollar amount per gig for both. Not happy how illusive defender operates if not careful during initial setup from admin perspective or it could have been microsoft that managed to click through without lookingWhere and how is AI used in Defender XDR?
Hi everyone, i was searching for an overview of where and AI is used in Defender XDR. Do you have a quick oversight of this? That would be great. Also how this data is used for training and decisions. I know it is used in Attack disruption and Copilot for Security ( ;) ) - but i need a complete list. BR Stephan
