XDR advanced hunting region specific endpoints
Hi, I am exploring XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions to switch to Microsoft Graph advanced hunting API. I had below questions related to it: 1. To fetch the region specific(US , China, Global) token and Microsoft Graph service root endpoints(https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints ) , is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and based on the response, the region specific SERVICE/TOKEN endpoints could be fetched? Since using it, there is no need to maintain different end points for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch OpenID config document for a tenantID in any region? 2. As per the documentation, Microsoft Graph Advanced hunting API is not supported in China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use Microsoft XDR Advanced hunting APIs(https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support all region tenants(China, US, Global)?
Secure score not improving after implementing ASR
I need some help on the following; Improving secure score for one of our customers. For example, the secure score is improving for identity. I implemented user risk and sign in risk CA policies on the 14th and on the 18th defender is increasing the secure score However i also implemented ASR rules 23rd of september but it still says ASR are recommended actions. Etcetera. I powershelled into one of the targeted endpoints and confirmed the ASR rules are active on the machine. Connector is on The are using Crowdstrike as primary AV. Can the 2 AVs work together so the score gets updated for device? Would i need to manually create exeptions for every rule? I hope not.. Thank you in advance. Regards, Andrew
Secure Score - Vulnerability Exceptions Not Registering
I have followed the guide to configure the proper permissions to manage within Defender. Device groups have been created based off tags we applied to the devices, and the device groups register the expected number of devices. We apply an exception to the vulnerability recommendation based off the device group, looking at the individual device pages we can confirm the recommendation is excluded and it all appears to work as intended up to this point. The problem starts on the vulnerability dashboard. The recommendation shows it is in partial exception status however none of the statistics or data reflect this including our secure score. I can confirm making a global exception works as expected and we can see the score adjust properly. Has anyone experienced this before or have any pointers? We have been working at this for weeks trying different things without luck, we are ensuring to leave adequate sync times.Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via: Path: Settings > Microsoft Defender XDR > General > Preview features Under this section, users can opt into three distinct integrations: Microsoft Defender XDR + Microsoft Defender for Identity Microsoft Defender for Endpoint Microsoft Defender for Cloud Apps Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy. This raises important questions about: What specific technical capabilities are introduced by each preview feature? Where exactly are these feature parameters are reflected in the MDE console? What happens if an organization chooses not to enable these preview features? Are there alternative ways to access similar functionalities through public preview or general availability?
OpenSSL
We have the recommendation to update OpenSSL. However, we can not figure out how to actually do this. There seems to be no installed location of OpenSSL so how can we update this? I have found a few posts/comments that have led me to this page New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub but this doesn't actually help you at all. Going to OpenSSL's site for download just gives you a repository of files that don't actually update anything. So what are we supposed to do to get this remediated?
TVM still showing outdated vulnerabilities despite applications being up to date
Hi everyone, we’re using Microsoft Defender for Endpoint with Threat & Vulnerability Management (TVM) enabled. Lately, we've noticed that certain vulnerabilities (e.g., CVEs in browsers or third-party software) continue to be flagged on devices, even though the affected applications have been updated weeks ago. Example scenario: The device is actively onboarded and reporting to Defender XDR The application has been updated manually or via software deployment The correct version appears under Software Inventory However, the CVE still shows up under Weaknesses Has anyone experienced similar behavior? Are there any best practices to trigger a re-evaluation of vulnerabilities or force a TVM scan refresh? Would a device reboot or restarting the MDE service help in this case? Any insights, suggestions, or known workarounds would be greatly appreciated. Thanks in advance!
How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message the Defender XDR portal, and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that was doing this using my Global Admin account. Did some research and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.Secure Score - gMSA not recognized ("Change service account to avoid cached password in registry")
Hello, we have several SQL Servers who were marked as "exposed devices" in the secure score recommendation "Change service account to avoid cached password in windows registry". The remediation option called for the use of "group Managed Service Accounts" ("gMSA"). We implemented those gMSAs. However, the servers are still marked as exposed. What did we do wrong? Is this a false-positive? I already did some checks with the help of Microsoft Copilot - there are no cached credentials for the gMSAs present, the Accounts are correctly set up (they are working for SQL Server services), and we don't use Microsoft Defender for Identity (if that is needed). Any advises? Thank you very much!
Change service account to avoid cached password in windows registry
Hi , In Microsoft 365 defender > secure score there's a recommendation for me saying "Change service account to avoid cached password in windows registry" , and I can see multiple MSSQL services falling into this recommendations . But the remediation is not very clear , what should I need to do in here ? Thanks ,Full Automation Capabilities in Linux OS
Hello eveyone, We have configured Defender to detect viruses, and our goal is that if one of our assets downloads or encounters a virus, it is automatically hidden or removed. Based on the documentation regarding the automation levels in Automated Investigation and Remediation capabilities, we have set it to "Full - remediate threats automatically." While this works correctly on Windows devices, we have noticed that on Linux devices, the defender still detect the virus but it was not prevented. I was wondering if anyone has encountered this issue and, if so, how it was resolved? Additionally, as I am new to the Defender platform, I wanted to ask if could this issue potentially be resolved through specific Linux policies or functionalities? Best regards Mathiew
