threat analytics
Remove access rights on suspicious accounts with the Admin SDHolder permission
Hi, can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS", but it displays "Users affected - No data to show", and under "Exposed Entities" it is blank with a line at the bottom displaying: {ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER}

Just over 24 hours after initial detection, the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users", but it is still marked as "To address". Also please note the "More Information" links do not point to any useful or specific information for this improvement action.

Thanks, Gary

Deep Dive into Preview Features in Microsoft Defender Console
Background for Discussion

Microsoft Defender XDR (Extended Detection and Response) is evolving rapidly, offering enhanced security capabilities through preview features that can be enabled in the MDE console. These preview features are accessible via:

Path: Settings > Microsoft Defender XDR > General > Preview features

Under this section, users can opt into three distinct integrations:

Microsoft Defender XDR + Microsoft Defender for Identity
Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps

Each of these options unlocks advanced functionalities that improve threat detection, incident correlation, and response automation across identity, endpoint, and cloud environments. However, enabling these features is optional and may depend on organizational readiness or policy.

This raises important questions about:

What specific technical capabilities are introduced by each preview feature?
Where exactly are these feature parameters reflected in the MDE console?
What happens if an organization chooses not to enable these preview features?
Are there alternative ways to access similar functionalities through public preview or general availability?

Secure Score per Device Group
Hello All, I want to ask if it's possible to add Secure Score calculation per Device Group/Tag in the Defender Secure Score Overview. We manage multiple devices, some of which are handled by local IT and in different domains. We need a separate secure score calculation since it gives us an initial metric of where we are compared to other domains/device groups. You already have the option in Vulnerability Management > Security Recommendations (per device group); can we have it for Secure Score also?

Best Regards, Nick

Accessing edge protection data from advanced hunting API
I am creating a Power BI report for visualizing Defender 365 data to external users that don't have access to the security portal using the advanced hunting API. The client would be interested in seeing the "edge protection" figures that are in the email & collaboration reports included in the Defender reports. But I can't seem to find the particular data anywhere in the Advanced Hunting data schema. Can I access the edge protection data from the API?

An actor on NULL - ATP
I'm getting a lot of these messages below, and I'm not sure what to do with them. Tracing via my SIEM, the process involved is lsass.exe; my suspicion is that it is Rapid7 performing vulnerability scans, but I just wanted to check if anyone else had similar issues?

An actor on NULL performed suspicious account enumeration, exposing Guest, while trying to access <computer>

Clicking on null, as expected, produces an error.