Blocked by organization policy : Antimalware policy block by file type
Hi Can someone please shed some light on this. I am trying to identify if a DLP or Anti-malware policy is blocking an email. The real-time detection has this: Primary Override : Source Blocked by organization policy : Antimalware policy block by file type Would this be one of the policies in policies & rules>threat policies> anti-malware ? I was hoping there would be a setting that can pin-point the policy name or rule. Please advise
How to Connect MS Secure Scores to Power Query?
The Microsoft 365 Defender Portal (https://security.microsoft.com/) has a 'Secure Score' page, which contains the following: An overall secure score which is then broken down by Identity, Data, Device, and Application secure scores. I would like to be able to pull these four scores into a Power BI report; however, I have had some difficulty in putting together a solution. This data seems like it could be found in the Microsoft Graph API, but https://learn.microsoft.com/en-us/power-query/connecting-to-graph. I've tried other Defender APIs, but they all seem either outdated or out of scope for what I'm trying to pull. Can anyone advise? Thanks for reading.
Copilot on-prem?
Hi all, I am doing a bit of research about Copilot in Microsoft Defender XDR. I was looking at how this could benefit different companies with their day-to-day tasks and in-depth analysis. It looks promising, but how about companies that deal with sensitive information? Yes, all companies have sensitive data, but what about medical facilities and government agencies? I’ve seen that Copilot adheres to several standards like ISO 27001, 27017, 27018, and a few more, but the data is still shared with Microsoft. I have looked at the possibility of hosting an AI tool on-prem, but Copilot only enables on-prem integration with data sources of M365 services. The reason why this isn’t available on-prem is because it would require significant computational resources. Another reason (I assume) is the daily updates that Copilot would need to keep its database of known threats up-to-date. So what I’m interested in is: What would it take to host Copilot on-prem? Is on-prem hosting for Copilot going to be enabled in the near future? For companies that work in a Microsoft environment and want to help their security analysts but don’t want to share sensitive information, what options does Microsoft offer (besides courses and training)?
Expiring server certificates
Hello. I have a question defender 365 displays information about expired and future certificates on given servers in a given localization. Why does defender display certificates that no longer exist on a given server? Is there any way to make this monitor work properly? clearing the cache on given servers or restarting the defender service on a given server also does not help and defender catches some certificate. Has anyone encountered something like this?
Secure Score per Device Group
Hello All, I want to ask if it's possible to add Secure Score calculation per Device Group/Tag in the Defender Secure Score Overview. We manage multiple devices, some of which are handled by local IT and in different domains. We need a separate secure score calculation since it gives us an initial metric of where we are compared to other domains/device groups. You already have the option in Vulnerability Management> Security Recommendations (per device group),can we have it for Secure Score also? Best Regards, NickRemove access rights on suspicious accounts with the Admin SDHolder permission
Hi, Can the Defender Team please add more information regarding the improvement action "Remove access rights on suspicious accounts with the Admin SDHolder permission"? All sites appear to have this action triggered as "TO ADDRESS" but it displays "Users affected - No data to show" and under "Exposed Entities" it is blank with a line at the bottom displaying: {ISPM_REPORT_SUSPICIOUS_ADMIN_SD_HOLDER_USERS_TABLE_EMPTY_PLACEHOLDER} Just over 24 hours of initial detection the "Exposed Entities" section of "Remove access rights on suspicious accounts with the Admin SDHolder permission" now shows "No non-sensitive Admin SDHolder users" but it is still marked as "To address". Also please note the "More Information" links do not point to any useful or specific information for this improvement action. Thanks, Gary
