Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

threat intelligence

41 Topics

Newly Created DfE Device Groups not immediately usable
I created a device group via https://security.microsoft.com/securitysettings/endpoints/machine_groups to apply a custom Indicator URL block for a single device based on an exact device name match. I ensured that the device is matched with the group rule using the Preview Device feature. Immediately after creating the device group, I clicked on Apply Changes on the device group page but after an hour, the device group still shows 0 device members and is not yet visible when creating the custom TI URL rule. It's extremely frustrating when we need to respond quickly to threats but have to wait for back-end replication/scripts to run just for creating and using a Defender device group.
Brian_ATL
Mar 26, 2025 Place Microsoft Defender XDR
155Views
0likes
7Comments
Microsoft Defender Smartscreen doesn´t block via CMD
Hi there, I have noticed that Defender Smartscreen blocks an unrecognized application, but the same behavior is not seen via command line. Is there a way to setup so both ways get blocked? Thank you,
joao_ramos
Mar 20, 2025 Place Microsoft Defender XDR
112Views
0likes
1Comment
MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Salamat_Shah
Feb 23, 2025 Place Microsoft Defender XDR
54Views
0likes
1Comment
Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 🥰 I m observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?
dash14
Feb 23, 2025 Place Microsoft Defender XDR
62Views
0likes
2Comments
Anusorn Setraksa
email address removed for privacy reasons
anuson_gang
Nov 25, 2024 Place Microsoft Defender XDR
28Views
0likes
0Comments
Defender for Endpoints - Domain Controllers
Hi What is the correct process for managing and deploying policies for Windows server 2019 domain controllers. I know that Security settings management doesn't work on and isn't supported on 2019 DCs as per (https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?view=o365-worldwide#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management So how do I manage and get policies to a 2019 DC Thanks
Solved
Fhilp
Nov 25, 2024 Place Microsoft Defender XDR
8.4KViews
1like
4Comments
XDR Critical asset management - Custom classifications not picking up assets
Hi community, I tried creating a number of Custom classifications. For example, by creating a filter on Identity -> AD Roles, or Cloud resource -> Category -> virtual_machine. When previewing the filter during creation, it displays the desired results. The classifications are created without any errors. But when I go back after refreshing the page, the Custom classifications I just created contain "0" resources. Clicking any classification , on the Assets tab, they show zero members (assets). What did I do wrong? Best Regards, Andy
_AndyK
Oct 03, 2024 Place Microsoft Defender XDR
186Views
0likes
0Comments
Sent from Outlook for iOS links Being Quarantined in Defender
Hi, Microsoft seem to be falsely flagging their own shortening URL for hxxps://aka.ms/o0ukef as High Confidence Phishing This is the link that is created in emails when a user sends an email from Outlook for iOS This is causing a lot of emails to be blocked and sent to the Quarantine queue. Can someone at MS take a look and get this addressed.
Brok3NSpear
Jun 13, 2024 Place Microsoft Defender XDR
1.2KViews
0likes
4Comments
Recieving increasing number of phishing attempts mimicking Microsoft MFA QR Codes
Even though we are MS 365 defender customers for all our users (EMS + E3) we are receiving an increasing number of phishing attempts based on good looking MFA connection requests. Furthermore these are based on QR Codes, which can be used on a smartphone where the security rules will be helpless against such attacks. And these attempts are absolutely not filtered.
MGessner
Dec 26, 2023 Place Microsoft Defender XDR
12KViews
1like
15Comments
Blocked by organization policy : Antimalware policy block by file type
Hi Can someone please shed some light on this. I am trying to identify if a DLP or Anti-malware policy is blocking an email. The real-time detection has this: Primary Override : Source Blocked by organization policy : Antimalware policy block by file type Would this be one of the policies in policies & rules>threat policies> anti-malware ? I was hoping there would be a setting that can pin-point the policy name or rule. Please advise
virtual-tech
Nov 09, 2023 Place Microsoft Defender XDR
2.7KViews
0likes
0Comments