incident management
72 Topics

How to Get the Most Out of MDVM Webinar - Q&A Overflow
This page is to address the questions that we did not have time to get to in our latest webinar: How to Get the Most Out of Microsoft Defender for Vulnerability Management (MDVM) on February 12, 2025. We will be posting answers to all questions that were submitted, so make sure to bookmark this page and check it regularly over the next week or so as we continue to update this space with answers. Thanks for your participation in our call! Check out the recording of this call here: https://youtu.be/dQL9CRKzVa8

Custom critical filter for EDR/XDR
Hello everyone, I would like to ask if somebody is trying to make a unique "critical" filter for alerts/incidents that need to be done as fast as possible? We have many high alerts and we are trying to figure out one to have a prio list with important notifications. Have you any ideas? Thank you.

Whitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions or the node machine he uses to initiate connections? So that it no longer generates them, or the incidents linked to these activities are automatically resolved. Thank you for your help. HKN

MDO query of EmailEvents is not accepted in the flow, which is causing the bad gateway error
When using the following MDO query of EmailEvents, it is working in the Defender control panel, but when applied through the 'Advanced Hunting' action in the Power Automate application it gives a bad gateway error. Is this query supported in this application?

Monitoring copied files on External drive - USB
Hello Guys, I struggle to find a way in Defender for EPP or other solutions to monitor when a user copied files to an external peripheral such as a hard drive or USB. Does someone have the procedure or documentation? NOTE: the Defender timeline can see when a user is plugging in a USB stick, but that's... Thanks!

"Open Wi-Fi Connection on one endpoint" - network name is "hidden for privacy"?
Background: We have Defender for Endpoint and Intune installed on our corporate Android devices. I'm not sure what changed recently, but we are now getting tons of alerts every day for Open Wi-Fi Connection on one endpoint. When I go in to investigate further, every alert says: Device ID : <<unique ID>> connected to an open Wi-Fi network : hidden for privacy. Is there any way to see what the actual network connected to is, to determine if this is a risk or if it just needs user education?

Administrative activity from a non-corporate IP address
Hi, Defender XDR raises incidents almost every day regarding OneDrive for Business sharing policies. The event description is: Change sharing policy: OneDrive Site Collection https://xxxx-my.sharepoint.com/personal/user_domain_fi; Parameters: property Share Using Anonymous Links True, property Share With Guests, property ShareUsingAnonymousLinks From False To True, property ShareUsingAnonymousLinks - New Value True. Anonymous links are not allowed, and when checking the user's OneDrive site collection settings after the alert it is still not allowed. Are these only false positives? The matched policy is Administrative activity from a non-corporate IP address and the Alert Product is Microsoft Defender for Cloud Apps. ~ Jukka ~

MSFT 365 Defender - Email & Collaboration email preview not working
Just curious, why is the email preview under Email & Collaboration (explorer) not working any more (All emails)? It says "Message details couldn't be found. When a message is soft deleted or hard deleted by the user or the admin, its details no longer exist in the mailbox or server". Is there a setting or permission that changed? As a note, I am doing all this activity as a global admin.