MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 🥰 I m observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?
Defender - Cloud Activity Logs suspicious
Hi, I just noticed this logs from Defender - Cloud Apps > Activity Logs, seems all our Microsoft Cloud PC has these logs, looks suspicious for me as it is querying our Domain Admins account it seems, but would like to confirm. If this is suspicious, can help how to mitigate this please, thank you.
XDR Critical asset management - Custom classifications not picking up assets
Hi community, I tried creating a number of Custom classifications. For example, by creating a filter on Identity -> AD Roles, or Cloud resource -> Category -> virtual_machine. When previewing the filter during creation, it displays the desired results. The classifications are created without any errors. But when I go back after refreshing the page, the Custom classifications I just created contain "0" resources. Clicking any classification , on the Assets tab, they show zero members (assets). What did I do wrong? Best Regards, AndyAttack Simulation Training in Chinese showing as garbled character
Hi All, We recently moved to a new mail security gateway and initiated an attack simulation training from Microsoft. The scenario include 2 recipient; one from exchange online(EXO) and the other is exchange 2019 mailbox(OP). OP mail flow will go through mail security gateway before delivering to enduser while EXO go through EOP. Thing is using same payload and simulation, email to OP user always show as garbled and the link inside will contain a space which break the link. Meanwhile email to EXO works just fine. I believe it has something to do with the encoding, does anyone come around this issue before? Thanks Y'all
Secure Score per Device Group
Hello All, I want to ask if it's possible to add Secure Score calculation per Device Group/Tag in the Defender Secure Score Overview. We manage multiple devices, some of which are handled by local IT and in different domains. We need a separate secure score calculation since it gives us an initial metric of where we are compared to other domains/device groups. You already have the option in Vulnerability Management> Security Recommendations (per device group),can we have it for Secure Score also? Best Regards, NickAn actor on NULL - ATP
I’m getting a lot of these messages below, I’m not sure what to do with them, tracing via my siem the process involved is lsass.exe, my suspicion is that it is Rapid7 performing vulnerability scans but just wanted to check if anyone else had similar issues? An actor on NULL performed suspicious account enumeration, exposing Guest, while trying to access <computer> clicking on null, as expected produces an error.
Blocked by organization policy : Antimalware policy block by file type
Hi Can someone please shed some light on this. I am trying to identify if a DLP or Anti-malware policy is blocking an email. The real-time detection has this: Primary Override : Source Blocked by organization policy : Antimalware policy block by file type Would this be one of the policies in policies & rules>threat policies> anti-malware ? I was hoping there would be a setting that can pin-point the policy name or rule. Please advise
