We’re utilizing Defender Vulnerability Management for endpoints and servers and for a real time view of current vulnerability it is doing great. My management are wanting reports and dashboards to show current state and be able to show vulnerabilities remediated over time. Are there any packages available to do this? I know the API is quite extensive but we don’t have capacity to build anything custom.

In particular the information we’re lacking is getting visibility into the lag time for remediation. Being able to say “this vuln came out on this date and affected these machines, 72% were remediated after 5 days, 10% after 7 days, these machines are left”. There doesn’t seem to be any sort of event history for individual machines to show when a vuln was detected and when it was resolved.

We are moving back to Exchange Online Protection as we begin to look for another email filtering system. We have had horrible experiences with EOP, but are at this moment forced to go back for now due to regulations. Does anyone have any best practices for setting up EOP to filter out as much spam as possible? I know you have to monitor it, but I thought I had remembered there being a link to someone who had created a bset practices for settings for EOP.

Hey, does anyone know why DeviceTvmBrowserExtensions is missing from advanced hunting? Do you have it?

Hi there,

I have a question regarding the Defender XDR AIR Capabilities & Licensing.

Maybe someone can help me :)

It's a bit wierd documented in the MS Learn Articels , or maybe iam getting something wrong :|

• Based on my Knowledge , within Tenants as of 2020 Defender AIR Capabilties are set to "Full Remediate" per Default.
• Defender for Business > Default = Full Remediate , with no possibilty to set Device Groups and Remediation Level
• Defender for Endpoint P2 > Default = Full Remediate with the possibiltiy to break down to Device Groups and set Remediation Level.

This is confirmed by this Article:

https://learn.microsoft.com/en-us/defender-endpoint/configure-automated-investigations-remediation

BUT , i stumbled across another article

https://learn.microsoft.com/en-us/defender-xdr/m365d-configure-auto-investigation-response#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender

which states different things , like

• you need to configure remediation level with device groups (in Endpoint Settings)
• Following Licenses are needed :

https://preview.redd.it/vabtx0uribge1.jpg?width=693&format=pjpg&auto=webp&s=d1a7882520d9c84a05cda5297d59c8b8825f52d2

They thing is the same configuration way is stated in both articles , so iam quite unsure what exactly is the case.

Thanks

https://preview.redd.it/iw14762a5bge1.png?width=501&format=png&auto=webp&s=e832ed96360ecc2b3f8143ef5db047bb5fb593ad

Hello everybody,

today we detected that several servers are containing an error in Intune because a policy didn't get applied to several machines.

Anyone has got any idea if we can list these devices with a KQL ?

Thx !

Hey all, I am looking for a list of all the possible incidents that might occur. I tried googling a bunch but nothing. Anyone here know where I could find something of the sort? Thanks!

Hi Folks , while we enable defender on Databases ( enable  SQL server on machine ) do we also need to enable on Server ( which is running SQL Server).

Also defender for Server cost - 15$ /server/month 

and SQL Server on Machine cost -15$/Server/month,  Separate cost for both will be applicable ?

https://preview.redd.it/4in0p3uqg7ge1.png?width=939&format=png&auto=webp&s=c985e6200ca830f001b3e2bfb46044beef91f14f

apart from enabling toggle do we need any addition configuration for enabling defender for Databases ?what is recommended setting of workspace for AMA configuration ( default or custom ) can we choose sentinel workspace ?

https://preview.redd.it/23o6qbyrg7ge1.png?width=485&format=png&auto=webp&s=429bb7b9d1b283b3cb5252bfeb0e4a219d104af3

Defender for Database - SQL Server

Hi

We have installed Azure ATP on all 30 domain controllers in our environment. While the sensor status for most DCs is showing as healthy, there are two DCs where the sensor status is in a running state but not healthy.

I have identified the following points (attached image) in the Defender portal. From the firewall and port side, everything appears to be in place. Could you please assist in troubleshooting and resolving this issue?

https://preview.redd.it/n2ck80apz5ge1.jpg?width=800&format=pjpg&auto=webp&s=70f8c05d2a557af440fb9980b0d6c29629ffe690

How do I fix Defender showing that servers are missing KB patches when I know they've been installed and the server restarted after? I so need some help and guidance from this community. Here's the back story.

Every month, our security office generates tickets for servers that are missing Server OS patches using Defender reporting. I appreciate them doing that.

My goal is that we never get one of those tickets. For almost a year, in almost every case, where we received the ticket, we've been able to show that KB was installed weeks prior and that the server was rebooted after. I currently have one server showing that it's missing a KB, but it was installed and reported in December. I can see in InsightVM, our vulnerability scanner, that the KB was installed.

Defender ATP shows the server agent to be healthy (all green lights) and is reporting in.

We can query the server with PowerShell to see that the hotfix is installed and that we've restarted after. I can also tell from our vulnerability scanner that the patches are installed as those vulnerabilities don't appear and the missing KB as reported by Defender is not one of the recommendations.

Thanks in advance!

We've started using Defender and have set up training campaigns for all of our current employees, and have also gone through our first simulation. I was looking around and didn't see an easy way to set up an automation for any new employees that are onboarded. Would like to see something like when a new user box is created/licensed that a training assignment notification email would go out to them with a list of training modules for them to complete. I did see in the simulation there was a "How-to Guide" to show how to use the reporting button; unfortunately, it wouldn't allow you to assign any training modules to that simulation either (I know with other simulations you could assign training modules after the simulation).

Am I missing something obvious on how to accomplish this? Or is this something that MS doesn't have implemented and we'll have to manually run like a monthly training assignment push for new employees?

does defender for business (included in business premium license) has "EDR in block Mode" feature ,i couldn't find a clear answer in the docs

Yellowhat is a security event brought to you by Microsoft Security MVPs. Sign up for a day filled with in-depth Microsoft Security talks and demonstrations, featuring solutions like Microsoft Defender (XDR), Microsoft Sentinel, Microsoft Purview, Microsoft Entra, AI-driven security, and more. Attendees will gain practical insights, real-world strategies, and opportunities to connect with security experts across the industry. The lineup includes a keynote by Raviv Tamir, Vice President for Product Strategy for the Microsoft Security division, along with sessions led by Roberto Rodriguez, Dirk-Jan Mollema, Mattias Borg, Thomas Neunheim, and other renowned Security MVP’s.

 When:

March 6th 2025

3:00 PM – 10:00 PM CET

Register here: https://yellowhat.live/

Stream for free or purchase an in-person ticket.

Hi, I'm in the process of migrating a test group to the Streamlined Defender.

However , I'm observing strange behavior , the devices are duplicating with one showing as onboarded with no device data and one that can be onboarded with sensor data ...

https://preview.redd.it/rqy88xjn3yfe1.png?width=853&format=png&auto=webp&s=5d74476630f64227716378cedbf868384bc42b8d

Anybody getting the same behavior ?

Thanks

Currently when we get alerts from Microsoft Defender, we are getting a detection time showing in UTC. For the life of me I cannot get this to go to our local timezone instead. Anyone have any ideas or fixed this in the past?

Can Azure Arc tool to control applications?

Hello, any advice / best practice for handling build pipelines with Defender is much appreciated. I am seeing false positives that break the pipeline. However I can’t find any good sources about how to go with this in the best way.

What to exclude with minimal impact or excluding and scanning the application afterwards? But I wouldn’t know how to achieve that automatically without disabling tamper protection which is not an option.

Thanks!!!!!

Dear community members,

I need some suggestions to improve the risk score. We have one ipad device in org that seems to have accessed some phishing or malicious link from device and due to which device risk score increased and conditional access policy blocked his certain access to company apps. These access alerts show up in the xdr console, which are in open state for same. I would like to know how we can address these issues and improve the risk score.

Any help would be helpful 😃

Hello,

I have added a file hash to the IOC on the defender portal, and the file is sat on the desktop of a device with defender for endpoint plan 1 installed. It doesnt appear to be removing the file.... does it take a while for IOCs to update on devices? is it supposed to just delete it (remediate)? or am I missing something?

Hello Defender community!

I’m currently working on managing removable devices like WPD and USB sticks using ASR rules and Device Control, and I’m hoping to get some suggestions from those who have already implemented something similar in their environments.

At the moment, I’ve set up a policy to block USB devices by using the rule "Prevent installation of devices using drivers that match these device setup classes," and I’ve provided the classes for USB devices to first block all, and then allow specific ones using the device instance ID from the device properties. This way, only the allowed devices bypass the block.

Our goal is to block all removable USB storage devices, except for the allowed ones. If anyone has any experience with this type of policy or has alternative methods they’ve implemented successfully, I’d really appreciate hearing from you!

Looking forward to your suggestions!

https://preview.redd.it/pgyrmfaa1jfe1.png?width=910&format=png&auto=webp&s=242bf53fa1c37359f522048659b892aaaac61b0b

Hi all :)

I'm facing to disable the above Microsoft Defender for Endpoint Security Recommendation. Im wondering because we have around 1.5k clients in our Environment (Entra Hybrid Joined) but the Exposed Devices section shows that only 19/20 clients are not configured as needed. I would like to test it before disabling this setting, but i don't know how...

What is DFE looking for applying this Recommendation to?
I have various combinations:
- Internet Explorer installed or uninstalled
- Windows 10 & 11
- Diffrent Version of Internet Explorer/MS Edge

I have tested the following. Enable the GPO for clients i know they are in the Exposed Devices.
Client is disappearing from the list. But, there was no change to run or install an unsigned .exe
Just Defender Smart Screen is promting.

I set up a VM, similar to one i had in my exposed Devices. (Windows10, no special configs or Software)
This VM does not even appear in the List.

Why is the Recommendation not applied to the VM, or what does it depend on?
Any guesses?

Update:
This Recommendation seems not to be compatible with Defender Smart Screen. I tested it in an clean environment where no GPOs except the default domain Policy are configured. There it works completely fine.

Why does DFE show only 20 devices in the Identitys list? ==> This is because the Registry Path does not exist. When it is created, the devices are shown in the list.

Cheers :)

Evening all, hopefully this should be a quick one to answer.

We have server 2012 R2 running defender and is onboarding in Office 365.

However we do not have the defender gui or even the option to install one under features in server manager.

Has anyone come across this before? And how do we get the defender gui on this server ?

Thanks

I've been tasked with logging when people are using their computers in the office, as distinguished from on VPN. I'd want to capture hands-on keyboard use to distinguish from a session started days ago because most users have two computers (laptops travel and desktop left in office), and desktops could have sessions for weeks, so AD 4624 logs are overrun with non-interactive stuff like fileserver/dc/printer connections. Entra logs are missing some logons/unlocks when in sight of a DC.

I've determined that MDE DeviceLogonEvents ("LogonSuccess", "LogonUnlock") are likely my best bet, but that table doesn't have IP addresses. I'm hoping to join the DeviceLogonEvents to the DeviceNetworkEvents table to pull the most recent IP address used on the machine.

I am open to the implementation that I've described or a better way to skin the cat. However, my advanced query is not working. Can you help fix one of these queries or reinvent the wheel?
Thank you.

let logonEvents = DeviceLogonEvents
| where ActionType in ("LogonSuccess", "LogonUnlock")
| where DeviceName contains "WORKSTATION" // enterprise workstation naming convention to ignore servers
| where AccountName !in ("serviceaccount1", "serviceaccount2") //ignore service accounts
| where AccountName !contains "$" //ignore machine accounts
| project Timestamp, DeviceName, AccountName

let networkEvents = DeviceNetworkEvents
| project Timestamp, DeviceId,

logonEvents
| join kind=inner (networkEvents) on DeviceId
| where networkEvents.Timestamp between (logonEvents.Timestamp - 1h) and (logonEvents.Timestamp + 1h)
| project logonEvents.Timestamp, logonEvents.DeviceName, logonEvents.AccountName, logonEvents.ActionType, networkEvents.RemoteIP
| order by logonEvents.Timestamp desc

I have an alternative query if that's a better starting point

let logonEvents = DeviceLogonEvents
| where ActionType in ("LogonSuccess", "LogonUnlock")
| project Timestamp, DeviceName, AccountName, DeviceId;

let networkEvents = DeviceNetworkEvents
| project Timestamp, DeviceId, LocalIP;

logonEvents
| join kind=inner (networkEvents) on DeviceId
| where networkEvents.Timestamp between (logonEvents.Timestamp - 1h) and (logonEvents.Timestamp + 1h)
| project logonEvents.Timestamp, logonEvents.DeviceName, logonEvents.AccountName, networkEvents.LocalIP;
| order by logonEvents.Timestamp desc

Hello Everyone,

Here's our current set up -

Domain Controllers are not synced over to Intune as Device Groups. However, they are still listed in 'Devices' as they are MDE onboarded.
I suppose this is by design

The problem -

Domain controllers are receiving AV policies from Intune- even though there's a filter that excludes them
The assigment is - All Devices with a a filter to include only Windows 10 & 11 machines

Goal -

How to remove applied policies?
How to apply the policies I want on those domain controllers?

Hi,

Is there a solution for the following vulnerability? Does anyone have any information or what precautions can we take? Do you have any recommendations?

https://www.bleepingcomputer.com/news/security/microsoft-365-anti-phishing-feature-can-be-bypassed-with-css/

Thank you,

So MDE is applying the Internet Faced tag on company laptops that have directly assigned a Public IP to their WIFI / Ethernet card. Recently we had an alert on an device triggered by an external scan on port 22. The attempt was failed ofc cause the laptop didn't have SSH port open.

The issue was observed on laptops connected to their home ISPs, which are directly assigning public IP addresses, making the devices exposed to the internet.

The common factor among these cases is the ISP, either Telia Network Services in Sweden or DNA Oyj in Finland. Is anyone else experiencing the same problem with Nordics ISPs?

https://preview.redd.it/mb1lnou4ypee1.png?width=851&format=png&auto=webp&s=7fbd82ea8bcf52a876803abd6a8df13a78177f25

Hi, Recently, we had an incident where malware accessed one of our user's web and login data.

After investigating the user's recent sign-ins, I noticed one login attempt in the Azure portal's sign-in logs showing a status of "Interrupt." The password was correct, but the MFA failed.

My main question is: the IP address is a Microsoft IP. Why could this be?

P.S.: I'm new to this field and currently in the learning phase.

Hi, is there an option on the Admin Portal to see / manage the list of safe senders that users add into their Outlook client?

I want our administrators to be able to see the addresses users are adding into their safe sender's list.

We don't want to have to do to each outlook individually.

Thanks

When you select a device from your inventory list you see a section “Device Health” in the overview page.

That section displays information about the platform, engine and security intelligence status. I can see the versions but the State Circle or greyed out. Above it said “Security Intelligence update status unknown +4 more issues”. I have run the client analyzer - no issues, I have waited +48H and I have tested the connection, I checked if the configuration is fine - yes… so really I have no clue why it can’t refresh the data reliable - this issues shows on about 1/3 of all devices.

Hi,

I used an on-prem only domain admin account to dump our password hashes for an audit, defender disabled and contained the account and from within the action centre I was able to undo the actions however I'm not not able to login to any domain controller from said account, I can login to other servers and workstations, any ideas why?