/r/DefenderATP
Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
This is a support community for those who manage Defender for Endpoint.
Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
I have my primary system, as well as several of my VMs (on a VMware server), all using Windows 10 Pro (22H2), but on one of the VMs, Defender is consuming 9-12% CPU constantly. If I disable Real-Time Protection, it drops to zero. My other systems all have it enabled, and almost always sit around 0% usage. I can't stand seeing one of my VMs sitting "idle" at 2 GHz, so I have the real-time protection disabled right now. Is there any way to see what it's actually doing? I've tried adding exclusions, even adding C:\ as a test, and it had no effect. I'm all in favor of the real-time protection, but not when it's running like this around the clock.
Hello guys, so I've been using Defender since July and tbh I love it, even though it seems complicated (and it is complicated), but I still love it. I ran it on 1500+ devices, so it is a bit of a hassle, but it was less than I expected. Now top management wants a report on how effective these months were, so I want to prepare something light, like the types of alerts it remediated (malware, ransomware and so on). Is there a way I can do this, i.e. find this information so I can prepare it? Preferably without KQL, but if it needs KQL then so be it. Thanks
We recently discovered users accessing YouTube proxy websites https://cdn[dot]youtubeunblocked[dot]live and https://www[dot]croxyproxy[dot]com in our environment. No problem, add the blocking indicator and apply. However, when I went to test it, the site was still showing up. We tried blocking directly on our fw, same story, no joy. The behavior was very odd though: we'd initially get a blocking message, but a refresh would bring it right up. Right now it's blocked in Edge but not in other browsers (yes, we have network protection enabled on all devices).
Packet captures are revealing that these websites are utilizing QUIC protocol instead of standard TCP. Google is telling us this is a newer web protocol that operates over UDP with encrypted packets and web content filtering is troublesome.
I'm going to talk to our network team next week about disabling QUIC via ports 80 and 443 on the fw but was wondering if there was anything else we could do via defender to stop the activity.
Hi!
The context is: in the case of a ransomware attack, is it possible to make all devices managed by MS Defender become isolated automatically? Assuming that Defender fails to detect the ransomware and doesn't perform any of its own remediation actions.
I know there is the manual option in the device section, but say you have 300+ devices, this would be quite onerous to click the button for each device. It would be great to have a button to isolate all devices bar a predefined set.
Thanks in advance!
Hi
Never deployed Defender and have little experience with VDI. I want to test the performance impact on VDI desktops if we onboard Defender. Is there some sort of baseline or pattern for what you should test and shouldn't do? I have briefly read the Microsoft documentation, but thought perhaps some people came across specific problems and what the lesson out of it would be. Thanks
Been getting these alerts from only one of the domain controllers. The alert is just failed logins for the administrator user from random endpoints (I would say a handful of endpoints). I suspect something funky, not malicious, is going on in the domain controller for X location. Local admin accounts are not managed by on-prem LAPS. I am not sure what is causing these MDI alerts to trigger. At first I suspected some automation in place that does not account for a rotating local admin password every few hours, but that is not the case. Have reviewed event logs on the culprit domain controller and it does in fact generate failed logins by administrator for reasons absolutely unknown. Any thoughts or opinions are much appreciated at this point :)
Edit:
This usually follows an Account enumeration reconnaissance alert. Note: none of this is malicious and it has no originating source. I suspect a misconfiguration in Advanced Auditing on the domain controller, not sure though?!
Is there any way to manually sync Web content filtering policies made in Defender to speed up the rollout to devices? If I make a policy change in https://security.microsoft.com/ Settings > Endpoints > Web content filter, it takes time for the change to take effect on the devices. Same for disabling Web Content filter altogether in Settings > Endpoints > Advanced features.
My company has recently switched to Defender from a 3rd-party AV solution. What I don't understand is: when an employee leaves, we typically remote wipe their device (Mac laptop) from Intune and then we can set it up for a new hire. The issue I'm noticing now is that Defender just keeps the entry for the laptop under Assets > Devices. Is there a new offboarding procedure I need to follow? Why would I need to download an offboarding package from the Defender portal to run on a recently wiped laptop? In fact I can't, because our setup is pretty much zero-touch: a wiped laptop just gets issued to the new hire, who immediately logs into Office 365 during bootup and enrollment, and apps get pushed automatically. How do I remove the Defender entry?
Hi,
I have a URL which I need to make available only for a specific group of people, while blocking it for all other users. The URL is an internal one.
I was taking a look at whether this could be achieved with Microsoft Defender XDR, but I can't seem to find a way to achieve this goal. My thought was using "Web content filtering", but it only allows the blocking of categories instead of an individual URL.
Has anyone had this kind of use case and know if Defender allows this?
Thanks
I am in the process of configuring Defender for Office 365 and found the CISA minimum viable secure configuration baseline. It recommends "preset security profiles should NOT be used"
I am curious if you use the preset or if you define specific policies.
Hello,
TL;DR:
Description :
We defined a restricted set of windows 10 machines that must be Managed by MDE (using the enforcement scope settings "apply to tagged devices").
To test that everything works as intended we manually tagged some devices with the "MDE-Management" tag; everything works so far, devices are enrolled, managed by MDE, and we can see / apply policies from Intune to these devices -> Nice!
Problem :
We defined a dynamic tagging rule through the Asset Rule Management which will add the tag "MDE-Management" to the devices that match a certain condition.
This rule works and applies a tag "MDE-Management" to the targeted devices; however (we triple checked the syntax of the tag), it seems to be misinterpreted by the portal as another tag.
Example :
[Screenshot: Double tags "MDE-Management"]
So in the screenshot above you can see :
- The first 2 machines have been assigned the "MDE-Management" tag only from the dynamic rule -> don't behave as expected (not managed by MDE).
- The last 2 machines have been assigned the "MDE-Management" tag from both methods (manually and dynamically) -> these are working as expected.
You can also notice the difference in terms of color on the tags...
Question :
- Has anybody experienced some weird behavior using a dynamic tagging rule and the MDE-Management tag?
- Are we doing something not supported?
PS: We waited like 1-2 days after creating the dynamic rule, and we triple checked the syntax of the tag for hidden chars / spaces and so on.
Is there any separate integration to do between Defender for Cloud Apps and Defender for Office & Identity, like the one we do for Defender for Endpoint?
Hi all!
Got a quick question I was hoping if someone can answer.
Newbie into security space so sorry in advance if the question does not make sense.
Defender is showing an incident as active and the alerts associated with it as new; however, upon checking the process tree, the said files are quarantined (remediation status = success). Is it to do with tuning on Defender, or should this have been closed automatically? The names of the alerts showing "New" status end with the term "was prevented".
Edit: Got Splunk feeding all Defender logs and nobody touches Defender incidents/alerts (not sure if it's best practice); did check the endpoint and no sign of said files exists, so assuming Defender did do its job.
Can anybody share some KQL to query what files may have been copied to a google drive?
Hello all
how do you troubleshoot ASR findings like that:
cmd.exe - Nov 26, 2024 - Blocked - Block process creations originating from PSExec ... - WmiPrvSE.exe
We have these findings on multiple servers in this environment, and I more or less know what it's doing and where it's coming from, but I don't know how to create an exclusion for it.
I know that excluding cmd.exe/WmiPrvSE.exe is not recommended at all.
I can find the executed command, but that doesn't really help me create the exclusion:
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
Detection time: 2024-11-26T21:41:39.653Z
User: NT AUTHORITY\NETWORK SERVICE
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Target Commandline: cmd /c "chcp 65001 & C:\Windows\system32\inetsrv\appcmd list app /site.name:"Default Web Site" /xml > "\\127.0.0.1\c$\temp\REPLACED\REPLACED\REPLACED\psscript_output.txt" 2>&1"
Parent Commandline: C:\Windows\system32\wbem\wmiprvse.exe
Involved File:
Hi all,
I'm trying to create a KQL query for file exfiltration and my code right now looks like this -
"let LargeFileThreshold = 485760; // Define large file size threshold (10MB)
// Detect suspicious extraction of archives
let FileEvents = DeviceFileEvents
| where FileName has_any (".zip", ".rar", ".7z", ".docs", ".pptx")
| project Timestamp, DeviceId, InitiatingProcessCommandLine, FileName, FolderPath, ReportId;
// Filter for files that were moved
let MovedFiles = DeviceFileEvents
| where InitiatingProcessCommandLine has "move"
| where FolderPath has_any ("E:\\", "D:\\", "C:\\")
| project Timestamp, DeviceId, InitiatingProcessCommandLine, FileName, FolderPath, ReportId;
// Network events with remote IP
let NetworkEvents = DeviceNetworkEvents
| where RemoteUrl has_any ("dropbox.com", "drive.google.com")
| project Timestamp, DeviceId, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, ReportId;
// Focus on recent activity and summarize
let RecentFileEvents = DeviceFileEvents
| where Timestamp between (ago(1h) .. now())
| summarize FileActionsCount = count(), TotalBytesSent = sum(FileSize) by DeviceId
| where FileActionsCount > 2 and TotalBytesSent > LargeFileThreshold;
// Join the tables
FileEvents
| join kind=inner (MovedFiles) on DeviceId, Timestamp
| join kind=inner (NetworkEvents) on DeviceId, Timestamp
| join kind=inner (RecentFileEvents) on DeviceId
| project Timestamp, DeviceId, InitiatingProcessCommandLine, FileName, FolderPath, RemoteUrl, RemoteIP, ReportId
"
I get no results no matter if I scale it up or down.
If I use another code like "let LargeFileThreshold = 10485760; // Define large file size threshold (10MB)
// Detect suspicious extraction of archives
DeviceFileEvents
| where FileName has_any (".zip", ".rar", ".7z", ".docs", ".pptx")
| project Timestamp, DeviceId, InitiatingProcessCommandLine, FileName;
DeviceFileEvents
| where InitiatingProcessCommandLine has_any ("copy", "move")
| where FolderPath has_any ("E:\\", "D:\\")
| project Timestamp, DeviceId, InitiatingProcessCommandLine, FileName, FolderPath;
DeviceNetworkEvents
| where RemoteUrl has_any ("dropbox.com", "drive.google.com")
| project Timestamp, DeviceId, InitiatingProcessCommandLine, RemoteUrl;
DeviceFileEvents
| where Timestamp between (ago(1h) .. now()) // Focus on recent activity
| summarize FileActionsCount = count(), TotalBytesSent = sum(FileSize)// Ensure ReportId is in summarize
| where FileActionsCount > 2 and TotalBytesSent > LargeFileThreshold"
It gives me 30k+ results.
Any help to resolve this is welcome
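Added example, not the poster's query: a hunting query in the same spirit that correlates archive and Office file activity with connections to the cloud-storage domains from the post. Two things differ from the original: the join is on DeviceId only, with the time relation applied as a window afterwards (two tables almost never share an exact Timestamp, which is why the exact-Timestamp joins return nothing), and extensions are matched with endswith so ".docs" in a folder path does not fire. The network half also covers the earlier question about files copied to Google Drive, as far as network telemetry can: which process on which device contacted drive.google.com shortly after archive activity. Table and column names are the standard Advanced Hunting ones; the thresholds and window are assumptions to tune.

```kql
// Added example (not the poster's query): correlate archive/document file
// activity with connections to cloud-storage domains on the same device.
let LargeFileThreshold = 10485760;   // 10 MB in bytes (comment and value agree)
let Lookback = 7d;                   // how far back to hunt
let Window = 1h;                     // how soon after the file event an upload must follow
// Archive and Office files written or renamed. endswith matches the extension only,
// so a folder named "docs" does not match the way has_any(".docs") would.
let ArchiveFiles = DeviceFileEvents
| where Timestamp > ago(Lookback)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
     or FileName endswith ".docx" or FileName endswith ".pptx"
| project FileTime = Timestamp, DeviceId, DeviceName, FileName, FolderPath, FileSize,
          FileProcess = InitiatingProcessCommandLine;
// Connections to cloud-storage services from the same devices.
let CloudUploads = DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where RemoteUrl has_any ("dropbox.com", "drive.google.com")
| project NetTime = Timestamp, DeviceId, RemoteUrl, RemoteIP,
          NetProcess = InitiatingProcessFileName;
// Join on DeviceId only; the time relation is a filter after the join.
ArchiveFiles
| join kind=inner CloudUploads on DeviceId
| where NetTime between (FileTime .. (FileTime + Window))
// Keep one row per file event: the first cloud connection that followed it,
// so a file is not counted once per matching network event.
| summarize arg_min(NetTime, RemoteUrl, RemoteIP, NetProcess)
          by DeviceId, DeviceName, FileTime, FileName, FolderPath, FileSize, FileProcess
// Roll up per device and initiating process, then apply the volume thresholds.
| summarize FileCount = dcount(FileName), TotalBytes = sum(FileSize),
            Files = make_set(FileName, 20), Destinations = make_set(RemoteUrl, 10),
            FirstSeen = min(FileTime), LastSeen = max(NetTime)
          by DeviceId, DeviceName, FileProcess
| where FileCount > 2 and TotalBytes > LargeFileThreshold
| order by TotalBytes desc
```

Widen Window or drop the FileCount filter first if it returns nothing; if it returns too much, FileProcess is the column that separates backup and sync tools from interactive use.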
This is the incident timeline. It looks like Defender nuked the file instead of quarantining it, so I can't investigate it, but the weird thing is that the DLL is pretty much unknown to the world (well, Google and Copilot) and it isn't associated with Dark Crystal malware based on anything I can find. I don't know if it's another false positive or Defender smoking crack or what. Anybody have any experience with this particular DLL being triggered??
We are starting to look at using DFE baselines for our servers in our environment. It seems Arc enabled servers are the only servers to appear in the specified groups when creating a baseline. Is that intentional or is there a way around the Arc requirement?
I'm implementing for the first time an Intune-managed deployment of Microsoft Defender for Endpoint for Mac. The online tutorials have gone relatively smoothly, despite there being many, many steps.
Step 17 is confirming an alert on an EICAR test file. This works great.
Step 18 is an EDR detection test with a "MDATP MacOS DIY" executable. (As described here: https://learn.microsoft.com/en-us/defender-endpoint/edr-detection) The executable runs as expected, but no alert ever happens.
This is a new Mac Mini with an M4 chip, and I needed to install Rosetta to run the test executable. Could the silicon change be interfering with this test?
I've confirmed all successes on "mdatp connectivity test".
Do any non-n00bs have a place I should look to explain this behavior? Thanks in advance.
UPDATE: I'm finding that the Linux test instructions, used on a Mac, create alerts in the Defender web portal, though the macOS-specific instructions do not work. From my point of view, I've successfully confirmed EDR activity. I suppose that the macOS test is no longer valid? I'm leaving it there.
Currently our Azure Arc-enabled servers are enrolled in Defender for Cloud and have the MDE agent installed. The servers are all reporting in Defender as expected. To my understanding, the Windows servers are currently having the Microsoft Defender for Cloud benchmark applied to them in this state.
I am in the process of converting these machines to being managed by MDE so that security configurations/endpoint security policy can be applied through the defender portal. Currently I have this enabled for tagged devices only.
If I change the enforcement scope such that "all devices" use MDE to enforce security configurations from Intune, but do not have endpoint security policy assigned to all devices, does anything effectively change from the current configuration? I would assume "no" since I am not applying any new policy, but am unsure if something else changes on the backend that could affect production if enabled.
I’ve noticed this issue happening for the past couple of days. I’m not sure what’s actually going on. Could it be Microsoft messing something up? Or have they made any changes?
Hi,
I have been tasked with putting all of our devices into groups in Defender so that we can set different remediation levels on them depending on which group they fall into.
I have some basic groups and rules assigned to them based on their tag, but I also now have "Ungrouped devices (default)" right at the bottom of the list with 270 devices in it. I cannot figure out what these 270 devices are.
If I view a full device inventory (by selecting Assets > Devices) and then filter it so it only shows "Untagged" devices, it only displays 97 devices.
How can I find out what the other 173 devices are so that I can ensure they are properly tagged?
Is there a report I can run on this "Ungrouped devices" group?
TIA!
We had an incident involving a suspicious attachment: MDO didn’t flag it, but MDE responded once the file was accessed, and related emails were ZAPPED.
When trying to analyze the file, I found it missing from the endpoint. I used live response (findfile) and manually checked Outlook cached folders and the user’s downloads folders but found nothing.
Key observations:
• Alert status: detected, not prevented.
• No quarantine actions in Actions > History.
• AIR (Full) was triggered, but no logs show quarantine activity.
Despite the email being ZAPPED, I'd expect the downloaded file to remain on the device. My last option is the "Collect file" action, which may take up to 3 days.
We received the alert “Suspicious attachment opened” for an Excel file, but it’s unclear why it was flagged. Here’s what I found:
• No detection technology triggered.
• No VirusTotal matches.
• File wasn’t detonated in the Microsoft sandbox.
• Deep analysis is unavailable (not a PE).
I reviewed the file and, apart from generic terms like “invoice” or “file” in the name, I see no clear indicators of suspicion or ways to adjust this in XDR. Any tips for better understanding or fine-tuning the verdict?
Hi guys, a device in Defender is saying there are vulnerabilities in a piece of software and to update to the latest version. The user has confirmed the update has been completed, yet Defender still picks up an outdated version. When looking at Inventories, I can see the threat being picked up for the software, but the location is a HKEY_USERS\x\x\x\Uninstall\Software reg path instead of a file path. Am I missing something obvious? What is the best course of action?
Hi,
Our users are getting messages that MSN (since every new tab opens with that in Edge) is blocked by our administrator. Security says it's not them and it's a "Microsoft issue", but I'm not sure about that.
It opens fine using Chrome or Firefox.
Has anyone seen this?
Azure, Intune and all other sites work fine. I can get the menus of the Defender pages to load, but the content sits at "Loading" for up to 2-3 minutes.
Cleared browser caches, tried different browsers. It's really slowing me down this morning. Literally.
Hi everyone, I am trying to onboard a Linux server to MDE using the SaltStack deployment method. The problem here is configuring a proxy so that the request for adding the repo passes through it instead of the firewall. I can configure the proxy after MDE is installed for connecting the endpoint to MDE in the cloud.
Hi everyone,
I’m looking for advice regarding an issue we're facing. After migrating to Intune, we've had multiple reports of users unable to use Remote Desktop.
Here’s our setup for context:
mstsc.exe or mstsc.exe.mui. To troubleshoot, I've tried excluding both files from our Attack Surface Reduction (ASR) rules, but this hasn't resolved the issue.
Has anyone encountered a similar problem or have insights into what might be causing this? I suspect we may need to create exclusions in Microsoft Defender for Endpoint (MDE), but I’m not an expert in that area and don’t currently have full access to MDE. Any guidance on what to check or configure before applying for permissions would be greatly appreciated.
Thanks in advance!
For the ones with MDE: since AIX servers are not supported, I'm looking around to see how you guys manage your AIX security stack.