Latest Discussions
Vulnerability Management: Why don't tags show up on exposed devices?
In Vulnerability Management's Security Recommendations, there's a "tags" column for the exposed devices, but it isn't populated. Why? Wouldn't this screen be one of the most useful places to see tags? "Let's see, I need to update the software on these twenty machines. One machine has the "user on leave" tag, another one has the "pending reboot" tag - better contact that user." I shouldn't have to drill down into the devices table to check out each machine in the exposed list.
SKadish | Jun 06, 2025 | Copper Contributor | 141 Views | 0 likes | 4 Comments

Lack of alerts in Sentinel
Hello, I am troubleshooting a lack of alerts and incidents in my Sentinel deployment. When I look at the Microsoft Defender XDR connector, I see plenty of events like DeviceEvents, DeviceInfo, IdentityLogonEvents, etc. However, the entries for SecurityIncident, SecurityAlert, AlertInfo and AlertEvidence all show grey with a disconnected connector showing. I've been over the onboarding documentation several times and can't find what I'm missing. Has anyone else experienced this who can point me in the right direction of what to check? Thanks!
RayO | Jun 05, 2025 | Copper Contributor | 16 Views | 0 likes | 0 Comments

Secure Score isn't loading
Hi! For more than a week, the Microsoft Secure Score isn't displaying my organisation's score or any actions to review or recommended ones. I'm having problems with Teams' access lately and I need to check the security configurations as soon as possible. Does anyone have the same issue?
lzagotta | Jun 05, 2025 | Copper Contributor | 112 Views | 0 likes | 2 Comments

Defender not detecting test Kali Linux devices connected to network
Hello, first time posting here. Our organization is trying to get more familiar with MS 365 Defender. Just to see what it would discover, we connected a device running Kali Linux (not domain joined) to our internal LAN network, then did some Nmap scans from it against the subnet and one of our servers. We were thinking we would see Defender trigger some kind of alert, but that did not happen. We are also not seeing this Kali Linux device in the Defender Device Inventory anywhere. We have our device discovery set to Standard and have the appropriate networks enabled for Monitoring. Should we be getting some kind of alert of a non-onboarded device doing port scans against other devices in our network?
griggs31 | Jun 04, 2025 | Copper Contributor | 3.1K Views | 0 likes | 12 Comments

Attack Surface Reduction - Problem Enforcement
Hello Community, for a customer I deploy Microsoft Defender for Endpoint with the Security Management features of MDE. All works fine, but for "Attack Surface Reduction Rule" I have some problem: devices are 1.8K and Attack Surface Reduction only applies to 304 devices that have the same policy as the others. But from the Security Portal. So I don't understand, because on some devices ASR works correctly and on other devices not. Has anyone the same problem? Regards, Guido
GuidoImpe | Jun 04, 2025 | Copper Contributor | 8 Views | 0 likes | 0 Comments

How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message in the Defender XDR portal and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that I was doing this using my Global Admin account. Did some research, and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access. So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I'd be grateful for any information.
Joseph_Moran | Jun 03, 2025 | Copper Contributor | 317 Views | 0 likes | 5 Comments

Bug using streaming API related to new type of event 'CloudProcessEvents'
Hi community, recently I've been trying to send XDR events/logs to a storage account via the streaming API option. The problem comes when this bad request appears: This problem is related to a new schema that has been added recently to XDR Advanced Hunting. As you can see, the new type of event 'CloudProcessEvents' is not supported via API, but it doesn't appear in the type-of-event list in the configuration to unselect it. Can someone help?
harun01ha | May 26, 2025 | Copper Contributor | 28 Views | 0 likes | 0 Comments

Bug using Streaming API with new schema 'CloudProcessEvents'
Hi community, recently I've been trying to use the Defender streaming API for raw data, linking my XDR to a storage account. The problem comes when I finish setting up the API for sending the logs to Azure and this problem appears: As you can see, there is a problem related to the new type of event CloudProcessEvents that is not supported via API. I cannot unselect this type of event because it doesn't appear; we can only visualize it in the Advanced Hunting portal. Can someone help?
harun01ha | May 26, 2025 | Copper Contributor | 38 Views | 0 likes | 0 Comments

Suggestion: Centralize Microsoft Defender XDR Role Management into Microsoft Entra ID
Microsoft Entra ID has evolved into a strong, centralized identity and access management solution. Likewise, the Defender XDR portal (formerly Microsoft 365 Defender) provides a unified experience for security monitoring, investigation, and response across endpoints, email, identities, and more. These tools are critical to modern SecOps. However, managing access across them is still more complex than it needs to be.

Key challenges:
- Dual RBAC confusion: Defender for Endpoint uses its own RBAC system, separate from Entra ID. This leads to misunderstandings — for example, assigning a user the Security Reader role in Entra ID might not grant expected access in Defender once Defender RBAC is enabled.
- Hidden roles: Roles like Defender for Endpoint Administrator aren’t visible in the Entra portal, making centralized management harder.
- Access risks: Enabling Defender RBAC can revoke access for some users unless they’re added manually to MDE role groups — often without clear warning.
- Admin overhead: Managing permissions separately in Entra and Defender adds duplication, friction, and potential for misconfiguration.

Suggestions
Let’s build on the strength of Microsoft Entra ID by moving all Defender role assignments into Entra, where identity and access is already managed securely and consistently.
Goal: Use only Entra ID roles to manage access to the Defender XDR portal — eliminating the need for custom RBAC roles or portal-based configurations in MDE, MDO, or MDI.

Benefits of this change:
- Centralized, consistent access management across Microsoft security solutions
- Simplified admin experience with reduced configuration errors
- Better alignment with Zero Trust and least-privilege principles
- Clear, discoverable roles for Security and SOC teams
- Seamless experience during role onboarding/offboarding

Suggested new Entra built-in roles for Defender XDR:
- Defender Endpoint Security Administrator
- Defender Email Security Administrator
- Defender Cloud Security Administrator
- SOC L1 Analyst (read-only)
- SOC L2 Analyst (response)
- SOC L3 Analyst (hunting)
- Defender XDR Administrator / Engineer
- Vulnerability Analyst

Microsoft has done a fantastic job modernizing Entra and unifying security visibility in Defender XDR — and this would be a great next step forward.
#MicrosoftEntraID #MicrosoftDefenderXDR #SecurityOperations #IAM #RBAC #CloudSecurity #ZeroTrust #MicrosoftSecurity #SecOps #SOC
sandeepj0352 | May 19, 2025 | Copper Contributor | 53 Views | 1 like | 1 Comment

Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I tried to create a custom detection rule from a KQL query in Defender XDR Advanced Hunting, customizing various variables to be able to submit it, but for this query to go through the remediation settings of the detection rule, I need the entity-identifiable columns like AccountUpn, which I need to union with the IdentityInfo schema. But the detection rule seems not to support the union * thing, as in the attached pic: I searched for the same problem, which seems to occur in all systems using KQL, including Microsoft Sentinel Logs, but there is no workaround to bypass it. So, is there any way to achieve this objective without getting stuck with the union * problem?
Solved | Saran_Sarah_Hansakul | May 13, 2025 | Copper Contributor | 100 Views | 0 likes | 4 Comments