Defender
18 Topics

New blog post | One click to cover containers & Kubernetes in Defender CSPM (agentless)
Defender CSPM contextual security capabilities assist security teams in the reduction of the risk of impactful breaches. Defender CSPM uses environment context to perform a risk assessment of your security issues. Defender CSPM identifies the biggest security risk issues, while distinguishing them from less risky issues.
One click to cover containers & Kubernetes in Defender CSPM (agentless) - Microsoft Community Hub

New blog post | Microsoft Defender for Cloud Monthly News - May 2023
This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from April 2023.
Monthly news - May 2023 - Microsoft Community Hub

Can the access to Purview dashboard be denied to non-admin users?
Hello, in my organization we noticed that when a user browses the security dashboard (security.microsoft.com), they can easily access critical information about compliance using the "more resources" tab, even if they have no directory role at all. For example, they can access the Purview portal and see information they're not supposed to see about the organization's compliance. Can the "more resources" tab be hidden from the user? Alternatively, can the access to the Purview dashboard be denied to non-admin users? Thank you.
1K Views, 0 likes, 1 Comment

Inconsistent Defender Search Results When Searching by Hash
I am seeing inconsistent search results in Defender when searching for a file by hash. I saved a file to my desktop and sent it via email. I hashed the file with SHA1, SHA256, and MD5 algorithms.

When I perform searches in https://securitycenter.windows.com/ for the MD5 hash the search completely fails. When I search using the SHA256 hash for the same file the search completes but finds no results. If I search for the SHA1 value for the same file, the file is found, and it lists the SHA256 and MD5 values for the file that previously yielded no results or failed.

If I do the same searches in the M365 portal (https://security.microsoft.com) the MD5 search still fails. The SHA256 search finds an occurrence of the file in email but the result doesn't show any results for the file on endpoints. Searching for the SHA1 hash of the file again finds the file on the endpoint and email and also lists the corresponding SHA256 and MD5 but doesn't show any email results.

Has anyone encountered the same issue? This seems to be a bug in Microsoft's platform.
4.4K Views, 0 likes, 4 Comments

MDM Security Baseline vs Intune Profile
Hi all, I am testing currently the 2 profiles in the Security Baselines in default configuration. As they are now checked against the endpoint there is one Error in the Per-settings status: Type of system scan to perform. Problem is now - I cannot see anything configured in the MDM Security Baseline for May 2019 the setting itself in the Intune profile is configured. Any idea? Best regards, Miguel
6K Views, 2 likes, 5 Comments

Manage Microsoft 365 Defender Alerts in Azure Sentinel
We're trying to find a way to manage the 'out of the box' alerts that come with Defender 365, about 95% of which are FP. Is there a way to build some sort of dashboard in Sentinel with alerts? I don't mean incidents, we aren't there yet, I just mean alerts. Preferably, with enough information about the alert that the analyst can make a quick decision and move on... Thanks!!
1.6K Views, 0 likes, 2 Comments

Defender Antivirus (AV) Passive Mode
Hi, While researching how to set Defender AV to passive mode I stumbled upon two registry keys:

ForceDefenderPassiveMode
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key

ForcePassiveMode
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard?view=o365-worldwide#set-microsoft-defender-antivirus-on-windows-server-to-passive-mode-manually
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup?view=o365-worldwide#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server

Does either of you know which one is the correct one? Thanks, Andre
Solved, 24K Views, 2 likes, 3 Comments

Microsoft Defender for Endpoint on Mac
Hello all, I have recently deployed Defender on several Macs. However, most of the features are greyed out. On Windows devices, everything works like a charm. Please see the image attached. Any advice will be appreciated. Thanks, Jose
Solved, 1.7K Views, 1 like, 3 Comments

Migrating workstations and servers to Defender
Hi all, My organisation is moving its AV to Defender for Endpoint. I've not administered Defender in a corporate environment before so was hoping to get some advice/help. We have already begun onboarding our laptops, VDIs and workstations and are looking to onboard a couple of file servers too. Our devices are not currently managed via Intune, so it's a case of setting up the policies in the security portal, which hasn't been too bad so far. However, I wanted to know:
- Do we need separate licences for the file servers?
- How can I split the policies between user devices and servers? I don't see a way to define granular policies per device. And of course, I don't want to set the same user policies on the servers.
Thanks! Tej

Licensing and Where's the Endpoint List?
I recently moved some users on E5 licenses so we could see about using Endpoint Defender in place of our current endpoint AV. The license description says ED is included in E5. But I cannot find the list of those users' endpoints anywhere. The MS documentation is an endless circle of waffle. Documentation suggests I should have a Device Inventory in the new Security admin console, but I have none. It seems to want me to start a trial of an additional service even though it's supposed to be included with E5. The only place I can find anything likely is with the Intune (bleah) console. We dropped Intune 5 years ago as it was very very poor. I'd be grateful if anyone can say:
- Is Intune needed for ED?
- Where can I see a list of endpoints and status?
- Do I really need an additional service on top of the E5 licenses?
1.3K Views, 0 likes, 2 Comments