18 Topics

Defender XDR Unified Audit Logs
Hi, there used to be a Unified Audit Logs option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc., using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from the Defender XDR or Purview portals?

129 Views, 0 likes, 2 Comments

"Copy to clipboard" balloon tip blocks Copy icon
If you have 1920x1080 screen resolution or higher, this annoying balloon tip wreaks havoc by blocking the "copy" icon. I find this balloon tip to be the least necessary thing ever. Everyone whose job involves using the Defender portal knows what that icon means, and the fact that it is blue lets us know even more concretely that we can click it. Does anyone else have this issue and/or find this annoying? The next thing that is also problematic in the same way is the way we have to use these balloons to first sort columns ascending before we can ever sort descending. And we can't just click the obvious arrows; we have to click, get the balloon, choose "Sort ascending", then click again, get the next balloon, and finally choose "Sort descending". I'm flabbergasted as to how anyone thought this was going to be helpful (making a simple sort button require so many clicks just to sort columns). I give feedback in the portal about these two things often, but it doesn't go away. These 2 UI elements are no good and need to go.

31 Views, 1 like, 0 Comments

MDO query of EmailEvents is not accepted in the flow, which is causing the bad gateway error
When I use the following MDO query of EmailEvents, it works in the Defender control panel, but when applied through the 'Advanced Hunting' action in the Power Automate application it gives a bad gateway error. Is this query supported in this application?

31 Views, 0 likes, 0 Comments

System and organization controls in XDR?
A recent Service Health post in the Office 365 Admin Center, regarding a problem with Defender XDR, says "This issue impacts tenant admins and users with system and organization controls (SOC) permissions." Is this a mistake? Do they mean "security operations center permissions" (i.e., Entra ID roles or RBAC roles) rather than "system and organization controls"? The former would make sense. Looking for any clarity anyone can provide on this post. Thanks in advance!

225 Views, 0 likes, 0 Comments

Help with KQL / Advanced Hunting - Antivirus Scan
Hi, I'm trying to come up with a solution to find all devices via Advanced Hunting where a full scan was never successful. The report that can be downloaded via `Defender XDR > Reports > Device Health > Microsoft Defender Antivirus Health`, as well as the device health page, only provides the result of the last antivirus scan. If a device ran a full scan successfully in the past but the most recent full scan was cancelled, the report shows that the full scan failed. Here's an example of what I mean: the device health status shows "Full scan failed" with a failed scan on March 28, 2024 at 3:35:57 PM. When querying the device via Advanced Hunting (see query below) I receive the information that a full scan successfully ran on March 28, 2024 at 3:35:36 PM. Here's the query I am currently using; I already played around with it a little bit (distinct, summarize). I could export it to Excel and then remove duplicate entries, but I was hoping that can be done with KQL:

```kql
DeviceEvents
| where ActionType has_any ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| where ScanType == "Full"
| project Timestamp, DeviceName, ActionType
```

This is the result I would like the query to return. If any device has had an entry for `ActionType == AntivirusScanCompleted` and `ScanType == Full`, then all rows for that device should be removed.

2.7K Views, 0 likes, 2 Comments

DeviceNetworkEvents does not refer to any known table.
When attempting to run an advanced hunting query, I'm receiving this error message at more than half of our clients. Most are on Business Premium licensing, which includes Defender for Business. Does anyone have any information regarding this error? Is this a licensing issue, or do we need to turn on more audit logs at the device level to include this table in queries?

682 Views, 0 likes, 0 Comments

Dark Mode in Defender and Email Preview Issues in Explorer
Hi, when you are investigating an email for phishing or for another reason via Email & Collaboration > Explorer, and you then select the email to investigate and use the Email Preview option, you are unable to clearly look at the email itself due to Dark Mode making the text really hard to read. Is this something that can be fixed, but without the end user having to disable Dark Mode?

515 Views, 0 likes, 1 Comment

KQL script report last reboot/reset endpoint devices (Workstations/Laptops)
Hello everyone, I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots. To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device. I've attempted to use the following KQL script in different ways without success:

```kql
DeviceEvents
| where ActionType == "Restarted" or ActionType == "Shutdown"
| summarize LastReboot = max(EventTime) by DeviceName
```

Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore. Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance! Best regards, Sergio

2K Views, 2 likes, 0 Comments