accessibility
15 Topics

Issue with log collection from Microsoft XDR to Azure storage
Hello,

We are currently facing an issue with collecting logs from Microsoft XDR and forwarding them to Azure Storage. We are aware of the following two methods for forwarding logs from Microsoft XDR to Azure:

- Forward events to Azure Storage
- Forward events to Azure Event Hub

Issue details:

Method 1: When using the "Forward events to Azure Storage" approach, we end up with a different container being created for each event, but we would prefer to have all the events stored in a single container.

Method 2: When using the "Forward events to Azure Event Hub" approach, we are able to store all the events in a single container, but in this case the logs are stored in Avro format instead of JSON, which is not our desired format.

Our goal is to store all event logs in one single container in JSON format. Has anyone faced this issue or found a way to achieve this setup? Any guidance or solution would be greatly appreciated. Thank you!

Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 🥰

I'm observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?

"Copy to clipboard" balloon tip blocks Copy icon
If you have 1920x1080 screen resolution or higher, this annoying balloon tip wreaks havoc by blocking the "copy" icon. I find this balloon tip to be the least necessary thing ever. Everyone whose job involves using the Defender portal knows what that icon means, and the fact that it is blue lets us know even more concretely that we can click it. Does anyone else have this issue and/or find this annoying?

The next thing that is also problematic in the same way is the way we have to use these balloons to first sort columns ascending before we can ever sort descending. We can't just click the obvious arrows; we have to click, get the balloon, choose "Sort ascending", then click again, get the next balloon, and finally choose "Sort descending". I'm flabbergasted as to how anyone thought this was going to be helpful (making a simple sort button require so many clicks just to sort columns). I give feedback in the portal about these two things often, but it doesn't go away. These two UI elements are no good and need to go.

MDO query of EmailEvents is not accepted in the flow, which is causing the bad gateway error
When the following MDO query of EmailEvents is used, it works in the Defender portal, but when applied through the 'Advanced Hunting' action in the Power Automate application it gives a bad gateway error. Is this query supported in this application?

ASR Rule Blocking ms-teams.exe
Hi,

We have seen the ASR rule 'Block Office communication application from creating child processes' start to block ms-teams.exe this morning, which is causing quite a lot of issues in the estate. The current workaround is to set the ASR rule 'Block Office communication application from creating child processes' to Audit Mode instead of Block Mode. This has also been mentioned by a couple of people now on Twitter, so is MS aware of this issue, and do you know when a fix may be in place for this, so I can safely move the ASR rule back to Block Mode?

Defender RBAC - Grant at least privileged for Quarantine handling NOT WORKING
Hi everyone,

I've already deployed the new Defender RBAC permissions. I want to assign permission for quarantine message handling WITHOUT the Preview Message option. I've configured Defender RBAC with the following settings:

I've assigned only Security Basic (read), NOT Quarantine handle and NOT Quarantine RAW Content permission.

Effect (in production!): I can't assign at-least permission. Currently everyone who has at-least permission in Defender RBAC can read all email content for every user in the organization!!

Can anyone help with this case? Following the Defender RBAC docs, this user should not have any permission for reading other users' mails!

-- Kind Regards