Defender XDR Unified Audit Logs
Hi, There used to be Unified Audit Logs -option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc. using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from Defender XDR or Purview portals?Defender Deception Advance Lures - verification
Hello everyone, I'm looking to deploy defender deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results? Additionally, from an attacker's perspective, how would these account decoys be discovered? Thank you in advance.MS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboardingâafter configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Weird updates "Security Threat Intelligence" on desktop
Hi guys, my name is Mo and I am new to the XRD community 𥰠I m observing anomalous device behavior. Upon login or wake-up, multiple virtual machines are active, some exhibiting headless screen reader functionality. This issue emerged following the installation of Microsoft security threat intelligence updates. Considering Windows Defender's machine learning and predictive maintenance capabilities, I question the deployment of these updates to my system. Is this update a standard Windows component? The associated URL is currently inaccessible. I acknowledge the potential of XR, CDN, and Hologres technologies (and other Azure/cloud-enabled features) to alter user experience. Could someone provide clarification regarding these iterative security updates? My usage is limited to cloud platforms and reputable open-source software; I do not utilize malicious websites. Thank you. #misclassification?
Stop Defender isolating Domain Controllers
Recently we have experienced Defender isolating our Domain Controllers. It is always the same rule which causes the isolation "Suspected AD FS DKM key read". I edited the rule and set it to auto resolve if triggered by the DCs. I assumed this would then release the DCs from isolation but this doesn't seem to be the case. Manual intervention is still required. I either need to stop Defender alerting this particular rule against my DCs (not ideal) or i need to stop the rule isolating the DCs. Any help would be appreciated."Copy to clipboard" balloon tip blocks Copy icon
If you have 1920x1080 screen resolution or higher, this annoying balloon tip wreaks havoc by blocking the "copy" icon. I find this balloon tip to be the least necessary thing ever. Everyone who's job involves using the Defender portal knows what that icon means and the fact that it is blue lets us know even more concretely that we can click it. Does anyone else have this issue and/or find this annoying? The next thing that is also problematic in the same way, the way we have to use these balloons to first sort columns ascending, before we can ever sort descending. And we can't just click the obvious arrows, we have to click, get the balloon, choose "Sort ascending", then click again, get the next balloon, finally choose "Sort descending". I'm flabbergasted as to how anyone thought this was going to be helpful (making a simply sort button require so many clicks just to sort columns). I give feedback in the portal about these two things often, but it doesn't go away. These 2 UI elements are no good, need to go.
Whitelisting Pentesting tools
Hello everyone. I'm coming to you with a question that I think is pertinent. We use a pentesting tool in our environment. It generates a lot of incidents and alerts in Microsoft Defender. We have on-prem accounts (one user, one admin) so that the tool can perform this pentesting. Do you have any ideas on how to whitelist incidents linked to this user, these actions or the node machine he uses to initiate connections? So that it no longer generates or the incidents linked to these activities are automatically resolved. Thank you for your help. HKNMDO query of EmailEvents is not accepted in the flow which is why causing the badgateway error
When used the following MDO query of EmailEvents it is working in the Defender control panel but when applied through 'Advanced Hunting' action in Power automate application given bad gateway error. Is this query supported in this application?
