Defender XDR Unified Audit Logs
Hi, There used to be Unified Audit Logs -option in Defender XDR Settings under "Endpoints". This option has now disappeared. Trying to search for Defender XDR events, such as isolating devices etc. using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions. Is there a way to enable/disable the XDR auditing from Defender XDR or Purview portals?
Disabling Security Copilot Embedded Experience in Microsoft Defender XDR
We are currently trialing Microsoft Security Copilot for specific use cases within our organization. However, due to our RBAC setup, many of our security administrators have default access to the embedded Copilot experience in Microsoft Defender XDR. This is consuming SCUs unnecessarily. Is it possible to disable or limit the embedded Security Copilot experience in XDR for certain users or roles while still maintaining access to other XDR features? We would like to optimize SCU usage while ensuring that only authorized personnel can utilize Copilot's capabilities.Defender Deception Advance Lures - verification
Hello everyone, I'm looking to deploy defender deception in our environment. I've successfully tested and verified the basic lures, but I'm having trouble with the advanced lures/decoys. Specifically, I can't find a way to verify the account-planted cached credentials. Initially, I thought dumping LSASS would show some reference, but I found nothing. Has anyone tried this, and what were the results? Additionally, from an attacker's perspective, how would these account decoys be discovered? Thank you in advance.
How does Defender XDR work?
It´s not easy to compose the right question to get the answers you are looking for. Defender XDR is getting me crazy. I used a simple kql query to figure out which Windows machines in my network perform LDAP queries via Powershell. The result was: empty. DeviceEvents | where InitiatingProcessFileName == "powershell.exe" or InitiatingProcessFileName == "pwsh.exe" | where RemotePort == "389" or RemotePort == "636" | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId Then I queried LDAP via Powershell from three machines and after that the hunting was successfull. Not instantly, it took some time until "not security relevant information" found it´s way to the timelines of the machines. No chance for "near realtime detection". Last week I created a series of firewall rules in intune to block Powershell.exe from communication on remote ports 389 and 636 and applied this rules to a group of machines. I fired the earlier mentioned kql query again today. I didn´t expect to get another result than last week, but exactly those machines that have the new firewall rules applied shine up in my results for querying LDAP via Powershell. I had also built a custom detection rule for starting an automatted investigation and it says: It looks a little bit weird for me. Any ideas?Scanning of Archive files
When scanning of archive files, we find that depending on the amount of archive files present (say on SQL server backups) the system disk space is used to unpack and scan the file. This can cause the system drive to run out of disk space, and cause the scanning to fail or system to fail. At the moment there does not seem to be any configuration on where to extract the temporary files for scanning. Can we add an option for this?
EDR Exclusions - file extensions with square brackets
Background: We applied for, and received the ability to access EDR Exclusions for our tenant due to some performance problems we were seeing. I think this might still be an early preview feature but am not 100% sure... Here is a screenshot of what I am referring to: We have found a few other applications that had issues, including one that uses many different file extensions. Some of those files use square brackets in the extension name. This are valid files. However when I try to add them to our EDR Exclusions, I get an error "a valid extension must be specified"... which is frustrating because it is a valid extension. Does anyone have a solution for this or know how to get Microsoft to fix this? ThanksMS Defender Azure Arc Logic App
What is the best procedure for configuring a Logic App for Microsoft Defender in an Azure Arc environment? We had a very unexpected experience during onboarding—after configuring the Logic App, we missed setting a cap, and within a week, it consumed over $18K USD. I believe there must be a way to fine-tune the configuration to optimize costs. From my perspective, no organization would adopt an environment with such high costs for Microsoft Defender Plan 2 without better cost control measures in place. Could you suggest best practices or optimizations to prevent such excessive consumption?
Blocking domain for group of users/or devices
Hi all, I am trying to find a way to block youtube for a group of users. We are using M365 E5 Security so can use Defender for endpoint or Defender for cloud apps. However, cant find a way to implement this. My idea was to create an INDICATOR in Endpoint that will be blocked, however I cannot select any group and "all devices" are included there in default. So not sure if this is a way. Neither Web Content Filtering cannot be used for my scenario Another idea was to use Defender for cloud apps. This looks promising but I am not sure how to target only specific users or devices? I managed to mark an app as "unsanctioned" but it applies for all devices. Any idea ? Thank you.
