Recent Discussions
Endpoint menu missing in settings in security center
Hello, I'm trying to understand why the endpoint menu is missing in security center (security.microsoft.com). I currently have a Microsoft 365 E5 Security license but I can't access the endpoint menu. I'm currently logging in with a global admin account with the "Microsoft 365 E5 Security" license assigned but I can't access the endpoint menu at all. Am I doing something wrong? My current license is a trial license; could that be the issue (I don't think so)? Thanks
14K Views, 1 like, 3 Comments

Linux (Ubuntu 22.04) Discovered Vulnerabilities/Missing Security Updates
Hello, we have Defender for Endpoint P2. The server is reporting as correctly enrolled. Everything MDE is updated. Full and quick scans are completed. Inventory software is complete. No weaknesses / no vulnerable components reported. No discovered vulnerabilities. No missing security update. Licence issue/installation issue... any hints where I could look? Thanks
149 Views, 0 likes, 4 Comments

Defender API - Get software by ID with a " ' " inside the defender_id
In the list of software I retrieved with the API ("/api/Software"), some of the software have an Id with a "'" (apostrophe) in the name, i.e.: microsoft-_-portail_d'entreprise. When calling, for example, Get Software by Id ("/api/Software/{Id}"), in this case it would be /api/Software/microsoft-_-portail_d'entreprise, or, if I replace the ' by %27, /api/Software/microsoft-_-portail_d%27entreprise; I always get a status code 400 (malformed). How can I make it work? Thx
12 Views, 0 likes, 0 Comments

How to Automatically Export Microsoft Defender Security Recommendations with Historical Tracking
Hi everyone, I'm currently using Microsoft Defender for Endpoint, and I'm looking for a way to automate the export of security recommendations. Right now, the only available option is to manually export these recommendations as a CSV using the "Export" button in the portal. However, I'd like to:
- Automatically pull these recommendations regularly
- Store them in an Azure SQL database/Azure Storage
- Use Power BI to create dashboards and track trends over time (since Defender does not provide historical views)
Is there a way to fetch this data programmatically? My goal:
- Automatically query this API daily (via Azure Function or Azure Automation or any other way)
- Store each day's results in an Azure SQL table/Storage account with timestamps
- Build Power BI reports for: most frequent vulnerabilities; exposure trends over time; recommendation coverage and progress
45 Views, 0 likes, 0 Comments

[MDE] Add the important feature, Yara rules if possible
Hi, refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside the pdf) (2nd link). All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for the incident responders to detect. The method of adding and detecting Yara rules has been in practice across companies for many years. Would you mind advising on any reason for not adding the important feature, Yara rules? It would be good if you include the important feature, Yara rules. If not, would you mind advising on converting from Yara rules to an MDE query for querying via advanced threat hunting? Thanks, much appreciated. 🙂
https://www.csa.gov.sg/singcert/Advisories/ad-2021-007
This link is the Yara rule: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/yara-rule-support/m-p/2276820
21K Views, 11 likes, 7 Comments

ASR rule blocking execution of OneDriveSetup.exe
A member of our Service Desk team was working with a user to troubleshoot an issue with the OneDrive sync client on their Windows workstation. As part of their troubleshooting, they uninstalled the client with the intent to re-install it, but when they attempted to run OneDriveSetup.exe, they received an error. It turned out that execution was being blocked by the "Block use of copied or impersonated system tools" Attack Surface Reduction rule. I was able to work around the issue by creating an exception in our Attack Surface Reduction Rules policy, but this situation consumed most of my morning and seriously impacted the productivity of one of our users, so I would like to ensure that it does not happen again. Should I report this as a false positive (per https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-asr#report-a-false-positive-or-false-negative), or is this policy somehow working as designed? If it is the latter, what is the correct approach for reinstalling the OneDrive sync client on a machine with this ASR rule applied to it?
Solved. 143 Views, 0 likes, 2 Comments

Change tamper protected settings permanently
Hi there, I need to disable real-time monitoring permanently on a device. I can turn it off temporarily using troubleshooting mode, but once tamper protection is back on, so is real-time monitoring. How do we actually permanently change tamper protected settings?
131 Views, 0 likes, 7 Comments

Using Group policy to auto install Security Intelligence Update for Microsoft Defender Antivirus
Hi guys, I am trying to get a GPO to automatically install the update without user intervention. I have done the following settings but the update won't install. We currently use Fortinet FortiClient but I still want to keep Defender up to date. Any ideas on where I am going wrong? J.
60 Views, 1 like, 1 Comment

MDE not detecting regsecrets.py from impacket-toolkit
In a recent red-team engagement we got exposed to the regsecrets.py toolkit, which made it possible to extract the SAM hive without any detection from MDE. I have tried to use advanced hunting to see if there is any event that would make for a good custom detection rule, but no success yet; please share if you have any queries that work for you. Some information regarding this script: This script is a modification of secretsdump.py that uses a different technique to extract registry secrets (the logic regarding DCSync operations has been removed). It does not write files on the disk and does not perform reg save-like operations. This allows recovering the SAM database and the LSA secrets while being less prone to detection by security products. All required keys are accessed using registry queries. To access keys within the SAM and SECURITY hives, the dwOption of BaseRegOpenKey allows passing the REG_OPTION_BACKUP_RESTORE value to disable any ACL checks performed, thus allowing access to these registry keys normally restricted to the SYSTEM user. Thanks in advance for sharing some experience of detecting this.
78 Views, 1 like, 1 Comment

Core Isolation False Positives
Why is there currently no way to whitelist or even submit Memory Integrity Core Isolation false positives to Microsoft? I have a service that is constantly detected (even though it has now been digitally signed by the vendor). When it is detected it stops the product from working correctly. There is no way to whitelist this service, and the only way to currently work around it is to turn off Core Isolation. But our security teams are wanting to turn Core Isolation back on for users. How do we get this service looked at? I have tried submitting the file to Microsoft, who say it isn't malicious, but it's still getting detected. I don't have access to the MDE console so can't submit anything directly from there either.
31 Views, 0 likes, 0 Comments

[MS Defender for Endpoint] Wanted guidance on Alerts API
Question: Which API is recommended for reliably sharing domain information, especially for integration with external tools?
https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id
https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info
How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data? What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration?
Things I have explored so far:
Currently using the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API. It provides domain-related data in the evidence section. The example response includes entities with entityType "Url" containing both domain names and URLs.
Alert Response:
{
  "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1",
  "detectionSource": "WindowsDefenderAtp",
  "category": "CredentialAccess",
  "evidence": [
    {
      "entityType": "Url",
      "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev"   // DOMAIN TYPE
      // ... Other fields
    },
    {
      "entityType": "Url",
      "url": "https://example.com"   // URL TYPE
      // ... Other fields
    }
  ]
  // ... Other fields
}
Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info. It is purpose-built for retrieving domains related to alerts, but returns an empty data object with no domains or hosts, even when generating alerts by accessing blocked domains. A custom IOC of type domain was added to the endpoint indicators list and then the same domain was accessed from a Windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-page
47 Views, 0 likes, 0 Comments

Secure Score for Devices
Hi, I need to query Defender for Endpoint to get the Secure Score for Devices. I need it in percent, but "GET https://api.securitycenter.microsoft.com/api/configurationScore" only returns the currently achieved points, and I cannot find a method to get the current total achievable points. Does anyone know how to get this? (I have seen there are APIs for this in Defender for Cloud.) My second question is for the security center, where you have a "Secure Score" that covers all areas. One of the sub-categories for the total secure score is "Device", but that category has different "achievable points" (currently 872 out of 927) than the points that are listed for the "Secure Score for Devices" (currently 949 out of 1004). Does anyone know why these are not in sync?
68 Views, 1 like, 1 Comment

How to extract vulnerability details from Microsoft Defender?
With the KQL below, I'm able to retrieve only a few details about the vulnerability.
DeviceInfo
| summarize arg_max(Timestamp, DeviceName, OSPlatform, SensorHealthState, OnboardingStatus) by DeviceId
| join kind=inner (
    DeviceLogonEvents
    | where ActionType == "LogonSuccess"
    | summarize arg_max(Timestamp, AccountName, AccountDomain) by DeviceId
    | extend Owner = strcat(AccountDomain, "\\", AccountName)
) on DeviceId
| join kind=inner (
    DeviceTvmSoftwareVulnerabilities
    | project DeviceId, CveId, SoftwareName, VulnerabilitySeverityLevel, RecommendedSecurityUpdate
) on DeviceId
| project OnboardingStatus, CveId, SoftwareName, RecommendedSecurityUpdate
However, I need additional details as below: Environment, OS Version, Vulnerability Name, Apps/Infra, Owner, Risk, CVSS, CVE ID, Solution, Vulnerability links, IP, Port, DNS/NETBIOS NAME, Plugin Output, Synopsis Description, Occurrence, Ageing, Region, Plugin ID, Purpose, Exception, Application. Is there a way or script (KQL or PowerShell) to retrieve these details from Microsoft Defender?
33 Views, 0 likes, 0 Comments

146 Views, 0 likes, 6 Comments

Defender Onboarding
I have domain-joined devices. Implementing Defender thru the Intune Connector (Connector Status is on; EDR policy is deployed correctly).
- ASR: all rules in place
- AV policy in place
2 devices with the same OS version I tried to onboard: 1 got onboarded & 1 did not. Not sure why? Also, 1 domain-joined device got onboarded with some issue where Realtime Protection and Behavior monitoring are disabled. Any solution? Please don't recommend making any changes to GPO thru on-prem. Help me to resolve the issue thru Intune.
63 Views, 0 likes, 2 Comments

Defender for Endpoint/Identity not logging eventid 4625
During some on-prem pen-testing, password sprays were conducted and Defender did not alert in any way, and even digging in advanced hunting did not show enough indication of this attack. We were also ingesting the logs (Event IDs 4624 and 4625) from a domain controller, which made it possible to create a SIEM rule to detect the behavior, but the question is what is missing for Defender to pick this up, or at least log the events to make custom detection an option? The domain controller that generated the SIEM logs was onboarded with a type of "domain controller"; Defender for Identity is also enabled. Do any users have this experience with Defender missing pen-test activities?
28 Views, 1 like, 0 Comments

Blocking file uploads to all sites, unless safelisted
We're trying to verify if we can block file uploads through the browser to all sites, unless these sites are part of an approved list or the user has an exception. We currently have a similar solution through a different vendor, but wanted to see if Defender for Endpoint is an alternative. So, if someone creates a new site, uploads to this site would not be allowed unless the domain is added to an approved list. The alternative would be to block if the file has a specific label. Thanks,
27K Views, 0 likes, 30 Comments

Looking for Siloed solution
Hello, my organization is looking for a new cyber security solution for our siloed network. The network is kept internal and we have been using a Trellix solution for our needs, but we are looking to move away from it for various reasons. With MDE looking like the solution we want, we have been unable to find out if there is a solution for an isolated network like ours where we would still have access to the GUI and the features, but we wouldn't connect via the cloud to the greater networks outside. Is this possible for us to set up with MDE, or should we begin looking for a different solution?
28 Views, 0 likes, 0 Comments

MS Defender > Reports > Device Control
Hey all, I am able to export a report called 'Device Control report'. The report is straightforward and has an option to export. I want this report to be emailed on a weekly basis. How to achieve this? Couldn't find a schedule option to send this as an email report. Can someone help me? Sample report as under.
54 Views, 0 likes, 2 Comments

Get-MpComputerStatus output is blank
Hello, we recently transitioned from ESET AV to a solution that uses the Microsoft Defender engine. However, we're encountering an issue where domain-joined VMs running Windows Server 2022 return no output when executing the following command: Get-MpComputerStatus | Select AntivirusEnabled. The antivirus application (Heimdal Next-Gen Antivirus) relies on this output to verify that real-time scanning is enabled. We have tried several troubleshooting steps, including rebooting the machines, running the command Dism /Online /Enable-Feature /FeatureName:Windows-Defender, and checking the registry to ensure that Defender is not in passive mode. However, the issue persists. Has anyone encountered a similar issue, or can anyone suggest additional steps to resolve this? Any help would be greatly appreciated!
949 Views, 0 likes, 9 Comments
Recent Blogs
- Network isolation refers to how Microsoft Defender for Endpoint restricts a compromised device's communication within the network in order to contain threats and prevent lateral movement. But oftenti... (Jun 25, 2025; 792 Views, 1 like, 0 Comments)
- Microsoft has a long-standing relationship with MITRE and holds deep respect for the unique role that the organization plays within the security ecosystem. MITRE ATT&CK® Evaluations have been instru... (Jun 13, 2025; 990 Views, 0 likes, 0 Comments)