Recent Discussions
Unable to add Endpoints and Vulnerability management in XDR Permissions
Hi, I have defender for endpoint running on obver 400 devices. I have 10 with Bus Premium, 5 with E5, and the rest E3. I am getting incidents for DFE, and this is being sent to my SOAR platform for analysis, but when I pivot back using client-sync, I cannot see DFE incidents. I have gone into Settings > XDR > Workload settings, and can only see the below There does not appear to be the option to grant the roles I have provided for my SOAR user the ability to see Endpoint and Vulnerability management. Really scratching my head here. Help?
Unable to query logs in Advanced Hunting
Hi Community, Recently, I turned off the ingestion of some of the Device* tables to Sentinel via Microsoft XDR Data connector. Ever since the ingestion is stopped in Sentinel, the TimeGenerated or Timestamp column usage in KQL is not working in Microsoft XDR Advanced Hunting at all. Example KQL in Advanced Hunting below: DeviceImageLoadEvents | where Timestamp >= ago(1h) | limit 100 The above yields no results in AdvancedHunting pane. However, if you use ingestion_time() you see the results which also gives TimeGenerated/Timestamp but cannot filter on that in the KQL. It seems like a bug to me. Does anyone face the same issue or can someone help? Thanks
How to Connect MS Secure Scores to Power Query?
The Microsoft 365 Defender Portal (https://security.microsoft.com/) has a 'Secure Score' page, which contains the following: An overall secure score which is then broken down by Identity, Data, Device, and Application secure scores. I would like to be able to pull these four scores into a Power BI report; however, I have had some difficulty in putting together a solution. This data seems like it could be found in the Microsoft Graph API, but MS seems to have made connecting Graph to Power Query rather difficult. I've tried other Defender APIs, but they all seem either outdated or out of scope for what I'm trying to pull. Can anyone advise? Thanks for reading.
Unable to view certain defender alerts
Hi Team, We are unable to view certain defender alerts from defender portal. We are able to pool alerts using graph api and from the output -> using alertWebUrl we tried to view the alert. We observed "You can't access this section" error message. (Sorry, you can't access this section. Check with your administrator for the role-based access permissions to see the data). But we are able to view other alerts, (Ex: Above error is for XDR alert, but we are able to view other XDR alerts). Is it possible to allow access to view only few XDR alerts?TVM still showing outdated vulnerabilities despite applications being up to date
Hi everyone, we’re using Microsoft Defender for Endpoint with Threat & Vulnerability Management (TVM) enabled. Lately, we've noticed that certain vulnerabilities (e.g., CVEs in browsers or third-party software) continue to be flagged on devices, even though the affected applications have been updated weeks ago. Example scenario: The device is actively onboarded and reporting to Defender XDR The application has been updated manually or via software deployment The correct version appears under Software Inventory However, the CVE still shows up under Weaknesses Has anyone experienced similar behavior? Are there any best practices to trigger a re-evaluation of vulnerabilities or force a TVM scan refresh? Would a device reboot or restarting the MDE service help in this case? Any insights, suggestions, or known workarounds would be greatly appreciated. Thanks in advance!
DeviceNetworkEvents table, UDP and IGMP events
Does DeviceNetworkEvents table get all network events or are there any caveats. Want to know if Defender Agents on the Machines collect all the TCP/UDP/ICMP/IGMP events or there are any specific events which are collected or not collected. We don't see most of UDP events. For example, we have a server listening on UDP, and when a client makes UDP connection to the server, we expect to see UDP connection events in the DeviceNetworkEvents table. We only see mostly DNS UDP events. Same thing with ICMP and IGMP. We don't see IGMP events at all. Can somebody throw light on how these things work.Firewall Rules programming with Defender XDR
We have our devices onboarded to Defender for Endpoint, and want to program Firewall Policy and Firewall Rules Policy using Defender Onboarding. We know that we can onboard devices to Intune and use Intune MDM to program rules. But, we don't want a full blown MDM setup or license for just firewall programming. Is there a deployment scenario where we can do firewall programming just using defender machines. Any help is really appreciated.
Lack of alerts in Sentinel
Hello, I am troubleshooting a lack of alerts and incidents in my Sentinel deployment. When I look at the Micrsoft Defender XDR connector, I see plenty of events like DeviceEvents, DeviceInfo, IdentityLogonEvents, etc. However, the entries for: SecurityIncident-- SecurityAlert-- AlertInfo-- AlertEvidence-- all show grey with a disconnected connector showing. I've been over the onboarding documentation several times and can't find what I'm missing. Has anyone else experienced this who can point me in the right direction of what to check? Thanks!Attack Surface Reduction - Problem Enforcement
Hello Community, for a customer i deploy Microsoft Defender for Endpoint with Security Management Features of MDE. All works fine but for "Attack Surface Reduction Rule" i have some problem, device are 1.8K and attack surface reduction only apply for 304 devices that have the same policy of other. But from Security Portal So i don't understand because in some device asr works correctly and in the other device not. Has anyone the same problem ? Regards, Guido
Secure Score isn't loading
Hi! For more than a week, the Microsoft Secure Score isn't displaying my organisation's score or any actions to review or recommended ones. I'm having problems with Teams' access lately and I need to check the security configurations as soon as possible. Does anyone have the same issue?Bug using Streaming API with new schema 'CloudProcessEvents'
Hi community, recently i've been trying to use defender streaming api for raw data linking my XDR to an storage account. The problem comes when I end setting the API for sending the logs to azure and this problem appears: As you can see there is a problem related to the new type of event CloudProcessEvents that is not supported via API. I cannot unselect this type of event because it doesn't appear, we can only visualize it in the Advanced Hunting portal. Can someone help?
Vulnerability Management: Why don't tags show up on exposed devices?
In Vulnerability Management's Security Recommendations, there's a "tags" column for the exposed devices, but it isn't populated. Why? Wouldn't this screen be one of the most useful places to see tags? "Let's see, I need to update the software on these twenty machines. One machine has the "user on leave" tag, another one has the "pending reboot" tag - better contact that user." I shouldn't have to drill down into the devices table to check out each machine in the exposed list.Defender not detecting test Kali Linux devices connected to network
Hello, first time posting here. Our organization is trying to get more familiar with MS 365 Defender. Just to see what it would discover, we connected a device running Kali Linux (not domain joined) to our internal LAN network then did some NMAP scans from it against the subnet and one of our servers. We were thinking we would see Defender trigger some kind of alert but that did not happen. We are also not seeing this Kali Linux device in the Defender Device Inventory anywhere. We have our device discovery set to Standard and have the appropriate networks enabled for Monitoring. Should we be getting some kind of alert of a non-onboarded device doing port scans against other devices in our network?How to get access to Move or Delete e-mail?
So this week I had some phishing e-mails that made it past Defender's filtering and were delivered to user mailboxes. I wanted to pull them back, so I found the relevant message the Defender XDR portal, and clicked on Take Action, but the only option available to me there was Submit to Microsoft for review. All the others, including Move or Delete, which is what I wanted, were grayed out. I'll add that was doing this using my Global Admin account. Did some research and supposedly assigning my account the Data Investigator role or creating a custom role with Search and Purge capability would provide the desired access So I put my account into both of those groups, and I still can't access Move or Delete. Anybody know what I am missing here? I’d be grateful for any information.Bug using streaming API related to new type of event 'CloudProcessEvents'
Hi community, recently i've been trying to send XDR events/logs to a storage account via streaming API option. The problem comes when this bad request appears: This problem is related with a new schema that have been added recently to XDR Advanced Hunting. As you can see the new type of event 'CloudProcessEvents' is not supported via API but it doesnt appear in type of event at the configuration to unselect it. Can someone help?Suggestion: Centralize Microsoft Defender XDR Role Management into Microsoft Entra ID
Microsoft Entra ID has evolved into a strong, centralized identity and access management solution. Likewise, the Defender XDR portal (formerly Microsoft 365 Defender) provides a unified experience for security monitoring, investigation, and response across endpoints, email, identities, and more. These tools are critical to modern SecOps. However, managing access across them is still more complex than it needs to be. Key challenges: Dual RBAC confusion: Defender for Endpoint uses its own RBAC system, separate from Entra ID. This leads to misunderstandings — for example, assigning a user the Security Reader role in Entra ID might not grant expected access in Defender once Defender RBAC is enabled. Hidden roles: Roles like Defender for Endpoint Administrator aren’t visible in the Entra portal, making centralized management harder. Access risks: Enabling Defender RBAC can revoke access for some users unless they’re added manually to MDE role groups — often without clear warning. Admin overhead: Managing permissions separately in Entra and Defender adds duplication, friction, and potential for misconfiguration. Suggestions Let’s build on the strength of Microsoft Entra ID by moving all Defender role assignments into Entra, where identity and access is already managed securely and consistently. Goal: Use only Entra ID roles to manage access to the Defender XDR portal — eliminating the need for custom RBAC roles or portal-based configurations in MDE, MDO, or MDI. Benefits of this change: Centralized, consistent access management across Microsoft security solutions Simplified admin experience with reduced configuration errors Better alignment with Zero Trust and least-privilege principles Clear, discoverable roles for Security and SOC teams Seamless experience during role onboarding/offboarding Suggested new Entra built-in roles for Defender XDR: Defender Endpoint Security Administrator Defender Email Security Administrator Defender Cloud Security Administrator SOC L1 Analyst (read-only) SOC L2 Analyst (response) SOC L3 Analyst (hunting) Defender XDR Administrator / Engineer Vulnerability Analyst Microsoft has done a fantastic job modernizing Entra and unifying security visibility in Defender XDR — and this would be a great next step forward. #MicrosoftEntraID #MicrosoftDefenderXDR #SecurityOperations #IAM #RBAC #CloudSecurity #ZeroTrust #MicrosoftSecurity #SecOps #SOCCannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I tried to create custom detection rule from KQL query in Defender XDR: Advance Hunting by custom various variable to be able to submit, but for this query to be able to go through remediation setting of detection rule, I need the entity identifiable columns like AccountUpn, that I need to union with IdentityInfo schema. But detection rule seems not support the union * thing as the attached pic: I searched for the same problems that seems to be occurred in all system using KQL including in Microsoft Sentinel Logs but has no workaround to bypass. So, is there any way to get through this objective without strucking with union * problem?Secure Score - gMSA not recognized ("Change service account to avoid cached password in registry")
Hello, we have several SQL Servers who were marked as "exposed devices" in the secure score recommendation "Change service account to avoid cached password in windows registry". The remediation option called for the use of "group Managed Service Accounts" ("gMSA"). We implemented those gMSAs. However, the servers are still marked as exposed. What did we do wrong? Is this a false-positive? I already did some checks with the help of Microsoft Copilot - there are no cached credentials for the gMSAs present, the Accounts are correctly set up (they are working for SQL Server services), and we don't use Microsoft Defender for Identity (if that is needed). Any advises? Thank you very much!Investigation state Queued
I see a number of messages in our Defender XDR Incidents with a status of Queued. What does this status mean? This appears to only be related to Defender for Office 365 incidents, usually email reported as junk/phish/notjunk etc type of incidents. Regardless of whether I investigate or change the status of the incident, in remains in the Incidents list as queued. I cannot find clear documentation on what this state means or what action is required to resolve/close the incident. Can anyone shed any light on the what the queued state means and how to resolve a queued incident.
Recent Blogs
- 3 MIN READLearn how Microsoft Defender for Cloud Apps helps you discover and govern ChatGPT and other AI apps as they access Microsoft 365.Jul 17, 2025
- 5 MIN READMicrosoft Defender XDR Monthly news - July 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across o...Jul 02, 2025
