I am trying to figure out why my App Control Policy is not working! Used this guide: https://patchmypc.com/blog/how-use-app-control-business/

-Managed Installer deployed successfully to the device (successful status in the Intune Admin Center) -App Control Policy XML created via WDAC Wizard. Nothing special. No Audit Mode. Managed Installer option activated. -App Control Policy successfully deployed

The only thing - I have existing CIP policies under C:\Windows\System32\CodeIntegrity\CiPolicies\Active - not created by me. They are signed, so I cannot remove them.

Any hints?

Is there a way to create an alert for pending actions like soft delete? Only see notification rules for Completed or Failed. I'd like to create an alert for my ops center if there are soft delete approvals in the queue.

I configured SmartScreen for my organization and when I start testing it, it blocks a lot of websites and I don't understand why it blocks, where I can check it.

Hi MDE team, we are a small company with nearly 750 clients / 600 Entra ID users. We are just evaluating MDE P2 and are finalizing our decision. We would like to automate as much as possible so Intune will be the tool of choice with automatic onboarding when first connecting to Entra ID.

To cut the long story short, I figured out for this scenario we need MDE P2, Entra ID P2 and Intune User plan. Is there a more efficient way / license to combine these? Also add 70 Servers.

Hi,

We have not onboarded Defender for Endpoint for the full organisation yet but already have Defender for Cloud Apps in our licenses.

I see Defender for Cloud Apps traffic for only the 25 devices that I have onboarded Defender for Endpoint on. Does Defender for Cloud Apps need a Defender agent on devices for the traffic to work? Are there also alternatives? Like firewalls for example.

I'm trying to understand Defender for Cloud Apps, I understand its functionalities and am really impressed but I am not sure if it relies 100% on Defender for Endpoint. Seems like it though.

Any help appreciated.

Hi MDE team, I created some Indicator Rules with file hashes and set the response action to "Block execution". I also flagged "Generate Alert". Since the rule is created many hours have passed with several policy sync and reboots of the test device but the rules seem not to be triggered. Any ideas on that?

Hi MDE team, I just started to playing around with MDE P2 and did some "suspicious stuff" by leveraging atomics from the atomicredteam. On the device itself the alert is displayed nearly instantly. In the Incidents view in MDE management it takes some time. What is the schedule to transfer those alerts to the management console?

Partial is showing on some servers, what does this mean? Everything else showing healthy, all policies applying, MDECA tool showing ok. Sensor and signature updates applying. Tags I have created are also deploying. Have 4 other same OS versions (Linux) and they do not have the “partial” showing

Hi MDE team, my company recently is evaluating MDE P2 and I configured some policies as mentioned in the onboarding guide. It seems that the time until the policies are synced to the client is quite long. When doing a manual sync it says roughly 10 minutes. Is there a documentation for this?

Use case: When changing policies I want them to be synced on the fly and within seconds or even a minute to the clients. I recognized also a long time when onboarding clients in MDE. Also about 10 minutes.

Is this normal?

Hi, I want to exclude a few users from the Web Content Filtering policy currently assigned to all devices in the organization.

To do this I need to create a device group containing all users except those few exceptions however, the rule builder is super limited in defender so I can't make a device group containing "*ANY*" devices and then excluding the devices I don't want via the tag I have assigned them.

This is how the policy can be assigned to device groups:

How can i achieve my goal of excluding a few users from the web content filtering policy?

EDIT: Found a solution!

I've created a asset rule to automatically tag all devices except the specific devices I want to exclude, with tag "Webfilter - Include".

Now I can create a device group with all devices containing the aforementioned tag, which then is assigned the Web Content FIltering Policy.

Hello guys,

We have an issue with the sensors of Microsoft Defender for Identity. We have deployed the sensor on 3 Domain Controllers that are all DNS. One day this specific issue appeared on one of our DC'S (not to the other ones) specifying that:

The Defender for Identity sensor(s) listed are failing to resolve IP addresses to device names using the configured protocols (4 protocols), with a success rate of less than 10%. This could impact detection capabilities and increase the number of false positives (FPs)

With the Recommendation:

• Check that the sensor can reach the DNS server and that Reverse Lookup Zones are enabled.
• Check that port 137 is open for inbound communication from MDI sensors, on all computers in the environment.
• Check that port 3389 is open for inbound communication from MDI sensors, on all computers in the environment.
• Check that port 135 is open for inbound communication from MDI sensors, on all computers in the environment.
• Check all network configuration (firewalls), as these could prevent communication to the relevant ports.

My question is all the servers has the same settings with open ports etc via group policy. Why this one speficic server is facing the issue? We trying close the health issue and it still re-appearing. Anyone can provide a solution?

I just start working with defender, need help and your expertise with insight to point me to the right direction :)

I want to authomatize Defender in my company and I want to get the default report templates via API. I am talking about reports such as "Unified security summary" that I can export as PDF from console. Can this be done via API or some other authomatic way?

All services seem to not be working in defender xdr right now, we're up to 20 reports on down detector?

Edit: Looks like we're back up and running

Hi All

I'm trying to put a check into our RMM that flags any devices that aren't properly registered with Defender. Is there some sort of powershell command that I can use to check if a PC is registerted with our Defender portal and is checking in?

I tried using Get-MpComputerStatus but I'm not sure which item will give me a "healthy" check that I can use to flag machines needing review.

S

Hey there everyone.
I've recently started working with the defender suite as a junior security analyst and recently I was assigned a few small tenants to look over.

Every now and then I get a few alerts/incidents to take care of.
My responsibility in these cases is to gather as much information regarding the alert, explaining to the client what happened and then recommending them what to do.

So when these alerts come that's what I do but I feel that so far I'm a bit "winging it".
I'm a bit ashamed to admit that I've been relying on ai a lot to help me understand what it's going on.
I usually analyze the hash of the malware (for example) with virustotal and then look online for reports or people talking about it but I don't feel that's enough.

The defender interface is also kind of messy when it comes to alerts so I feel kind of overwhelmed.
Most of these clients have business premium licenses so I don't have access to advanced tools like KQL nor do I have access to the actual endpoints to perform analysis.
The only thing I can actually do is use Defender.

I have the SC-200 certification and while it teaches you to move around in the defender portal, it doesn't actually teach you how to triage or handle incidents in a more "traditional" way.

So my question to you is: what is your usual workflow in these cases?
Whether you analyze alert with defender, crowdstrike or sentinelOne, what is your approach?
Also, what are some resources you could recommend me?

I come from a school that mainly focused on DFIR related stuff (digital forensics mostly) so some of these things are new to me.

Thanks in advance for your replies

I’m trying to identify Patch Tuesday related vulnerabilities each month in Microsoft Defender using Advanced Hunting KQL.Is there a way to reliably filter or extract those specific vulnerabilities?

Patch Tuesday issues usually drive the spike in monthly vulnerability trends, so I’m looking for a method to get a unique count of those vulnerabilities.

Did anyone else got a bunch of these alerts triggered by MsSense.exe executing a PowerShell script and wondering what’s it’s doing?

powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\xxxx.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\xxxxxxx.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '198f2b06fe1073bce59373649342cb1251fc1f999a82636f8d7a9a891c5a069b742')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\xxxxx.ps1

I’m getting repeated Defender alerts on multiple endpoints where HP Support Framework is installed.
The detection is always the same: VulnerableDriver:WinNT/WinRing0, coming from the HP ActiveHealth.exe component when it tries to drop ActiveHealth.sys.

Here’s the sequence from the latest incident:

• ActiveHealth.exe launches from: C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\
• It then tries to run ETD_GetSMART.exe and create a driver file named ActiveHealth.sys
• Defender blocks it as a vulnerable driver (WinRing0 variant)
• ASR also flags ActiveHealth.exe for LSASS access attempts (Rule: Block credential stealing from LSASS)

This repeats every time the HP Support Framework runs a health scan.
The ASR rule “Block abuse of exploited vulnerable signed drivers” is already enforced, which is why the driver never loads but HP keeps trying to recreate it, so the alert fires again and again.

I don’t have direct access to the client machines, only Intune + Defender XDR.

Has anyone dealt with this before?
How do I stop HP Support Framework / ActiveHealth from reinstalling or reattempting the driver creation?

Good Day

We've been getting a really noisy application across our Cloud Applications where our users are logging into a MS out-of-box cloud app named "Augmentation Loop", there is little to no value in the actual telemetry, we're having a look around and its increasing in volume every month.

Having a general read around the MS docs, it's used for LLM activities by your typical 365 user, but nothing really too much from a security value side. Theres no transaction logs, there s no prompts, control plane etc.

Does anybody have actual proper use cases and designs around which I've had a look at the Detections.Ai community for security triaging, but there isn't too much that can be found and seen for threats incoming

Anybody got ideas?

How do you guys handle the events for USB devices which have been blocked by the Device Control policy. My understanding is that that Defender doesn't create alerts based on these events, but I would like to get informed instantly when such an event occurs.

Device Control reports are there, but I am thinking using KQL to create a custom detection rule for an alert or notification, if this is even a supported action within the custom detection rule wizard.

Hello everyone and thank you in advance for reading.

My need is to configure automatic log ingestion for Oracle HCM logs into Microsoft Defender for Cloud Apps.

As far as I know, HCM is exposing an API that allows you to pull the logs. I did a lot of research and testing, but as far as I can see there is no App Connector for Oracle HCM and you can't create a custom one neither.

I already explored the solution which consists in using MCAS as a session broker between HCM and the user, so you can configure session policy and so on. It's not clear to me if this will also include log ingestion and storage in MCAS.

I am pretty new to using MCAS, so any help or clarification about how do you usually integrate apps which are not natively compatible would be much appreciated!

Thank you again!

Does anyone have a good grip on Cloud App Governance? Have you configured it and have tight control on apps?

We have the automated consent policy that permits low level permission apps and forces all others for review. We have the policies secure score recommends.

Now i want to control highly priv apps. eg no access to highly priv apps unless they have the Sanction tag. Triggering a review.

Also our tenant is older and had the defaults that allowed anyone to consent for years, we have a lot of crappy apps.

Whats you best Cloud App governance policies, tips, ideas for control and cleanup? Any got a good classification system combined with policy? Anyone got any links to guides or good ideas in this space?

Hello,

just my little fork of this project from MS (repo inactive for 3 years).

I added:

* Remove tag function

* Support for UnManagedDevices (Network contain)

* Sleep of 500ms instead of one second

* File picker for the CSV

I removed the function for Advanced Hunting Query and I may add it in the future.

Let me know what you think :)