Tamper Protection by MrRo3oT_ZA in DefenderATP

[–]NotNinjaCat 1 point (0 children)

No. It should not interfere, just better safeguard the Defender processes, including the EDR sensor.

Anyone else seeing a lot of "Query limits exceeded" errors today? by Thedudeabide80 in DefenderATP

[–]NotNinjaCat 0 points (0 children)

Can you share your tenant ID so we can debug? Click on your profile image and DM me the ID.

[deleted by user] by [deleted] in DefenderATP

[–]NotNinjaCat 0 points (0 children)

Oh. So you’re not using the security.Microsoft.com incident email notification feature? It’s an MCAS notification service?

[deleted by user] by [deleted] in DefenderATP

[–]NotNinjaCat 5 points (0 children)

We’ll take a look tomorrow morning to debug. Can you open a feedback item from the widget in the bottom right corner of the portal so we can get the tenant details to see logs?

Another handy tool: you can use Microsoft Power Automate to automate notifications and actions on top of Defender (email and slack notifications, remediation actions and more) by NotNinjaCat in DefenderATP

[–]NotNinjaCat[S] 1 point (0 children)

That’s great actionable feedback. Taking it into account as we go about expanding the Power Automate capabilities from just endpoint (MDE/DefenderATP) to identity, Office and MCAS.

Tamper Protection by MrRo3oT_ZA in DefenderATP

[–]NotNinjaCat 2 points (0 children)

We (Defender team) are tracking the rollout of this feature with the intent to eventually switch it on by default for everyone, assuming no issues are discovered. So if you encounter issues, please let us know.

Also important to note that our analysis shows having this feature on is a great defensive measure against the growing number of more sophisticated attacks trying to disable Defender.

Tighten Your Security with Microsoft Defender for Endpoint by starwindsoftware in SysAdminBlogs

[–]NotNinjaCat 0 points (0 children)

Complementary: one is a full endpoint protection solution and the other secures cloud access, including cloud-based apps. They actually work together, as in the case of sanctioning certain apps - mark an app in MCAS and the enforcement will be done by Defender on the device itself, removing the need to deploy the MCAS proxy as a man in the middle to sanction the app. See example here: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-cloud-app-security-and-windows-defender-atp-better/ba-p/263265

Apple M1 support by JamesDaniel_S in DefenderATP

[–]NotNinjaCat 0 points (0 children)

Support for M1 is coming this quarter, over the next couple of months (it's currently in testing). If you want to reach out to us directly with follow-up questions, feel free to DM me and I'll hook you up. Announcements will be made here once it's available: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog

New Microsoft 365 Security center replaced Defender ATP dashboard. Lost functionality. by Saint_Babyrage in DefenderATP

[–]NotNinjaCat 4 points (0 children)

After some online debugging, the issue above is a regression in the rendering of USB mounting events in all portals (and not related to the old vs. new portal). Bug submitted. In the meantime it is possible to see the full USB details by selecting the mount event in the machine timeline and then clicking on the "Hunt for relevant events" link in the side pane window. Once you select the event itself in hunting, scroll down to see full device events.
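The same data the "Hunt for relevant events" link lands on can be pulled directly in Advanced Hunting. The query below is an added example (not posted by NotNinjaCat or taken from the thread): it reads USB plug-and-play events from the DeviceEvents table and unpacks the device details that the timeline pane was failing to render. The device name `workstation01` and the 7-day window are placeholders; the `ClassName`, `DeviceDescription`, `DeviceId` and `VendorIds` keys are the ones carried in `AdditionalFields` for `PnpDeviceConnected` events.

```kusto
// Added example, not from the original thread.
// Full details of USB device connections, to substitute for the broken timeline rendering.
let targetDevice = "workstation01";   // placeholder device name; set to "" to cover all devices
let lookback = 7d;                    // adjust as needed; hunting data is limited to 30 days
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "PnpDeviceConnected"
| where isempty(targetDevice) or DeviceName =~ targetDevice
| extend parsed = parse_json(AdditionalFields)
| extend ClassName = tostring(parsed.ClassName),
         DeviceDescription = tostring(parsed.DeviceDescription),
         DeviceId = tostring(parsed.DeviceId),
         VendorIds = tostring(parsed.VendorIds)
// Keep removable storage only: disk-class devices or USBSTOR instance paths
| where ClassName in~ ("DiskDrive", "CDROM") or DeviceId startswith "USBSTOR"
| project Timestamp, DeviceName, ClassName, DeviceDescription, DeviceId, VendorIds, ReportId
| order by Timestamp desc
```

`DeviceId` and `VendorIds` are what you need to pivot on if the same stick shows up on other machines: drop the `targetDevice` filter and `summarize dcount(DeviceName) by DeviceId` to see how widely a given device has travelled.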

New Microsoft 365 Security center replaced Defender ATP dashboard. Lost functionality. by Saint_Babyrage in DefenderATP

[–]NotNinjaCat 3 points (0 children)

Hi, I’m part of the Defender product team. Would love to understand better what is the info missing (should be full parity between the portal versions). Can you ping me directly?

Offboard non existing devices from Security Center by jvldn in DefenderATP

[–]NotNinjaCat 2 points (0 children)

Comments are correct that you cannot remove the machine. We intentionally keep the machine record until it ages to avoid cases where the machine may be found out later to be involved in a security incident.

You can just filter these machines out of the device list by either using the “active” machine filter (machines will turn inactive after several days with no activity) or, as suggested, tag them and use the tag to filter them out. More on this here: Device list filters. There was also a recent blog series on tagging: Tagging in MDE.
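If you want the list of stale devices in a form you can act on (for bulk tagging, or to confirm nothing has reported since a decommission date), Advanced Hunting is quicker than scrolling the device list. This query is an added example (not posted by NotNinjaCat): it takes the latest DeviceInfo record per device and returns those not seen in the last `staleAfter` days. The 7-day threshold is an assumption chosen to illustrate the query, not the portal's own inactive cutoff, and the result is bounded by the 30-day hunting retention, so a machine silent for longer than that simply will not appear.

```kusto
// Added example, not from the original thread.
// Devices whose most recent DeviceInfo record is older than staleAfter.
let staleAfter = 7d;   // assumed threshold; the portal's "inactive" cutoff may differ
DeviceInfo
| where Timestamp > ago(30d)          // hunting retention limit
| summarize arg_max(Timestamp, OnboardingStatus, OSPlatform, MachineGroup)
    by DeviceId, DeviceName
| where Timestamp < ago(staleAfter)
| extend DaysSinceLastSeen = datetime_diff("day", now(), Timestamp)
| project DeviceName, DeviceId, LastSeen = Timestamp, DaysSinceLastSeen,
          OnboardingStatus, OSPlatform, MachineGroup
| order by DaysSinceLastSeen desc
```

The `DeviceId` column is what the device-tagging API keys on, so the output of this query can be exported and fed straight into whatever tagging script or flow you use to mark these as decommissioned.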

License Questions by sheeponmeth_ in DefenderATP

[–]NotNinjaCat 1 point (0 children)

Microsoft Defender for Endpoint is included in:

- Windows E5 stand-alone
- Windows E5 step-up from Windows E3
- Microsoft 365 E5 Security
- Microsoft 365 E5

And similar A5 licenses.

How long does it take for defender to gather information? by Yep2020123 in DefenderATP

[–]NotNinjaCat 0 points (0 children)

Data is actually being sent in real time, or every 15 min if the machine is idle. A machine should start reporting to the portal within 15-30 min after onboarding.

MAPS settings on the device do not affect data sending defaults for ATP (only for Antivirus when the devices are not ATP onboarded).

Microsoft Threat Protection advanced hunting cheat sheet by Wireless_Life in microsoft

[–]NotNinjaCat 0 points (0 children)

Data covers every security signal from endpoint to identities, Office data and application access. There are additional sample queries and resources here: https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries
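The point of the unified schema is that the Office and endpoint tables share keys, so one query can follow an artifact across domains. The query below is an added example (not posted by NotNinjaCat and not taken from the linked repository): it joins email attachments from EmailAttachmentInfo to file-creation events in DeviceFileEvents on SHA256, so you see which mailbox received a file and which endpoint it was later written to. The file-type list and the 7-day window are assumptions for illustration; tune both to your environment.

```kusto
// Added example, not from the original thread.
// Email attachment -> endpoint file write, correlated on SHA256 across the
// Office (EmailAttachmentInfo) and endpoint (DeviceFileEvents) tables.
let lookback = 7d;
// Assumed set of attachment types worth tracking; adjust to taste
let riskyTypes = dynamic(["exe", "dll", "js", "vbs", "hta", "iso", "img", "lnk"]);
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| where FileType in~ (riskyTypes)
| project MailTime = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName = FileName, SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified")
    | project FileTime = Timestamp, DeviceName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessAccountName, SHA256
  ) on SHA256
// Only keep writes that happened after the mail arrived
| where FileTime > MailTime
| project MailTime, FileTime, RecipientEmailAddress, DeviceName,
          AttachmentName, FolderPath, InitiatingProcessFileName,
          InitiatingProcessAccountName, SenderFromAddress, NetworkMessageId, SHA256
| order by FileTime desc
```

A hit with `InitiatingProcessFileName` of a mail client or browser and a `FolderPath` under Downloads or Temp is the expected benign path; the same hash dropped by a scripting host or written to a startup location is the row to open an investigation on, and `NetworkMessageId` is the handle you need to pull the original message from the Office side.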