r/DefenderATP

I rebuilt my local M365 SOC Tool from PowerShell to a full Web App Now self-hostable with RBAC, SSO & much more
▲ 76 r/DefenderATP+1 crossposts

I rebuilt my local M365 SOC Tool from PowerShell to a full Web App Now self-hostable with RBAC, SSO & much more

Hi everyone,

A while back I showed you my local Microsoft 365 SOC tool built in PowerShell. Back then it was limited to a single-user setup https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Well… I’ve been pulling all-nighters and completely rebuilt it from the ground up. It’s no longer PowerShell, it’s now a full JavaScript application and it’s absolutely fire.

You can now self-host it wherever you want:

  • On-prem
  • Azure
  • Any web server with at least 2 cores and 4 GB RAM

I’ll be releasing it in the next few days so you can host and test it yourselves.

What’s new & improved:

  • SSO support for additional users → no more manual logins
  • Full RBAC permission system
  • More RBAC roles coming: Analyst, Responder, Reader, Administrator
  • Azure Files Share integration for storing evidence and data
  • Significantly better performance
  • Security hardening
  • Fully automatic setup script that does the entire deployment for you

GCC / GCC-High compatibility is unfortunately not possible yet. I don’t have access to that environment and being based in Germany makes it pretty hard to get one.

If anyone has a GCC tenant they’d be willing to test with, I’d love to collaborate!

I’m planning to sink at least 35 hours into this project again this weekend.

If you have feature requests or ideas for what a proper M365 SOC tool should have, drop them in the comments. You guys know better than anyone what’s actually needed in the field.

Huge thanks to everyone who tested the earlier version:)

Can’t wait to get this into your hands.

u/Ok-Stretch-7850 — 3 days ago

Blocking AI defender for cloud

Hi looking for idea here

We have blocked most of the AI in discovered app ( unsscntionned) but we will need to allow some ai to specific users

In my search the best way is with device group. Sadly I don’t see a good way to do this as with the default filters I could filter them by tag exemple deepseek tag for deepseek ai

But users changes devices sometimes and we would like more to filter them by azure group as as of nous I would have to always manually tag the new devices or etc

Any better way to do this?

Thanks

reddit.com
u/neko_whippet — 5 days ago

Seeing TVM-2026-0001 Vulnerability with sparse details

I'm not seeing any references to the naming convention of TVM. Anyone seen this before?

The vulnerability listed just has one reference to a random GitHub with a Bitlocker Bypass vulnerability. No other information.

reddit.com
u/drolemag21 — 4 days ago
▲ 3 r/DefenderATP+1 crossposts

Endpoint event logs on security portal

We use MDE. For alerting on data exfiltration attempts, I want to collect certain event viewer logs from the windows 11 endpoints and view them in Security portal/SIEM. Is it possible? If yes, how please.

reddit.com
u/True-Agency-3111 — 4 days ago

Any experience with MDE on linux?

Are you using heavier features like enable file hash computation?

Are you havong lots of exlusions?

Are you using cloud protection?

I saw it taking quite a lot of memory even without scans or blocking enabled -> between 400 and 600 MB, is this normal? Seems a bit high.

reddit.com
u/WhatIsHappening369 — 5 days ago

MDE device control with encrypted USB

We are using MDE device control to block USB access. Exception process is in place, we collect the user id and machine id to ensure that usb is accessible only for a particular user on a specific device.

Now we want to test that when the exception is provided user should only be able to write data to usb if it's encrypted. How should we be approaching this along with a provision for exception for use cases where encrypted USB cant be used on business device e.g. RIG

reddit.com
u/True-Agency-3111 — 4 days ago

M365 SoC Tool

Hi

Over the past few weeks I’ve built a tool I wanted to share with you.

It’s a SOC solution for Microsoft 365. It currently runs on a local PowerShell web server, but the plan is to make it fully self-hosted or deployable in Azure in the future.

What it does:

You enter a compromised user and the approximate compromise date, and the tool gives you:

  • All devices the user was logged into
  • Suspicious sign-ins
  • Mail traffic after the breach
  • Additional aggregated signals from multiple M365 data sources

The goal is to give you fast and clear visibility into a potential incident. Results can be exported or automatically sent via email.

More features are coming soon. I’m developing this after work in my spare time because I want to give something useful back to the community and make our jobs a bit easier (and a lot more secure).

Version 0.1 is now live on GitHub.
I’d love your feedback, test results, improvement ideas, or bug reports. Feel free to comment here or open an issue in the repo.

→ GitHub Link: https://github.com/Mau2rice0/World-of-M365/tree/main/Security/SOC/M365%20Compromise%20Response%20Console

Thanks in advance, looking forward to your thoughts!

reddit.com
u/Ok-Stretch-7850 — 7 days ago

Azure Domain Controller - Defender for Cloud P2

Hi,

I'm a bit lost here. We have a domain controller VM in Azure. I've enabled Defender for Cloud P2 at the subscription layer. I can see the MDE agent is enabled in extenstions.

When I check the Defender XDR Portal, it tells me the DC isn't enrolled to MDE security settings. This is after a few days too.

We have two on prem DCs that are showing ok but they have the "on prem" Defender licence, not Defender for Cloud.

Also, do we have to configure the actual defender settings via a GPO? The server setup seems very convoluted versus onboarding to Intune.

reddit.com
u/DaithiG — 10 days ago

Need suggestions to buy a Microsoft defender

We are planning to purchase a defender for our organization. Our infrastructure is hosted in AWS and includes both Windows and Linux servers. We have more than 200 employees in the organization, and we need a security monitoring solution that can provide protection and visibility for both endpoints and servers.

We would like to know which XDR tool would be the best fit for our environment. It would also be helpful if you could share approximate pricing or licensing costs based on your experience

reddit.com
u/Say_My_Name_00 — 9 days ago

I’m looking for some help with creating a workbook in Microsoft Sentinel.

Hi,

I’m looking for some help with creating a workbook in Microsoft Sentinel.

I’ve managed to create one where you enter the user email, date, and time range, and when it runs it returns around 6 different results (Google searches, emails, internet history, etc.)

The issue is that the output looks quite messy because it brings back too many results at once. Is there a way to add a selection before running the query (for example checkboxes/options) so I can choose which results I want returned, and only show those?

Any advice would be appreciated.

Thanks!

reddit.com
u/Minega15 — 9 days ago
▲ 6 r/DefenderATP+1 crossposts

KnowBe4 XLSM attachments detected by MDE

We’re running KnowBe4 phishing simulations in a Microsoft 365 and Defender environment, and have configured Advanced Delivery Policies as recommended by KnowBe4. The emails are being delivered but we’re still seeing MDE detect and quarantine some simulated attachments, specifically .xlsm files.

Example event: OUTLOOK.EXE created file Invoice.xlsm

Path: C:\Users\<user>\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\<folder>\Invoice.xlsm

Defender finds: TrojanDownloader:O97M/Obfuse.SU!MTB inside Invoice.xlsm->xl/vbaProject.bin

Defender also finds: Trojan:O97M/Phish.RV!MTB inside Invoice.xlsm->xl/drawings/_rels/drawing1.xml.rels

The remediation action is successful quarantine and in some cases the alert says it prevented attempted open by OUTLOOK.EXE.

My understanding is that Advanced Delivery helps Microsoft 365 Defender for Office identify authorised phishing simulations and bypass certain mail filtering and detonation behaviour but it does not necessarily stop Defender MDE from scanning and quarantining the file once Outlook writes it to the cache locally. So this appears to be endpoint protection detecting the simulated payload rather than Microsoft 365 blocking delivery.

Has anyone else run into this with KnowBe4 .xlsm or macro-enabled phishing simulation attachments? This has been ongoing for about 6 months where Microsoft and KB4 are of little help. This is also having a minor impact to our phishing test reports where users that interact with xlsm payload tests are not marked as a fail.

The only option I see to stop these detections would be to whitelist payload behaviour that the phishing tests are there to prevent which feels dumb.

reddit.com
u/nocryptios — 11 days ago

"Edge for Business protection" is supposed to enforce use of Edge, but it doesn't

Here's a look at it, showing exactly where it's buried in Defender and how it's configured:

https://i.imgur.com/OOKiwWA.png

Has anyone here gotten it to work to enforce use of Edge/Edge for Business when accessing M365 properties? If so, please tell me what you did.

Yes, it's in Preview, but for a year or two. Its only job is to do the one thing that I can't get it to do, which is to put up a message about needing to use Edge.

What I've done:

-The above screen as you see in the screenshot

-CA policy: Target resources on "All resources" (confirmed working by Entra ID sign-in logs showing Applied); Conditions: Windows/Mac, Client app Browser; Session: Use CA App Control (Use custom policy)

-MDCA session policy: under the Conditional Access section and is a "Monitor only" type. Currently no "Matching activities" set (have tried many before), but its log shows that it's matching. I don't think that Matching activities is needed in this context.

The result: Chrome and Firefox (desktop) reach M365 apps with no prompt or block but with abundant indicators in the rewritten URLs that the reverse-proxy (mca.ms) is active. When troubleshooting, I even tried Edge for Business, which of course is NOT supposed to hit the proxy. It was as if I was using Chrome.

It's very much like this "Edge for Business protection" straight up doesn't work or things just aren't getting that far. I hope I'm just doing something wrong.

Testing in E5

Update: Finally got it to work, with no changes to the above configuration. The reason:

- One thing I didn't mention above, is that I started testing on our normal tenant, Business Premium. When I realized early on that a MDCA session policy was needed, I found that the specific kind wasn't even available in straight Business Premium. At that point, I switched over to a separate tenant that had E5, and used it for all future testing.

- I continued testing with the same PC...but that machine was AAD registered with our normal tenant. I never thought about that, as the browser testing was going on by my logging in to the browser, of course, with E5-appropriate credentials. Turns out though, that the machine is registered/joined very much matters.

-The machine can be AAD registered or joined. But whichever one it is, it MUST agree with the tenant you're trying to access with the browser, regardless of how you're logging in with the browser. I only discovered this when testing with a brand-new VM and found everything to be magically working. Then I began to think about what was different, and it dawned on me.

u/rpodric — 12 days ago

AVD Host and Intune

Hi,

I've got some AVD hosts that I want to install Defender on and remove Sophos. It's currently domain joined and GPO managed. It's entra hybrid joined. Its Windows 11 multi session.

I tried with a Dev host, which went well and I could see it in the portal. When I asked our security team to exclude various fslogix items it came to light that I needed to get the AVD registered in intune as that's where the policies for defender live. Upon doing this I started getting all my intune polices and apps, which was sub optimal.

Can I manage exclusions from the defender portal so I don't have to register the other devices in intune?

reddit.com
u/AlertCut6 — 11 days ago

Silly question: how are my devices being onboarded in Defender?

So I inherited an environment with 0 documentation. I can see the devices are all onboarded into Defender just fine (E5 licenses for all users).

My question is: how? I thought via GPO using an onboarding package but 50 % of our devices are Entra joined and don't get GPO's. There's also no config profile for Defender onboarding in Intune.

Defender is linked with Intune but all of the switches are off (Connect Windows devices version 10.0.15063 and above to Microsoft Defender for Endpoint , this one too).

There is a platform script in Intune using the package, but that's assigned to a test group from a few years ago and definitely does not hit new devices.

HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection shows me that a packageGUID is present so I guess that was the method used, but I cannot for the life of me find out where this is coming from. We don't use any third party MDM, it's all Microsoft.

Any help? I'd like to switch it over to using Intune but I need to disable that legacy shit first.

reddit.com
u/workaccountandshit — 14 days ago

How does Defender MDE? update it's signatures?

This would seem like a simple question, but how do the signature updates work with defender. I had assumed that like everyother autvirus/malware product it would deal with updates itself, but when ever I look at available updates there in Azure Update Manager there's a defender update available.

What's the go?

reddit.com
u/stiggerer — 14 days ago

MDE not tracking Safari traffic

Hello guys, we've recently understood MDE is not tracking Safari traffic. It tracks when the safari process initiates outbound connections to share telemetry etc but not when people manually visit a website. MS support said this is a known issue and the fix will be released in mid July. However, I am not able to find someone that shares the same problem online, which is kinda strange giving the fact this is MDE and Safari... Is anyone else experiencing the same issue or did MS support sent me running a long one?

reddit.com
u/Total-Assumption-494 — 14 days ago

Is there a way to map Named Locations from Azure Conditional Access in Microsoft Defender?

I want to exclude whitelisted IP addresses from an alert and was wondering if I can reference Azure Conditional Access Named Locations in a KQL alert query instead of hardcoding the IP addresses.

u/Ok-Shock6637 — 14 days ago

Microsoft Defender for Cloud Apps file policies retirement and huge costs for 3rd party Purview file policies.

Logged into Defender for Cloud Apps today and received the following notification

>MDA SPO & 3P File Policies are being deprecated — December 31, 2026

Microsoft Defender for Cloud Apps SPO and 3rd-party File policies will be retired. Migrate your policies to Microsoft Purview DLP to ensure continued data protection coverage after December 31, 2026.

It looks like existing per-user licenses take care of first party data sources. However, third party data sources are under a pay-as-you-go license.

According to the learn docs the pricing applies to all files in scope (don't have to be matched by a policy).

>Counting assets

>Assets are counted based on the number of items that are in the scope of a policy. The asset doesn't have to match a policy's conditions to be counted, it just has to be in a location that's in the scope of a policy. An asset is only counted once, regardless of how many solutions or protection policies cover it.

According to the purview pricing it applies to

>Billing is calculated based upon the number of assets at rest that are auto-labeled and protected under these policies

and

>You're charged for each day that a policy covers an asset.

The price is $.50 per month per asset.

So, if you have a Google Workspace with 1 million files total and 1 thousand matched via policy, $500 per month.

Just saw this today and wanted to put an FYI out there.

edited to clarify that the pricing is per asset covered by a policy

u/sarge21 — 13 days ago