April 28, 2025
Introduction:
Continuing the deep dive into Microsoft Defender XDR’s built-in Deception Capability —
today we’ll walk through how to configure it properly to make sure your environment gets the full protection this feature offers.
The setup process is simple but powerful when done right.
Here’s everything you need to know.
Step 1: Turn on the Deception Capability
By default, deception is off — you need to activate it manually:
Go to Settings > Endpoints.
Under General, select Advanced features.
Find Deception capabilities and toggle it On.
When you turn it on, a default rule is automatically created:
Decoy accounts and hosts are generated.
Lures are planted on Windows client devices across the organization.
The goal: instant baseline protection while giving you room to customize later.
Step 2: Understand the Default Deception Rule
The default rule covers all devices (organization-wide), but lures are currently planted only on Windows clients.
You can edit the default rule if you want:
Adjust which devices get lures.
Fine-tune decoys and lures based on your specific needs.
Pro Tip: Even without custom rules, the default setup already gives you strong first-layer coverage.
Step 3: Create and Customize Deception Rules
You can create up to 10 deception rules.
To create a new rule:
Go to Settings > Endpoints > Rules > Deception Rules.
Select Add Deception Rule.
In the rule creation panel:
Add a name and description.
Choose lure types (you can select Basic, Advanced, or both).
Define the scope: All Windows clients or based on specific tags.
The system then starts generating decoys automatically 🛠️.
Step 4: Manage Decoys and Hosts
Review or edit automatically generated decoy accounts and hosts.
You can add your own decoys if needed.
⚠️ Important:
Always create unique usernames and hostnames for decoys.
Avoid using real IPs or common ones like 127.0.0.1 or 10.0.0.1.
Using sandbox IPs is recommended if available.
This helps avoid false positives during incident investigations.
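Here is an added example (my own code, not part of the Defender XDR product or Microsoft's documentation) that turns the decoy hygiene rules above into a pre-flight check you can run before typing decoys into the portal. It assumes a constructed inventory of real usernames, hostnames and IPs, plus a hypothetical sandbox range `10.250.0.0/16`; swap in your own exports. Collisions with real identities, loopback or common addresses, and duplicates within the decoy set are reported as errors, while an address outside the sandbox range is only a warning, since the post treats sandbox IPs as a recommendation.

```python
import ipaddress

# --- Constructed sample inventory (not real data) ----------------------------
# Real identities already present in the environment. A decoy must never collide
# with any of these, or a legitimate logon could be mistaken for decoy activity.
REAL_USERNAMES = {"jsmith", "svc-backup", "administrator"}
REAL_HOSTNAMES = {"fs01", "dc01", "ws-1042"}
REAL_IPS = {"10.20.30.5", "10.20.30.6"}

# Addresses the post says to avoid: loopback and "everyone has one" gateways.
COMMON_IPS = {"127.0.0.1", "10.0.0.1", "192.168.0.1", "192.168.1.1"}

# Hypothetical sandbox range set aside for decoy hosts (assumption for this example).
SANDBOX_NET = ipaddress.ip_network("10.250.0.0/16")


def check_decoy_account(username, real_usernames=REAL_USERNAMES, other_decoys=()):
    """Return a list of problems with a proposed decoy username (empty list = OK)."""
    problems = []
    u = username.strip().lower()
    if not u:
        return ["username is empty"]
    if u in {x.lower() for x in real_usernames}:
        problems.append(f"'{username}' collides with a real account")
    if u in {x.lower() for x in other_decoys}:
        problems.append(f"'{username}' duplicates another decoy account")
    return problems


def check_decoy_host(hostname, ip, real_hostnames=REAL_HOSTNAMES,
                     real_ips=REAL_IPS, other_decoys=()):
    """Return (errors, warnings) for a proposed decoy host.

    Errors break the "unique and not real" rule; warnings are recommendations.
    """
    errors, warnings = [], []
    h = hostname.strip().lower()
    if not h:
        errors.append("hostname is empty")
    if h in {x.lower() for x in real_hostnames}:
        errors.append(f"'{hostname}' collides with a real host")
    if h in {x.lower() for x in other_decoys}:
        errors.append(f"'{hostname}' duplicates another decoy host")

    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        errors.append(f"'{ip}' is not a valid IP address")
        return errors, warnings

    if ip in COMMON_IPS or addr.is_loopback or addr.is_unspecified:
        errors.append(f"{ip} is a loopback/common address")
    if ip in real_ips:
        errors.append(f"{ip} belongs to a real host")
    if addr not in SANDBOX_NET:
        warnings.append(f"{ip} is outside the sandbox range {SANDBOX_NET}")
    return errors, warnings


def check_rule(decoy_accounts, decoy_hosts):
    """Validate a full decoy set, including uniqueness within the set.

    decoy_hosts is a list of (hostname, ip) tuples. Returns (errors, warnings),
    each a list of strings prefixed with the decoy they refer to.
    """
    errors, warnings = [], []
    for i, name in enumerate(decoy_accounts):
        others = decoy_accounts[:i] + decoy_accounts[i + 1:]
        errors += [f"account {name}: {p}"
                   for p in check_decoy_account(name, other_decoys=others)]
    for i, (host, ip) in enumerate(decoy_hosts):
        others = [h for j, (h, _) in enumerate(decoy_hosts) if j != i]
        e, w = check_decoy_host(host, ip, other_decoys=others)
        errors += [f"host {host}: {p}" for p in e]
        warnings += [f"host {host}: {p}" for p in w]
    return errors, warnings


if __name__ == "__main__":
    # Constructed candidates: one good account, one clashing with a real user,
    # one good host, one on a common IP, one outside the sandbox range.
    errs, warns = check_rule(
        ["dcy-finance-admin", "jsmith"],
        [("dcy-vault01", "10.250.1.10"),
         ("dcy-backup", "10.0.0.1"),
         ("dcy-hr", "10.20.40.9")],
    )
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run it with the real inventory swapped in, and only carry decoys with zero errors into the portal; the warnings are worth reading but do not block deployment.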
Step 5: Customize and Upload Lures
When configuring lures:
Choose between autogenerated lures or custom lures.
To upload your own lure:
Use any file type (except .DLL or .EXE).
Limit size to 10 MB per file.
Pro tips for effective custom lures:
Mention decoy accounts or hosts in your lure file content.
Make the lures appealing for attackers (e.g., fake passwords, internal configs).
You can also decide:
Whether to plant lures on all scoped devices.
Whether the lure should be hidden or visible.
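As an added example (my own code, not Microsoft's), the checker below applies the upload rules above to a custom lure before you hand it to the portal: it rejects `.dll`/`.exe` files and anything over 10 MB, and warns when the content never mentions a decoy account or host, which is the "pro tip" that makes a lure useful. It also adds one safeguard of my own that the post does not state as a product rule: a lure that references a real identity is flagged as an error, because the whole point is that the lure contains fake passwords and decoy names only. The decoy and real-identity names are constructed for the example.

```python
import re
from pathlib import Path

MAX_LURE_BYTES = 10 * 1024 * 1024       # 10 MB per-file limit from the post
BLOCKED_EXTENSIONS = {".dll", ".exe"}   # the two file types the post says are rejected

# Constructed names (not real): decoys from Step 4, and real accounts to keep out of lures.
DECOY_NAMES = {"dcy-finance-admin", "dcy-vault01"}
REAL_NAMES = {"jsmith", "svc-backup"}


def _mentions(text, names):
    """Return the sorted subset of names that appear as whole tokens in text.

    Lookarounds treat '-' as part of a token so 'dcy-hr' does not match 'hr'.
    """
    low = text.lower()
    return sorted(
        n for n in names
        if re.search(r"(?<![\w-])" + re.escape(n.lower()) + r"(?![\w-])", low)
    )


def check_lure(filename, data, decoy_names=DECOY_NAMES, real_names=REAL_NAMES):
    """Validate one lure by file name and raw bytes.

    Returns (errors, warnings, mentioned_decoys). Errors mean the upload will be
    rejected or the lure is unsafe; warnings mean it is allowed but weak.
    """
    errors, warnings = [], []
    suffix = Path(filename).suffix.lower()
    if suffix in BLOCKED_EXTENSIONS:
        errors.append(f"{filename}: {suffix} files cannot be uploaded as lures")
    if len(data) > MAX_LURE_BYTES:
        errors.append(f"{filename}: {len(data)} bytes exceeds the 10 MB limit")

    # Binary lures are fine for the size/type rules; undecodable bytes are skipped
    # so the content checks still run on whatever text is inside.
    text = data.decode("utf-8", errors="ignore")

    mentioned = _mentions(text, decoy_names)
    if not mentioned:
        warnings.append(f"{filename}: does not mention any decoy account or host")

    # Added safeguard (not a product rule): never leak a real identity through a lure.
    leaked = _mentions(text, real_names)
    if leaked:
        errors.append(f"{filename}: references real identities {leaked}; "
                      "use only decoy names and fake secrets")
    return errors, warnings, mentioned


def check_lure_file(path, **kwargs):
    """Convenience wrapper that reads a file from disk and validates it."""
    p = Path(path)
    return check_lure(p.name, p.read_bytes(), **kwargs)


if __name__ == "__main__":
    # Constructed sample lures: one good, one content-free, one blocked type,
    # one that would leak a real username.
    samples = {
        "vault-access.txt": b"VPN host: dcy-vault01\nuser: dcy-finance-admin\npass: Winter2025!\n",
        "old-notes.txt": b"call the helpdesk on Monday\n",
        "installer.exe": b"MZ\x90\x00",
        "creds.csv": b"jsmith,Summer2024!\n",
    }
    for name, data in samples.items():
        errs, warns, hits = check_lure(name, data)
        status = "REJECT" if errs else ("WEAK" if warns else "OK")
        print(f"{status:6} {name}  mentions={hits}")
        for line in errs + warns:
            print("       ", line)
```

Point `check_lure_file` at each file you intend to upload; anything that comes back with errors should be fixed before it goes near the rule, and a lure that only produces the "does not mention any decoy" warning is usually worth rewriting so it points an intruder at a decoy you actually monitor.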
Step 6: Final Review and Save
Before saving:
Review all sections (scope, decoys, lures).
Make any edits if needed.
Select Save.
Creation might take 12–24 hours to fully deploy across your network.
You can monitor progress in the Deception Rules panel.
You can also Export rule details for auditing and documentation purposes.
Step 7: Managing Existing Rules
To edit, disable, or delete a deception rule:
Select the rule in the Deception Rules pane.
Choose Edit, Turn off, or Delete as needed.
Good hygiene:
Review your active deception rules periodically.
Update lures and decoys if your environment or threat landscape changes.
For more information:
https://learn.microsoft.com/en-us/defender-xdr/configure-deception