Forum Discussion
Defender for Business - No alert after process lockout?
Hello all,
A few days ago, I set up Defender for Business server on a Windows Server 2019.
I can see that server in the Microsoft security portal devices list.
I have also tested the "suspicious" PowerShell command provided by Microsoft and it all went well. PowerShell blocked, alert escalated as incident in the security portal, email received, ...
But the next day, I tried to install a service on that server that got blocked by Virus & Threat Protection because it was attempting to modify a lot of files. That was a good point for Defender (it was not a real threat and was later added as an exception).
My worry is that it was never escalated to the security portal, I didn't receive an alert email, ... The system blocked that "threat" multiple times during my attempt to deploy it and no incident was thrown.
What could be wrong?
Thank you.
3 Replies
Hi karnalta,
This behavior is expected.
The PowerShell test triggered EDR, which is designed to raise alerts and create incidents in the Microsoft 365 Defender portal. This is good because it confirms your server is properly onboarded and that EDR, alerting and notifications are working as intended.
When you tried to install a new service on the same server, it was blocked by local real-time protection (antivirus/behavior monitoring). These preventive actions often do not create alerts or incidents if the threat is blocked successfully and there are no signs of compromise. It's like the SOC team does not have any further actions, as the threat is blocked successfully.
However, you can see events logged locally on the server in the Windows Defender operational log. You can find these in Event Viewer.
Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational
These are intentionally not escalated to avoid alert noise as there is no action required.
If your goal is visibility rather than just protection, you can utilise Defender's advanced hunting feature and run the KQL query to get the antivirus events telemetry.
DeviceEvents | where ActionType startswith "Antivirus"
In short Defender blocked it correctly, but it wasn’t severe enough to warrant an incident.
If you find the answer useful, please do not forget to like and mark it as a solution 🙂
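Building on the advanced hunting query above, this is an added example (not part of the original reply) that lists antivirus events for one device and flags whether the same file hash appears in any alert evidence, which shows directly which blocks never became alerts. The device name is a placeholder, and ThreatName is assumed to be present in AdditionalFields on antivirus detection events; startswith is used because the action type values are single words such as AntivirusDetection.

```kql
// Added example: antivirus telemetry for one server over the last 7 days,
// with a flag showing whether the same file hash appears in any alert.
let lookback = 7d;
let target = "SRV-EXAMPLE-01";   // placeholder device name, replace with yours
DeviceEvents
| where Timestamp > ago(lookback)
| where DeviceName startswith target
// ActionType values are single words (AntivirusDetection, AntivirusReport, ...)
| where ActionType startswith "Antivirus"
// ThreatName is assumed to be carried in AdditionalFields for detection events
| extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1,
          ThreatName, InitiatingProcessFileName
// Left-outer join against alert evidence: rows with no AlertId were blocked
// locally without ever reaching the portal as an alert or incident.
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA1)
    | project SHA1, AlertId
  ) on SHA1
| extend RaisedAlert = isnotempty(AlertId)
| summarize Events = count(), EventsWithAlert = countif(RaisedAlert),
            LastSeen = max(Timestamp) by ActionType, ThreatName, FileName, SHA1
| order by LastSeen desc
```

Rows where Events is greater than zero but EventsWithAlert is zero are the silent local blocks described in this thread, which you can review without waiting for an incident.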
- AlertsAndCoffee (Copper Contributor)
Are you sure you are getting emails on all alerts and incidents? When configuring these email notifications, you need to choose the sources and the severity. In my train of thought it is easy to just select high and medium severity for emails to reduce the noise. However, Defender often puts the informational or low severity on an alert when it has blocked the threat and e.g. it is not a well known hacking tool.
- rishmishra0727 (Copper Contributor)
Hi Karnalta,
When a file gets detected as malicious, it goes through a series of checks before the cloud protection service decides if it is malicious or not. During that time it blocks the file, for which you got a toast notification. And when that verdict is made and the system decides it's not harmful when compared to Microsoft threat intelligence, it doesn't raise an alert. There are some resources available online that you can search to test the Defender AV protection and alerting.
thanks
Rish