Forum Discussion
Defender for Business - No alert after process lockout?
Hi karnalta,
This behavior is expected.
The PowerShell test triggered EDR, which is designed to raise alerts and create incidents in the Microsoft 365 Defender portal. This is good because it confirms your server is properly onboarded and that EDR, alerting and notifications are working as intended.
When you tried to install a new service on the same server, it was blocked by local real-time protection (antivirus/behavior monitoring). These preventive actions often do not create alerts or incidents if the threat is blocked successfully and there are no signs of compromise. It's like the SOC team does not have any further actions, as the threat is blocked successfully.
However, you can see events logged locally on the server in the Windows Defender Operational log. You can find these in Event Viewer:
Applications and Services Logs -> Microsoft -> Windows -> Windows Defender -> Operational
These are intentionally not escalated to avoid alert noise, as there is no action required.
If your goal is visibility rather than just protection, you can utilise Defender's advanced hunting feature and run a KQL query to get the antivirus event telemetry:
DeviceEvents | where ActionType has "Antivirus"
In short, Defender blocked it correctly, but it wasn't severe enough to warrant an incident.
If you find the answer useful, please do not forget to like and mark it as a solution 🙂
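As an added example (not part of the original post or of any Microsoft documentation), the PowerShell below reads the same Operational log from an elevated prompt on the onboarded server and summarises recent detection and remediation events, so a locally blocked threat that never became an incident can still be verified on the host. The seven-day window is an assumption; the event IDs used are the standard Windows Defender detection (1116) and action-taken (1117) IDs.

```powershell
# Added example: summarise Defender antivirus detection/remediation events
# from the local Operational log. Run elevated on the onboarded server.
# 1116 = threat detected, 1117 = action taken (standard Defender event IDs).

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddDays(-7)   # assumption: a 7-day lookback is enough
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No detection/remediation events found in the last 7 days."
    return
}

$events | ForEach-Object {
    # The useful fields live in the EventData section of the event's XML payload;
    # the names below are the field names as Defender writes them (with spaces).
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Threat   = $data['Threat Name']
        Severity = $data['Severity Name']
        Path     = $data['Path']
        Action   = $data['Action Name']      # only populated on 1117 events
        Process  = $data['Process Name']
        User     = $data['Detection User']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the service installation from the question shows up here as a 1117 event with a block/quarantine action but no corresponding incident in the portal, that confirms the local-prevention-only behaviour the answer describes.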