
Juulw
Sep 23, 2021
Solved

Devices with malware detections Report

Hi, in our MDE portal the 'Devices with malware detections' contains a few devices which supposedly have active malware, however, the devices do not have any (active) alerts in Defender for Endpoint....
  • Juulw
    Nov 16, 2021
    While reverse engineering the reports in M365D, I was able to find out that the 'Devices with malware detections' report contains hosts that were active within the last 24h and had malware detections within at least the past 15 days, but that might be a longer period. I used the following query:

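    // Devices that have reported in since the start of the given day
    DeviceInfo
    //| summarize by DeviceName
    | where Timestamp > startofday(datetime(2021-11-15 00:00:01))
    // Keep only devices that also have alert evidence from the past 15 days
    | join (AlertEvidence | where Timestamp > ago(15d)) on DeviceName
    // Count the matching rows per device
    | summarize count() by DeviceName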
