Forum Discussion

noooooooo
Copper Contributor
Mar 15, 2021

Enable alerts but disable action on detected file

Hi,

I'm trying to enable alerts for detected malicious files (to include sending an email notification), but NOT have Defender block files or actions taken by the detected file.

I've tried enabling passive mode, which does not block malicious files, but also does not result in an alert/email being sent. When I download an EICAR file, it's allowed and no notification occurs.

When passive mode is disabled, the file is blocked and an alert/email is sent. I cannot download an EICAR file and a notification occurs.

How can I effectively "audit" Defender, whereby files are NOT blocked, but alerts are sent?

I am working on Linux devices.

Thanks.

  • shoando
    Brass Contributor

    Is the detection log displayed in Advanced Hunting when operating in Passive Mode?
    If it is displayed, I think you can use the Custom detection rule to alert without action.
    • noooooooo
      Copper Contributor

      shoando thanks for the reply. I don't see anything that says "detection logs" in my threat hunting tab. Is that the table name I should be looking for?
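As an added illustration of shoando's suggestion (not code from either poster or from Microsoft), the Advanced Hunting query below is the kind a custom detection rule could be built on: it surfaces Defender AV detections on Linux hosts so the rule can raise an alert and send its own notification while the rule's response actions are left empty. It assumes AV detections land in the DeviceEvents table as ActionType "AntivirusDetection" and that DeviceInfo carries OSPlatform for the Linux filter; the first query is the check for whether those rows appear at all while the device is in passive mode.

```kql
// Added example, not from the original thread.
// Step 1: confirm that AV detections are actually reported to
// Advanced Hunting while the Linux device is in passive mode.
// If this returns nothing after an EICAR test, a custom detection
// rule has nothing to fire on and the approach will not work.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| join kind=inner (
    DeviceInfo
    | where OSPlatform == "Linux"      // assumed column/value
    | distinct DeviceId
  ) on DeviceId
| summarize Detections = count() by DeviceName, bin(Timestamp, 1h)

// Step 2: query body for the custom detection rule itself.
// Custom detection rules require Timestamp, DeviceId and ReportId
// in the output; configure the rule with no response actions so
// it only alerts (and emails via the alert notification rule).
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "AntivirusDetection"
| join kind=inner (
    DeviceInfo
    | where OSPlatform == "Linux"      // assumed column/value
    | distinct DeviceId
  ) on DeviceId
// ThreatName lives in the JSON AdditionalFields blob (assumed key)
| extend ThreatName = tostring(parse_json(AdditionalFields).ThreatName)
| project Timestamp, DeviceId, ReportId, DeviceName,
          FileName, FolderPath, SHA1, ThreatName
```

Run each query separately in the portal; the rule is created from the second one, and the alert's email delivery is set up through the alert notification settings rather than the query.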
