Forum Discussion
MDE Alerts tab and quarantine files location
Hello,
I have a few questions that I hope you can help clarify.
Filtering MDE Alerts by Detection Source: In Microsoft Defender for Endpoint (MDE), is it possible to filter alerts based on their detection source? Specifically, if we want to view only those alerts generated by MDE itself, how can we achieve that? Any guidance on this would be greatly appreciated.
Quarantine Location in MDE: According to a Google search, the quarantine location for MDE is specified as "/ProgramData/Microsoft/Windows Defender/Quarantine". Could you please confirm if this information is accurate? If there's an official reference from Microsoft documentation, I would appreciate it if you could share the link.
Regards,
2 Replies
- AdelAlDabbas
Microsoft
Hello drivesafely,
The Alerts page (https://security.microsoft.com/alerts) supports filtering by Product name, which can be helpful if you're looking for MDE alerts without specifying the exact source within MDE product. You can achieve that by clicking on the "Add filter" option and choose Product name.
If you're still looking for Detection Source filter, you can export the Alerts page and filter in Excel.
Or, to filter alerts by detection source, you can use the following Advanced Hunting query:
AlertInfo
// "Source" is a placeholder: replace it with the DetectionSource value you want to keep
| where DetectionSource == "Source"
| project AlertId, Timestamp, DetectionSource, Title, Severity, Category
| sort by Timestamp desc
The quarantine location you mentioned for MDAV is correct. Note that it is recommended to only interact with the Quarantine folder through the Microsoft Defender/Windows Security app.
Best regards,
Adel
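As an added example that is not part of Adel's reply, the placeholder query above can be extended into an Advanced Hunting query that keeps only alerts raised by Defender for Endpoint (the original question) and attaches the device each alert fired on. It assumes the ServiceSource string is exactly "Microsoft Defender for Endpoint" and that device evidence rows in AlertEvidence carry EntityType == "Machine"; confirm both values in your tenant with `AlertInfo | summarize count() by ServiceSource, DetectionSource` before relying on the filter. Advanced Hunting only holds 30 days of these tables, so the lookback is capped accordingly.

```kusto
// Added example, not from the original forum reply.
// Goal: MDE-originated alerts only, narrowed by service (and optionally by the
// engine inside MDE), with the affected device names pulled from AlertEvidence.
let lookback = 7d;               // Advanced Hunting retains at most 30d here
AlertInfo
| where Timestamp > ago(lookback)
// Assumption: this is the ServiceSource value MDE alerts carry in your tenant.
| where ServiceSource == "Microsoft Defender for Endpoint"
// Optional narrowing to the engine inside MDE once you have confirmed the
// DetectionSource values present in your data, e.g.:
// | where DetectionSource in ("EDR", "Antivirus")
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(lookback)
    // Assumption: device evidence rows use EntityType "Machine".
    | where EntityType == "Machine"
    | summarize Devices = make_set(DeviceName) by AlertId
  ) on AlertId
| project Timestamp, AlertId, Title, Severity, Category, DetectionSource, Devices
| sort by Timestamp desc
```

Because the filter is on ServiceSource rather than DetectionSource, alerts from Defender for Office 365, Identity or Cloud Apps drop out regardless of which engine inside those products raised them; switch to a DetectionSource filter only when you need a specific MDE engine, since a single value such as "Antivirus" will miss EDR and custom-detection alerts that are still MDE alerts.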
- drivesafely, Brass Contributor
Thanks for the response and guidance.
I would like to take this opportunity to ask a question related to alert notifications via email. We have configured the same, and receive quite limited information in the email. Is there a way to natively configure MDE to include more of the details we want in the email itself when it is sent for any alert?
Regards,