Forum Discussion
brunhuber
Jun 29, 2020
Copper Contributor
Windows Defender Malware alerts not shown in Security Center
Hi Everyone, this is my first post so please excuse me if I'm not on the right topic. I have 10 Windows Server 2016 servers in Azure that have Windows Defender installed on them and they are conf...
- Jul 01, 2020
Hi brunhuber,
First of all welcome to our community :), please always feel free to raise questions, this is what this community is for.
To be able to test your scenario, please first validate that you see ProtectionStatus events in your workspace.
ProtectionStatus events are the antimalware events that ASC collects into the workspace and that ASC's Antimalware alerts are based on.
To test if ProtectionStatus events are available, please run the following query via the "Logs" section in your Log Analytics workspace.
ProtectionStatus
| where TimeGenerated > ago(1d)
| where ThreatStatusRank == 555
| summarize count() by Computer

When the ProtectionStatusRank == 550, it indicates malware activity.
The best way to test the integration with Antimalware is to run the EICAR file.
Just save the EICAR content into a file on one of your connected VMs, and a couple of minutes later you should see an Antimalware alert in Azure Security Center.
Thanks,
Nadav.
nawolfin
Jul 12, 2020
Former Employee
Let's first validate that you are seeing the alert in Azure Security Center.
Could you please go to the Azure Security Center portal and see if you are seeing the security alerts on the machine?