Forum Discussion
Windows Defender Malware alerts not shown in Security Center
- Jul 01, 2020
Hi brunhuber,
First of all, welcome to our community :) Please always feel free to raise questions; this is what this community is for.
To be able to test your scenario, please first validate that you see ProtectionStatus events in your workspace.
ProtectionStatus is the antimalware event type that ASC collects into the workspace and that ASC's Antimalware alerts are based on.
To test if ProtectionStatus events are available, please run the following query via the "Logs" section in your Log Analytics workspace.
ProtectionStatus
| where TimeGenerated > ago(1d)
| where ThreatStatusRank == 555
| summarize count() by Computer
When the ProtectionStatusRank == 550 it indicates malware activity.
The best way to test the integration with Antimalware is to run the EICAR file.
Just save the EICAR content into a file on one of your connected VMs and a couple of minutes later you should see an Antimalware alert in Azure Security Center.
Thanks,
Nadav.
- brunhuber, Jul 02, 2020, Copper Contributor
Thanks for your advice. I see the ProtectionStatus logs but no alerts about the malware. One of my server colleagues said that he tried and Defender caught the EICAR file but don't see anything in Sentinel 🙂 Do I need to have the Microsoft Defender Advanced Threat Protection connector, which is in preview? I remember that it should work without.
Thanks
- nawolfin, Jul 12, 2020, Former Employee
Let's first validate that you are seeing the alert in Azure Security Center.
Could you please go to the Azure Security Center portal and see if you are seeing the security alerts on the machine?