Jun 29 2020 02:42 AM
Hi everyone,
This is my first post, so please excuse me if I'm not on the right topic.
I have 10 Windows Server 2016 machines in Azure that have Windows Defender installed on them, and they are configured to push their events/logs to a workspace. Sentinel is attached to that workspace. They are also integrated into Security Center. The problem is that I do not see antimalware alerts in Security Center. I see other alerts, like malicious IPs and so on, but no antivirus/malware information.
Am I missing something?
Thanks,
Adrian
Jul 01 2020 11:55 AM
Solution
Hi @brunhuber,
First of all, welcome to our community :) Please always feel free to raise questions; this is what this community is for.
To be able to test your scenario, please first validate that you see ProtectionStatus events in your workspace.
ProtectionStatus is the antimalware event type that ASC collects into the workspace and that ASC's antimalware alerts are based on.
To test whether ProtectionStatus events are available, please run the following query via the "Logs" section of your Log Analytics workspace.
// Antimalware events collected into the workspace
ProtectionStatus
// last 24 hours only
| where TimeGenerated > ago(1d)
// keep only the threat status rank of interest
| where ThreatStatusRank == 555
// one row per machine that sent matching events
| summarize count() by Computer
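A broader version of that check, added here as an example and not part of the reply above: instead of counting rows for one ThreatStatusRank, it starts from every agent that is still sending Heartbeat records and shows, per machine, whether any ProtectionStatus event arrived in the window at all, plus the latest state it reported. Machines that heartbeat but have no ProtectionStatus rows are the ones ASC cannot raise antimalware alerts for, whatever Defender logs locally. It assumes the standard Heartbeat and ProtectionStatus schemas (Computer, TimeGenerated, ThreatStatus, ThreatStatusRank, ProtectionStatus, ProtectionStatusRank); the lookback and column names are the only assumptions.

```kusto
// Added diagnostic query (not from the original thread). Assumes the standard
// Heartbeat and ProtectionStatus table schemas of the Log Analytics agent.
let lookback = 1d;
// Every machine whose agent is still reporting to this workspace.
let reporting =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
// Latest antimalware state per machine, regardless of threat rank.
let amState =
    ProtectionStatus
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, ThreatStatus, ThreatStatusRank,
                        ProtectionStatus, ProtectionStatusRank) by Computer;
// Left outer join keeps heartbeating machines with no ProtectionStatus rows;
// for those, the ProtectionStatus columns come back empty.
reporting
| join kind=leftouter amState on Computer
| extend HasAntimalwareData = isnotempty(TimeGenerated)
| project Computer, LastHeartbeat, HasAntimalwareData,
          LastAntimalwareEvent = TimeGenerated,
          ThreatStatus, ThreatStatusRank, ProtectionStatus, ProtectionStatusRank
// Machines missing antimalware data sort to the top.
| order by HasAntimalwareData asc, Computer asc
```

Run it in the same "Logs" blade. Any row with HasAntimalwareData == false is a machine to look at first (agent connected, but no antimalware telemetry reaching the workspace); rows with data show the last ThreatStatus/ProtectionStatus the machine reported, which is what the ASC alert logic works from.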
Jul 02 2020 05:49 AM
Jul 12 2020 04:15 AM
Let's first validate that you are seeing the alert in Azure Security Center.
Could you please go to the Azure Security Center portal and check whether you see the security alerts on the machine?
Jul 13 2020 06:14 AM
Thanks for your advice. It's all there now; maybe it was a replication delay between the data in Sentinel and Security Center.
Jul 13 2020 06:58 AM