SOLVED

Windows Defender Malware alerts not shown in Security Center


Hi Everyone,

 

This is my first post, so please excuse me if I'm not on the right topic.

I have 10 Windows Server 2016 machines in Azure that have Windows Defender installed, and they are configured to push their events / logs to a workspace. Sentinel is attached to that workspace. They are also integrated into Security Center. The problem is that I do not see Antimalware alerts in Security Center. I see other alerts, like malicious IPs and so on, but no Antivirus / Malware information.

Am I missing something?

 

Thanks,

Adrian

5 Replies
Best Response confirmed by brunhuber (Occasional Contributor)
Solution

Hi @brunhuber,

 

First of all, welcome to our community :). Please always feel free to raise questions; this is what this community is for.

 

To be able to test your scenario, please first validate whether you see ProtectionStatus events in your workspace.

ProtectionStatus is the antimalware event type that ASC collects into the workspace and on which ASC's Antimalware alerts are based.

 

To test whether ProtectionStatus events are available, run the following query via the "Logs" section of your Log Analytics workspace.

// ProtectionStatus events from the last day with ThreatStatusRank 555, counted per machine
ProtectionStatus
| where TimeGenerated > ago(1d)
| where ThreatStatusRank == 555
| summarize count() by Computer
 
When ProtectionStatusRank == 550, it indicates malware activity.
 
The best way to test the integration with Antimalware is to use the EICAR file (https://www.eicar.org/?page_id=3950).
Just save the EICAR content into a file on one of your connected VMs, and a couple of minutes later you should see an Antimalware alert in Azure Security Center.
 
Thanks,
Nadav.
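The two checks Nadav describes above (drop an EICAR file on a connected VM, then confirm ProtectionStatus events reach the workspace) can be scripted end to end. The script below is an added example, not code from the original thread. It assumes an elevated PowerShell session on one of the connected Windows Server 2016 VMs, the built-in Defender module, the Az.OperationalInsights module with Connect-AzAccount already done, and a placeholder workspace ID in $WorkspaceId that you must replace with your own.

```powershell
# Added example (not from the original thread). Assumptions, labelled as such:
#   - elevated PowerShell on one of the connected Windows Server 2016 VMs
#   - the Defender module (ships with Windows Defender) is available
#   - Az.OperationalInsights is installed and Connect-AzAccount has been run
#   - $WorkspaceId is a placeholder; replace it with your Log Analytics workspace ID
param(
    [string]$WorkspaceId = '00000000-0000-0000-0000-000000000000',   # placeholder, replace
    [string]$TestPath    = "$env:TEMP\eicar-test.txt"
)

# 1. Confirm real-time protection is on; with it off nothing will be detected.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Real-time protection is disabled on $env:COMPUTERNAME; enable it before testing."
}
"Signatures last updated: $($status.AntivirusSignatureLastUpdated)"

# 2. Write the EICAR test string. Single quotes are essential: the string contains
#    '$EICAR' and '$H', which a double-quoted PowerShell string would expand as variables.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
try {
    Set-Content -Path $TestPath -Value $eicar -Encoding Ascii -NoNewline
    "Wrote $TestPath"
} catch {
    # Real-time protection commonly blocks the write itself; that is still a detection.
    "Write blocked by Defender (expected): $($_.Exception.Message)"
}

# 3. Check Defender's local detection history for the EICAR hit.
Start-Sleep -Seconds 15
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match 'eicar' }
if ($hits) {
    $hits | Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources | Format-List
} else {
    Write-Warning 'No local EICAR detection yet; check Defender operational log events 1116/1117.'
}

# 4. Query the workspace with the same filter as the thread's query.
#    Ingestion latency means this can take several minutes; re-run if the result is empty.
$kql = @'
ProtectionStatus
| where TimeGenerated > ago(1d)
| where ThreatStatusRank == 555
| summarize count() by Computer
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)
$result.Results | Format-Table -AutoSize
```

If step 3 shows a local detection but step 4 stays empty for longer than the usual ingestion delay, the gap is between the agent and the workspace rather than in Defender itself, which narrows down where to look before questioning the Security Center or Sentinel side.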
Thanks for your advice. I see the ProtectionStatus logs but no alerts about the malware. One of my server colleagues said that he tried it and Defender caught the EICAR file, but he doesn't see anything in Sentinel :) Do I need to have the Microsoft Defender Advanced Threat Protection connector, which is in preview? I remember that it should work without it.
Thanks

Let's first validate that you are seeing the alert in Azure Security Center.

Could you please go to the Azure Security Center portal and see whether you are seeing the security alerts on the machine?

@nawolfin 

Thanks for your advice. It's all there now; maybe it was a replication delay between the data in Sentinel and Security Center.

Great, happy to hear that! :)