When is malware not malware?


My 365 Defender Dashboard has populated the "Devices with active Malware" tile, with 1 affected device.

[screenshot: CodnChips_0-1652349764205.png]

I view the details, locate the device and check on the device page.  The risk level has nothing and no 365 and Sentinel incidents triggered.  If I hunt through the timeline, no malware\av events are displayed.  If I use the Advanced Threat hunting and run this, I get nothing:

[screenshot: CodnChips_1-1652350136592.png]

For a sanity check, if I remove the device element, still nothing:

[screenshot: CodnChips_2-1652350174570.png]

I've gone to Sentinel and searched the SecurityAlert table for entities containing the hostname and had a return for AD Account Disabled (It is currently enabled).  The owner didn't mention this but I think this is possibly part of the cause.


Does anyone have any experience with this mismatch of information?

Thanks

0 Replies
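To reconcile the tile against what the underlying tables actually hold, the queries below cover the three places the post looks: raw antivirus events in Defender for Endpoint, alerts tied to the device in Microsoft 365 Defender, and the SecurityAlert table in Sentinel. This is an added example, not the poster's query or Microsoft's own; `<hostname>` is a placeholder for the device named on the tile, and the 30-day lookback is an assumption. The first two queries run in the Defender portal's Advanced Hunting, the third in Sentinel Logs; run each one separately.

```kql
// Added example (not the poster's own query). Replace <hostname> with the
// device shown on the "Devices with active Malware" tile.
let target = "<hostname>";
let lookback = 30d;   // assumed window; widen it if the tile is stale

// 1. Defender for Endpoint (Advanced Hunting): antivirus detections and
//    related AV activity recorded on the device itself.
DeviceEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ target
| where ActionType startswith "Antivirus"    // AntivirusDetection and siblings
| project Timestamp, DeviceName, ActionType, FileName, SHA1, AdditionalFields
| order by Timestamp desc

// 2. Microsoft 365 Defender (Advanced Hunting): any alert whose evidence
//    references the device, regardless of which product raised it.
AlertEvidence
| where Timestamp > ago(lookback)
| where DeviceName =~ target
| join kind=inner (AlertInfo) on AlertId
| project Timestamp, AlertId, Title, Category, Severity, ServiceSource, DetectionSource, EntityType
| order by Timestamp desc

// 3. Microsoft Sentinel (Logs): alerts in the SecurityAlert table whose
//    entities mention the hostname. Entities is a JSON string, so a
//    substring match is the simplest reliable filter.
SecurityAlert
| where TimeGenerated > ago(lookback)
| where Entities has target
| project TimeGenerated, AlertName, Severity, Status, ProviderName, ProductName, CompromisedEntity
| order by TimeGenerated desc
```

If query 1 and query 2 both return nothing for the device while the tile still counts it, the disagreement is between the dashboard's summary and the event tables rather than a missed detection on the endpoint; query 3 is the cross-check for whether the only alert Sentinel holds is the unrelated "AD Account Disabled" entry the post mentions.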