May 12 2022 03:23 AM
My 365 Defender Dashboard has populated the "Devices with active Malware" tile, with 1 affected device.
I view the details, locate the device and check on the device page. The risk level shows nothing, and no 365 or Sentinel incidents have been triggered. If I hunt through the timeline, no malware/AV events are displayed. If I use Advanced Threat Hunting and run this, I get nothing:
For a sanity check, if I remove the device element, still nothing:
I've gone to Sentinel and searched the SecurityAlert table for entities containing the hostname, and had a return for "AD Account Disabled" (it is currently enabled). The owner didn't mention this, but I think this is possibly part of the cause.
Does anyone have any experience with this mismatch of information?
Thanks
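One way to cross-check the tile against the underlying data, as an added example that is not part of the original post or the poster's own query: the Advanced Hunting query below looks at the same device from two angles (Defender AV detection events and alert evidence), so an empty result from both narrows the mismatch down to the tile's own data source. The hostname and lookback window are placeholders.

```kql
// Constructed example. Replace the placeholder hostname before running.
let target = "HOSTNAME-PLACEHOLDER";
let lookback = 30d;
// 1) Raw AV detection events recorded by Defender for Endpoint on the device.
DeviceEvents
| where Timestamp > ago(lookback)
| where DeviceName startswith target
| where ActionType == "AntivirusDetection"
| project Timestamp, DeviceName, ActionType, FileName, SHA1, AdditionalFields
| union (
    // 2) Any alert whose evidence references the device, joined to the alert details.
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where DeviceName startswith target
    | join kind=inner (AlertInfo | project AlertId, Title, Category, Severity, ServiceSource) on AlertId
    | project Timestamp, DeviceName, ActionType = strcat("Alert: ", Title), FileName, SHA1, AdditionalFields = Category
)
| order by Timestamp desc
```

If both halves return nothing for the full lookback, the "active malware" state is not coming from hunting-visible telemetry, which points at the device's cached health or alert status in the portal rather than a fresh detection.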