Delay in Alert generation

Hi, we have received an alert from Defender for Endpoint which says a certain malware was detected. The alert was generated on Apr 5, 2022 12:45 PM. But according to the Alert Story and Device Timeline the actual File Interactions took place on March 10, 2022 3:18 PM. I was not able to find these file interactions using advanced hunting queries on both dates.

Therefore, does anybody know if Defender for Endpoint is able to generate alerts for events that took place in the past, but would only be detected now due to updated definitions?
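One way to check both dates from a single advanced hunting query, added here as an example and not part of the original post: pull the file evidence (hashes) attached to the alert from AlertEvidence, then look for any file or antivirus event involving those hashes across the whole window from the timeline date to the alert date. The alert id, the hash fallback and the device name are placeholders to replace with the values from the alert. Note that advanced hunting only retains 30 days of event data, so a March 10 event would stop being queryable around April 9 regardless of when the alert fired; if the query is run after that, an empty result does not mean the event never happened.

```kql
// Added example, not from the original post. Replace the placeholders below.
let alert_id = "PLACEHOLDER_ALERT_ID";          // the alert that fired on Apr 5
let fallback_sha256 = "PLACEHOLDER_SHA256";     // hash from the alert, used if AlertEvidence has none
let device = "PLACEHOLDER_DEVICE_NAME";
let window_start = datetime(2022-03-09);        // day before the timeline date
let window_end   = datetime(2022-04-06);        // day after the alert date
// Hashes of file entities attached to the alert
let evidence_hashes = AlertEvidence
    | where AlertId == alert_id and EntityType == "File" and isnotempty(SHA256)
    | distinct SHA256;
// All file interactions with those hashes in the window
let file_events = DeviceFileEvents
    | where Timestamp between (window_start .. window_end)
    | where DeviceName =~ device
    | where SHA256 in (evidence_hashes) or SHA256 == fallback_sha256
    | project Timestamp, DeviceName, Source = "DeviceFileEvents", ActionType,
              FileName, FolderPath, SHA256, InitiatingProcessFileName;
// Antivirus detections in the same window, to see when the engine actually flagged the file
let av_events = DeviceEvents
    | where Timestamp between (window_start .. window_end)
    | where DeviceName =~ device
    | where ActionType == "AntivirusDetection"
    | where SHA256 in (evidence_hashes) or SHA256 == fallback_sha256
    | project Timestamp, DeviceName, Source = "DeviceEvents", ActionType,
              FileName, FolderPath, SHA256, InitiatingProcessFileName;
file_events
| union av_events
| order by Timestamp asc
```

If the file rows appear with a March timestamp and the AntivirusDetection row (or the alert itself) only appears in April, the detection came from a later scan or signature update rather than from new activity; if nothing appears at all, compare the current date against the 30-day retention before concluding the events were never recorded.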

1 Reply

It is nice to know that MDE is looking back on such an amount of time. 

The only thing that comes to my mind is an event that happened now and MDE correlates it to an old event. However, this doesn't explain why you cannot find the evidence in the advanced query. So, still an open question, sorry.