Enable alerts but disable action on detected file


Hi,

I'm trying to enable alerts for detected malicious files (to include sending an email notification), but NOT have Defender block files or actions taken by the detected file.

I've tried enabling passive mode, which does not block malicious files, but also does not result in an alert/email being sent. When I download an EICAR file, it's allowed and no notification occurs.

When passive mode is disabled, the file is blocked and an alert/email is sent. I cannot download an EICAR file and a notification occurs.

How can I effectively "audit" Defender, whereby files are NOT blocked, but alerts are sent?

I am working on Linux devices.

Thanks.

3 Replies
Is the detection log displayed in Advanced Hunting when operating in Passive Mode?
If it is displayed, I think you can use the Custom detection rule to alert without action.

@shoando thanks for the reply. I don't see anything that says "detection logs" in my threat hunting tab. Is that the table name I should be looking for? 

@noooooooo I'm so sorry. If you don't see their events, I don't have a solution.
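One way to act on shoando's suggestion, as an added example that is not from the thread: an Advanced Hunting query that could back a custom detection rule, so that a detection raises an alert without a remediation action. It assumes that passive-mode detections on the Linux devices still surface in the DeviceEvents table as AntivirusDetection events (the point the thread leaves open) and that the AdditionalFields JSON carries ThreatName and WasRemediated.

```kusto
// Added example (not from the thread). Assumptions: passive-mode detections
// appear in DeviceEvents as ActionType "AntivirusDetection", and AdditionalFields
// is JSON carrying ThreatName and WasRemediated.
// Timestamp, DeviceId and ReportId are kept because a custom detection rule
// requires them to identify the event it alerts on.
DeviceEvents
| where Timestamp > ago(1h)                       // match the rule's run frequency
| where ActionType == "AntivirusDetection"
// Restrict to Linux devices using the latest DeviceInfo record per device
| join kind=inner (
    DeviceInfo
    | where OSPlatform == "Linux"
    | summarize arg_max(Timestamp, *) by DeviceId
    | project DeviceId, OSPlatform
) on DeviceId
| extend Details = parse_json(AdditionalFields)
| extend ThreatName = tostring(Details.ThreatName),
         WasRemediated = tobool(Details.WasRemediated)
// In passive mode the expectation is WasRemediated == false: detected, not blocked
| where WasRemediated == false or isnull(WasRemediated)
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform,
          FileName, FolderPath, SHA1, ThreatName, WasRemediated,
          InitiatingProcessFileName, InitiatingProcessAccountName
```

Save it as a custom detection rule with no response actions selected, so the rule only creates an alert (and whatever email notification is configured for alerts), which is the audit-style behaviour the question asks for. Run it first as a plain query while downloading the EICAR file in passive mode to confirm the events actually appear before relying on the rule.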