Enable alerts but disable action on detected file

noooooooo · ‎Mar 15 2021

Hi,

I'm trying to enable alerts for detected malicious files (to include sending an email notification), but NOT have Defender block files or actions taken by the detected file.

I've tried enabling passive mode which does not block malicious files, but also does not result in an alert/email being sent. When I download an EICAR file, it's allowed and not notification occurs.

When passive mode is disabled, the file is blocked and an alert/email is sent. I cannot download an EICAR file and a notification occurs.

How can I effectively "audit" Defender, whereby files are NOT blocked, but alerts are sent?

I am working on Linux devices.

Thanks.

shoando · ‎Mar 15 2021

Is the detection log displayed in Advanced Hunting when operating in Passive Mode?
If it is displayed, I think you can use the Custom detection rule to alert without action.

noooooooo · ‎Mar 16 2021

@shoando thanks for the reply. I don't see anything that says "detection logs" in my threat hunting tab. Is that the table name I should be looking for?

shoando · ‎Mar 17 2021

@noooooooo I'm so sorry, If you don't see their events I don't have a solution.

Enable alerts but disable action on detected file

Enable alerts but disable action on detected file

Re: Enable alerts but disable action on detected file

Re: Enable alerts but disable action on detected file

Re: Enable alerts but disable action on detected file

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Enable alerts but disable action on detected file