Microsoft Tech Community
SOLVED

MDE Alerts tab and quarantine files location

Copper Contributor

Hello,


I have a few questions that I hope you can help clarify.

  1. Filtering MDE Alerts by Detection Source: In Microsoft Defender for Endpoint (MDE), is it possible to filter alerts based on their detection source? Specifically, if we want to view only those alerts generated by MDE itself, how can we achieve that? Any guidance on this would be greatly appreciated.

  2. Quarantine Location in MDE: According to a Google search, the quarantine location for MDE is specified as "/ProgramData/Microsoft/Windows Defender/Quarantine". Could you please confirm if this information is accurate? If there's an official reference from Microsoft documentation, I would appreciate it if you could share the link.

Regards,

2 Replies
best response confirmed by drivesafely (Copper Contributor)
Solution

Hello @drivesafely,


The Alerts page (https://security.microsoft.com/alerts) supports filtering by Product name, which can be helpful if you're looking for MDE alerts without specifying the exact source within the MDE product. You can achieve that by clicking on the "Add filter" option and choosing Product name.

If you're still looking for a Detection Source filter, you can export the Alerts page and filter in Excel.


Or, to filter alerts by detection source, you can use the following Advanced Hunting query:

AlertInfo
// Replace "Source" with the detection source you want, for example "EDR" or "Antivirus"
| where DetectionSource == "Source"
| project AlertId, Timestamp, DetectionSource, Title, Severity, Category
| sort by Timestamp desc


The quarantine location you mentioned for MDAV is correct. Note that it is recommended to only interact with the Quarantine folder through the Microsoft Defender/Windows Security app.


Best regards,

Adel
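As an added example that is not part of Adel's reply: the query below combines both filters the answer mentions. ServiceSource identifies the product that raised the alert (this is what the portal's Product name filter maps to), while DetectionSource identifies the component inside MDE. The column names follow the published AlertInfo schema; the literal "Microsoft Defender for Endpoint" and the values "EDR" and "Antivirus" in the allow-list are the ones I expect MDE to report, so treat them as assumptions and confirm them in your tenant with a plain `summarize count() by ServiceSource, DetectionSource` first.

```kql
// Added example, not from the original post. Column names follow the documented
// AlertInfo schema; the ServiceSource literal and the DetectionSource values in
// wanted_sources are what I expect MDE to report - verify them in your tenant.
let lookback = 7d;
// Hypothetical allow-list of MDE components. Set it to dynamic([]) to keep
// every detection source that MDE reports.
let wanted_sources = dynamic(["EDR", "Antivirus"]);
AlertInfo
| where Timestamp > ago(lookback)
// ServiceSource is the product that raised the alert. This line drops alerts
// from Defender for Office 365, Identity, Cloud Apps and XDR correlation, so
// only alerts generated by MDE itself remain.
| where ServiceSource == "Microsoft Defender for Endpoint"
// DetectionSource is the component inside MDE (EDR, Antivirus, SmartScreen, ...).
| where array_length(wanted_sources) == 0 or DetectionSource in (wanted_sources)
// Breakdown per component and severity; dcount guards against duplicate rows.
| summarize AlertCount = dcount(AlertId), Latest = max(Timestamp)
    by DetectionSource, Severity
| sort by AlertCount desc
// To list the individual alerts instead of the breakdown, replace the
// summarize line with:
//   | project AlertId, Timestamp, ServiceSource, DetectionSource, Title, Severity, Category
```

Run it first with `wanted_sources` empty: the resulting DetectionSource column tells you exactly which values exist in your tenant, which is safer than guessing literals from documentation.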


@AdelAlDabbas 


Thanks for the response and guidance.

I would like to take this opportunity to ask a question related to alert notifications via email. We have configured the same, and receive quite limited information in the email. Is there a way to natively configure MDE to include more of the details we want in the email itself when it is sent for an alert?

Regards,
