Microsoft Tech Community

Accessing a device scan results in Defender portal

Hi,

I have been asked by our service desk: if they start a scan using the Defender portal against an onboarded device, can they see the final scan results? I believe all we can see is when the last scan completed.

Have I missed something?

Regards

Mike

3 Replies

Hi @MikeP751860,

Yes, you are correct, you won't get an ultra-detailed breakdown of the scan results right within the portal, but you can still use various reports and data related to scans and security threats on those devices. Here are the options:

1. Security Alerts: Start by checking out the "Security alerts" section within the Microsoft Defender portal. This is where you'll find info on any security incidents detected on your devices. You'll get insights into what threats were found, how severe they are, and what actions were taken. Security alerts and incidents - Microsoft Defender for Cloud | Microsoft Learn

2. Device Page: To get more device-specific details, head over to the "Devices" section in the portal. This includes recent scan results, threat history, and protection status. Device profile in Microsoft 365 security portal | Microsoft Learn

3. Reports: The portal lets you generate reports that cover scan results and threat detection in detail. These reports can provide a comprehensive view of what's been going on. 
Reports in Microsoft Defender for Business | Microsoft Learn

4. Advanced Hunting: This feature allows you to craft custom queries to fetch specific scan results and threat data. 
Overview - Advanced hunting | Microsoft Learn



Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it a Like.


Kindest regards,


Leon Pavesic

Get-MpThreatDetection can help to see detected potential threats (if any), but it would need to be run on the device. Not sure, but maybe it is worth running via live response on the Defender portal?
In the end, scan results may have a lot of entries we are not interested in; all we want to see is if anything malicious is detected.

@MikeP751860

I noticed the same. The answer from Microsoft was that when the manual scan (triggered through the portal) comes back with a hit, another incident/alert is generated. If it doesn't, then the manual scan did not find anything ... of course this is not satisfying from an admin view.

You can use Advanced Hunting to search for and create a custom alert when a scan was successful:

 

//name: Defender for Antivirus (MDAV) Scan Status
//description:
//This query will provide a report with devices and their antivirus scan status, e.g. a full scan was completed, cancelled.
//This query can also be used to create a custom detection rule to create an informational alert when a manually triggered quick or full scan was completed.
//Column StartedBy contains the following values:
//NETWORK SERVICE – Scheduled scan
//SYSTEM – Triggered manually via cloud, e.g. Intune
//USER – Triggered manually locally

DeviceEvents
| where ActionType has_any ("AntivirusScan", "AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"], StartedBy= AdditionalFields.["User"]
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType, ScanType, StartedBy
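
As an added example (not part of the reply above and not a Microsoft-provided query), the scan-status query can be extended so that each completed scan is shown next to any antivirus detections recorded on the same device shortly before it finished. It assumes the `AntivirusDetection` action type carries `ThreatName` in `AdditionalFields`; the 7-day lookback and the 4-hour correlation window are arbitrary choices to adjust.

```kusto
// Added example: completed MDAV scans with detections seen on the same device
// in the window leading up to scan completion.
let lookback = 7d;      // assumption: how far back to report
let scanWindow = 4h;    // assumption: detections this long before completion count as "this scan"
let Scans = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusScanCompleted"
    | extend AF = parse_json(AdditionalFields)
    | project ScanCompleted = Timestamp, DeviceId, DeviceName,
              ScanType = tostring(AF.ScanTypeIndex),
              StartedBy = tostring(AF.User);
let Detections = DeviceEvents
    | where Timestamp > ago(lookback + scanWindow)
    | where ActionType == "AntivirusDetection"
    | extend AF = parse_json(AdditionalFields)
    | project DetectionTime = Timestamp, DeviceId,
              ThreatName = tostring(AF.ThreatName),   // assumed field name
              FolderPath, FileName;
Scans
// To keep only cloud-triggered scans, filter on the StartedBy values listed above, e.g.:
// | where StartedBy has "SYSTEM"
| join kind=leftouter Detections on DeviceId
// Evaluate the window after the join so scans without a match are kept.
| extend InWindow = isnotnull(DetectionTime)
    and DetectionTime between ((ScanCompleted - scanWindow) .. ScanCompleted)
| summarize DetectionCount = countif(InWindow),
            Threats = make_set_if(ThreatName, InWindow),
            Files = make_set_if(strcat(FolderPath, "\\", FileName), InWindow)
    by ScanCompleted, DeviceId, DeviceName, ScanType, StartedBy
| extend Result = iff(DetectionCount == 0, "No detections in window", "Detections found")
| order by ScanCompleted desc
```

The time window is only a correlation heuristic: a detection from real-time protection during the same period will also be counted, so treat "Detections found" as a pointer to the device's alerts rather than a definitive scan report.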