SOLVED

Devices with malware detections Report

New Contributor

Hi, in our MDE portal the 'Devices with malware detections' contains a few devices which supposedly have active malware, however, the devices do not have any (active) alerts in Defender for Endpoint. It seems the information in the report is gathered from Intune, but the same information is displayed there and does not provide any further indications other than the threat name. How/where can I find the alerts associated with the 'active malware', if they are not in Defender for Endpoint?

2 Replies
@Juulw
I have encountered the same issue in my tenant as well, where in Intune I can see devices with active malware; however, when I go to the MDE portal, I can't see any active alerts on the devices.

To validate the same, I checked for the presence of malware on the machines as well by going to the Windows Security app on the device; however, I couldn't find anything on the device either.

This seems to be a bug on the Microsoft reporting side which needs to be highlighted to Microsoft.
best response confirmed by Juulw (New Contributor)
Solution
While reverse engineering the reports in M365D I was able to find out that the 'Devices with malware detections' report contains hosts that were active within the last 24h and had malware detections within at least the past 15 days, but that might be a longer period. I used the following query:

DeviceInfo
//| summarize by DeviceName
// Devices that reported in since the start of the chosen day (the report's 24h "active" window)
| where Timestamp > startofday(datetime(2021-11-15 00:00:01))
// Keep only devices that also have alert evidence within the last 15 days
| join (AlertEvidence | where Timestamp > ago(15d)) on DeviceName
// One row per device with the number of matching evidence records
| summarize count() by DeviceName
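An added advanced hunting query (not from the original post or from Microsoft) that generalises the rule above: it uses relative time windows instead of a fixed date, joins on DeviceId rather than DeviceName, and lists the alert IDs, titles and threat families that put each device on the report, so the "active malware" entry can be traced back to concrete alerts in the portal. The table and column names (DeviceInfo, AlertEvidence, ThreatFamily, AlertId) are the standard Microsoft 365 Defender schema; the window lengths are taken from the finding in the post and are assumptions about how the report is built.

```kql
// Added example, not part of the original thread.
// Reconstructs the report's membership rule: seen in the last 24h AND
// alert evidence in the last 15 days (assumed from the finding above).
let lookback_active = 1d;    // "active within the last 24h"
let lookback_alerts = 15d;   // "detections within at least the past 15 days"
let ActiveDevices =
    DeviceInfo
    | where Timestamp > ago(lookback_active)
    | summarize LastSeen = max(Timestamp) by DeviceId;
AlertEvidence
| where Timestamp > ago(lookback_alerts)
| join kind=inner ActiveDevices on DeviceId   // DeviceId is stable; DeviceName can be reused
| summarize
    DetectionCount = count(),
    FirstDetection = min(Timestamp),
    LastDetection  = max(Timestamp),
    Threats        = make_set(ThreatFamily),  // may contain "" for evidence without a family
    AlertIds       = make_set(AlertId),       // use these to open the alert in the portal
    AlertTitles    = make_set(Title),
    Severities     = make_set(Severity)
    by DeviceName, LastSeen
| order by LastDetection desc
```

If a device appears here with only resolved or informational alerts, that explains why it shows on the report while no active alert is visible: the report counts historical evidence in the window, not the current alert status. Devices listed on the report but absent from this output would point at the reporting gap the earlier reply describes.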