An integrated threat protection solution designed to detect, investigate, and respond to cyber threats across Microsoft 365 services.
Hi,
I'm Ajibola, an Independent Consultant here and a Microsoft user like you. I don't work for Microsoft and cannot access any of your data on their system.
Yes, with Microsoft Defender for Endpoint and Intune, you can view the details of actions that were blocked on an endpoint in the Microsoft Defender Security Center (formerly known as the Defender Admin portal). Here's how you can access this information:
- Sign in to the Microsoft Defender Security Center (https://securitycenter.windows.com) using your Microsoft 365 admin credentials.
- In the left-hand navigation pane, click on "Incidents."
- On the "Incidents" page, you will see a list of security incidents. Look for incidents with "Blocked" actions. Click on the incident you want to investigate further.
- On the incident details page, you can see a timeline of events related to the blocked action. This timeline will show you the sequence of events leading up to the block, including the actions that were blocked.
- Click on the specific blocked action to get more details. You will see information such as the threat name, threat severity, threat ID, and the process or file that was blocked.
- To get even more details about the blocked action, click on the "Investigate" button at the top right corner of the page. This will take you to the Microsoft Defender for Endpoint portal, where you can access more advanced investigation and response capabilities.
Keep in mind that the level of detail available in the Microsoft Defender Security Center may vary depending on your organization's security settings and the specific features and capabilities enabled for your Defender for Endpoint and Intune deployments.
By investigating these blocked actions, you can identify potential threats and take appropriate actions to ensure the security of your endpoints and data. If you need further assistance, Microsoft support can provide more in-depth guidance based on your specific environment and configuration.
Kind regards, Ajibola