How do I get notified if Defender blocked an app?

Hello guys…

My organization uses Intune and Defender XDR, and occasionally employees have apps blocked by the antivirus. I only find out about these issues when the employees inform me. How can I set up notifications in the Security panel or Intune to alert me when an app is blocked? I already receive notifications for “Incidents” and “Alerts,” but I’m not getting updates about blocked apps. Thanks…

After constructing a KQL query to find apps that have been prohibited as an action, establish a custom detection rule.
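
A query of the kind the reply above describes, as an added example that is not part of the original thread. It assumes Defender for Endpoint populates the `DeviceEvents` advanced hunting table in this tenant; the choice of `ActionType` filters is an assumption to adjust to whichever block events matter to you.

```kql
// Added example: block-type events reported by Defender for Endpoint.
// The ActionType filters below are an assumption; review the ActionType
// values present in your own tenant and tune the list before saving.
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "AntivirusDetection"                                  // Defender Antivirus detections
    or (ActionType startswith "Asr" and ActionType endswith "Blocked")      // attack surface reduction rule blocks
    or (ActionType startswith "AppControl" and ActionType endswith "Blocked") // application control blocks
// Custom detection rules need Timestamp, DeviceId and ReportId in the output
// so that each result can be mapped to a device and raised as an alert.
| project Timestamp, DeviceId, ReportId, DeviceName, ActionType,
          FileName, FolderPath, SHA256,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          AdditionalFields
```

Run it in Advanced hunting first to confirm it returns the blocks employees have reported, then save it as a custom detection rule so matches generate alerts through the notification rules already in place for "Alerts".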

I had the same issue with Intune and Defender XDR. To get notifications for blocked apps, you need to set up a policy in Intune specifically for app protection. Go to Intune > Endpoint security > Attack surface reduction > Configure > Notifications. You can customize alerts for different actions, including blocked apps. I did this and it really helped me stay on top of issues before employees even noticed.