SCEP Antimalware detection history view does not show accurate remediation detail
The v_AM_NormalizedDetectionHistory view in the SCCM database does not accurately reflect the RemediationType for detected threats. It almost always shows NoAction, even though the threat was quarantined or removed.
We are using this view to report status to our SIEM system, and our security team would prefer that it actually show how the threat was remediated.
I am currently dealing with the same issue.
We are experiencing this behavior as well. Exactly as stated, and the alerts show NoAction 95 percent of the time. We need more clear status on these. Defender is doing its job, so we should see the remediation status reflect this.
I've also experienced this issue, and the alerts being sent out by Endpoint Protection almost always say "NoAction"; when we check them closer, they have been quarantined. Why is this?