Why the delay in sending MAV detections?
With the recent launch of our Managed Antivirus service, we are allocating a significant amount of our human hours to decrease the time it takes to respond to detections of the highest value. Based on our daily reviews of these detections, we are making adjustments every 48 to 72 hours on how we internally operationalize Managed Antivirus detections. We are currently prioritizing detections where Defender failed to block/remediate.
An output of this work is to identify which detections are candidates for already existing automation workflows, which will lessen the time between alert ingestion and a report being published. I anticipate over the coming weeks that we will continue to make exponential progress on Managed Antivirus detections. This should, on average, bring our response times down to the response times of our long-established service offerings (persistence items, ransomware canaries, etc.).