For anyone using MS365 Defender: I have written this query to identify devices in an organization that are still running the bad AV signature versions. Posting it in case anyone finds it useful:
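// Search for AV signature versions listed by Microsoft as affected by the
// defect where Defender AV and ASR rules detected legitimate links as threats.
// Information gathered from https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/recovering-from-attack-surface-reduction-rule-shortcut-deletions/ba-p/3716011
// The list covers 1.381.2134.0 through 1.381.2160.0 inclusive; a device on any
// other version is not reported, so extend the list if Microsoft amends it.
let avSigList = dynamic(["1.381.2134.0", "1.381.2135.0", "1.381.2136.0", "1.381.2137.0", "1.381.2138.0", "1.381.2139.0", "1.381.2140.0",
"1.381.2141.0", "1.381.2142.0", "1.381.2143.0", "1.381.2144.0", "1.381.2145.0", "1.381.2146.0", "1.381.2147.0", "1.381.2148.0", "1.381.2149.0", "1.381.2150.0",
"1.381.2151.0", "1.381.2152.0", "1.381.2153.0", "1.381.2154.0", "1.381.2155.0", "1.381.2156.0", "1.381.2157.0", "1.381.2158.0", "1.381.2159.0", "1.381.2160.0"]);
DeviceTvmInfoGathering
// Scope kept to Windows 10 as in the original query; 'contains' is
// case-insensitive, so "Windows10"/"windows10" both match.
| where OSPlatform contains "windows10"
// AdditionalFields is a property bag; read the signature version from it directly.
// No self-join on DeviceId and no mv-expand are needed: both only multiply the
// rows per device (and the join duplicates every column) before summarize
// collapses them again.
| extend AvSigVersion = tostring(todynamic(AdditionalFields).AvSignatureVersion)
// tostring() of a missing property yields an empty string rather than null,
// so isnotempty() is the check that actually drops devices with no reported
// version; isnotnull() would let them through.
| where isnotempty(AvSigVersion)
// 'in' is case-sensitive, which is fine for purely numeric version strings.
| where AvSigVersion in (avSigList)
// One row per device/version. summarize keeps only the listed columns, so no
// project-away is needed. LastSeenTime is kept so stale records can be spotted;
// NOTE(review): if this table retains more than one row per device, use
// summarize arg_max(LastSeenTime, *) by DeviceId to report only the latest.
| summarize by DeviceName, AvSigVersion, OSPlatform, DeviceId, LastSeenTime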
Thanks!