Forum Discussion
KQL query for AntiVirus policy report
Hi Maddenk
One possibility is to look at what is available in the Windows Event Log:
- Applications and Services Logs > Microsoft > Windows > SENSE and click on Operational. cc https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide
- Applications and Services Logs > Microsoft > Windows > Windows Defender and click on Operational. cc https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#:~:text=Open%20Event%20Viewer.,events%20to%20find%20your%20event.
However, you may not find the information that is available through the Get-MpPreference PowerShell cmdlet.
If the goal is to have a desired state on machines managed by Azure (either within Azure or through Azure Arc), you could use https://docs.microsoft.com/en-us/powershell/dsc/getting-started/wingettingstarted?view=dsc-1.1 . If the goal is to have an overview, maybe an https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook could help.
Kind Regards,
Thomas
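An added example, not part of Thomas's reply, showing how the two sources he names (Get-MpPreference / Get-MpComputerStatus and the Defender and SENSE operational event logs) can be pulled together on a single host into one report. It assumes an elevated PowerShell session on a Windows machine with Microsoft Defender Antivirus installed; the output path and the 7-day window are arbitrary choices for illustration.

```powershell
# Added example: summarise Defender Antivirus configuration and recent config-change events.
# Assumes an elevated session on a Windows host with Defender installed (not from the original post).

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Policy-relevant settings that the event log alone does not expose
$summary = [pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    AMRunningMode             = $status.AMRunningMode
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    MAPSReporting             = $pref.MAPSReporting
    SubmitSamplesConsent      = $pref.SubmitSamplesConsent
    PUAProtection             = $pref.PUAProtection
    AntivirusSignatureVersion = $status.AntivirusSignatureVersion
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    ExclusionPathCount        = @($pref.ExclusionPath).Count
}
$summary | Format-List

# Defender operational log. Event IDs of interest for policy drift:
#   5001 = real-time protection disabled
#   5004 = real-time protection configuration changed
#   5007 = antimalware platform configuration changed
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004, 5007
    StartTime = (Get-Date).AddDays(-7)   # arbitrary 7-day window
}
# Get-WinEvent throws if no events match, so suppress that and treat an empty result as "no changes"
$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Sort-Object TimeCreated -Descending
$changes | Format-Table -AutoSize -Wrap

# SENSE (Defender for Endpoint sensor) operational log, most recent entries
Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName |
    Format-Table -AutoSize

# Export both for collection into a central overview (path is an arbitrary example)
$summary | Export-Csv -Path "$env:TEMP\defender-config-$env:COMPUTERNAME.csv" -NoTypeInformation
$changes | Export-Csv -Path "$env:TEMP\defender-changes-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run as an administrator; non-elevated sessions cannot read the SENSE log and may get an incomplete Get-MpPreference result. The CSV output is what you would ship from each host (for example via an Automation runbook) if the goal is a fleet-wide overview rather than a per-machine check.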
Thanks for the reply. I understand that you can check the event logs for the machine, but can I get the same information using a KQL query?
Also, do you know where the KQL query is pulling the ConfigurationID information from?
Thanks for the reply.