Forum Discussion
Qusai_Ismail
Oct 11, 2022 (Brass Contributor)
Microsoft Defender Antivirus Modes
Hello,
Is there a way, from Microsoft Sentinel, to use a query to check when a device turns off Defender Antivirus?
BR,
Qusai_Ismail, I would have thought this query is closer to the ask:
Microsoft-365-Defender-Hunting-Queries/Endpoint Agent Health Status Report.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub
However, the table (DeviceTvmSecureConfigurationAssessment) isn't one you can (today) connect to Sentinel using the built-in Preview connector, so you only have the data on security.microsoft.com rather than in Sentinel to generate an alert there.
4 Replies
- P4tr8k (Brass Contributor): You can try using this:
  https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/MD%20AV%20Signature%20and%20Platform%20Version.md
- Qusai_Ismail (Brass Contributor): Thanks, but that's for Defender hunting; we need to make a rule for a periodic check.
- Jonhed (Iron Contributor): Like Clive said, this table is only available on security.microsoft.com, so the best option would be to use a custom detection rule there. That can create an MDE incident when a device with AV disabled is found, and the incident can then be synced to Sentinel through the M365D connector if you want it over there.
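An added example of the custom detection approach the replies above describe; it is not code from the thread or from the linked GitHub repository. It is a KQL query meant to be saved as a custom detection rule in security.microsoft.com, so that the resulting incidents can be synced to Sentinel through the Microsoft 365 Defender connector. The ConfigurationId values (scid-2010, scid-2012, scid-2016) and the control names are taken from the linked "Endpoint Agent Health Status Report" hunting query and should be confirmed against the assessment data in your own tenant. The custom detection editor requires the query to return Timestamp, ReportId and a device identifier; DeviceTvmSecureConfigurationAssessment has no ReportId column, so one is synthesised here from a hash of device, control and timestamp, which is an assumption about what the rule editor will accept rather than a documented pattern.

```kql
// Added example, not from the original thread.
// Finds devices whose latest Defender Antivirus configuration assessment is non-compliant.
DeviceTvmSecureConfigurationAssessment
// Control IDs as used in the linked Endpoint Agent Health Status Report query (verify in your tenant):
//   scid-2010 = Antivirus enabled, scid-2012 = Real-time protection on, scid-2016 = Cloud protection on
| where ConfigurationId in ("scid-2010", "scid-2012", "scid-2016")
// Skip controls the assessment does not apply to this device (e.g. third-party AV in use)
| where IsApplicable == 1
// The table is a periodic snapshot; keep only the newest row per device and control
// so that stale non-compliant rows do not re-fire the rule every run
| summarize arg_max(Timestamp, IsCompliant, DeviceId, OSPlatform) by DeviceName, ConfigurationId
| where IsCompliant == 0
| extend Control = case(
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2012", "RealtimeProtectionOn",
    ConfigurationId == "scid-2016", "CloudProtectionOn",
    "Other")
// Custom detection rules need Timestamp, ReportId and a device column.
// Assumption: this table has no ReportId, so a stable hash stands in for it.
| extend ReportId = hash(strcat(DeviceId, ConfigurationId, tostring(Timestamp)))
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, ConfigurationId, Control, IsCompliant
```

Two caveats for anyone turning this into a rule. First, the secure configuration assessment is a point-in-time snapshot refreshed on Microsoft's schedule, not an event stream, so the rule tells you that antivirus is off at assessment time, not the moment a user or script turned it off; if you need the exact moment, the Defender operational event log on the endpoint is the place to look, and that is a separate data path from the one discussed here. Second, the rule's frequency setting determines how quickly the incident appears, so match it to how stale you can tolerate the finding being before it reaches Sentinel.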