Forum Discussion
Microsoft Defender Antivirus Modes
- Oct 11, 2022
- Clive_Watson Oct 11, 2022 Bronze Contributor
Qusai_Ismail I would have thought this query is closer to the ask:
Microsoft-365-Defender-Hunting-Queries/Endpoint Agent Health Status Report.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub
However, the table (DeviceTvmSecureConfigurationAssessment) isn't one you can (today) connect to Sentinel using the built-in Preview connector, so you only have the data on security.microsoft.com rather than Sentinel to generate an Alert there.
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/MD%20AV%20Signature%20and%20Platform%20Version.md
- Qusai_Ismail Oct 11, 2022 Brass Contributor
Thanks, but it's for Defender Hunting; we need to make a rule for a periodic check.
- Jonhed Oct 11, 2022 Iron Contributor
Like Clive said, this table is only available on security.microsoft.com, so the best option would be to just use a custom detection rule there. This can create MDE incidents when a device with AV disabled is found, and this incident can then be synced to Sentinel through the M365D connector if you want it over there.