Forum Discussion
Qusai_Ismail
Oct 11, 2022Brass Contributor
Microsoft Defender Antivirus Modes
Hello, is there a way from Microsoft Sentinel, using a query, to check when a device turns off Defender Antivirus? BR,
- Oct 11, 2022
Qusai_Ismail I would have thought this query is closer to the ask
Microsoft-365-Defender-Hunting-Queries/Endpoint Agent Health Status Report.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub
However, the table (DeviceTvmSecureConfigurationAssessment) isn't one you can (today) connect to Sentinel using the built-in Preview connector, so you only have the data on security.microsoft.com rather than in Sentinel to generate an alert there.
Qusai_Ismail
Oct 11, 2022Brass Contributor
Thanks, but it's for Defender Hunting, we need to make a rule for periodic check.
Jonhed
Oct 11, 2022Iron Contributor
Like Clive said, this table is only available on security.microsoft.com, so the best option would be to just use a custom detection rule there. This can create MDE incidents when a device with AV disabled is found, and this incident can then be synced to Sentinel through the M365D connector if you want it over there.
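As an added illustration of the approach Jonhed describes (not code from the thread or from the linked GitHub report), the following advanced-hunting query can be pasted into security.microsoft.com and saved as a custom detection rule that runs on a schedule. It assumes that ConfigurationId scid-2010 is the "Turn on Microsoft Defender Antivirus" control (the ID the Endpoint Agent Health Status Report uses for that check; confirm it against DeviceTvmSecureConfigurationAssessmentKB in your tenant before relying on it), and, because DeviceTvmSecureConfigurationAssessment has no ReportId column while custom detections require Timestamp, ReportId and DeviceId in the output, it derives a ReportId from the row (an assumption about how to satisfy that requirement, not a documented column).

```kql
// Devices whose most recent assessment says Defender Antivirus is not enabled.
// Assumption: scid-2010 = "Turn on Microsoft Defender Antivirus".
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010"
| where IsApplicable == 1
// Keep only the latest assessment per device, so a device that was
// re-enabled since an older non-compliant row does not keep firing.
| summarize arg_max(Timestamp, *) by DeviceId
| where IsCompliant == 0
// Custom detection rules need Timestamp, ReportId and DeviceId in the output.
// This table has no ReportId, so one is derived from the row (assumption).
| extend ReportId = hash(strcat(DeviceId, tostring(Timestamp)))
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform,
          ConfigurationId, IsCompliant, IsApplicable
```

Once saved as a custom detection rule with a run frequency (for example every 24 hours), each match creates an alert and incident in Microsoft 365 Defender; with the Microsoft 365 Defender connector enabled in Sentinel, those incidents are synchronized there, which is where a Sentinel analytic or automation can pick them up.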