Jan 17 2023 01:20 PM
Hello,
I would like to get the Protection History without user intervention. I don't understand why it is not in the device page in Microsoft 365 Defender initially...
I tried to find a way to do it in Advanced hunting, but it's new for me; if someone has the command, thanks in advance.
I tried with Live response, but you can only use the CMD (is there a way to initiate Live response with PowerShell?), run a PowerShell script and try to get the output file, but I got the error every time: Empty file, even if I do a -outfile with my PP script and try to get this specific file...
Can someone help me please :) ?
Thanks
Jan 17 2023 10:53 PM
Hi @EtienneFiset,
you could try some queries at Advanced hunting > Queries > Community queries > Protection events, probably Antivirus detections would fit your search.
You can specify the device if you are interested in narrowing down your search with the line:
| where DeviceName contains "PLACEDEVICENAMEHERE"
And also narrow down recent results by specifying days (or hours):
| where Timestamp > ago(1d)
Hope this answers your request.
Jan 19 2023 07:27 AM
@cyb3rmik3 Hi! Thanks a lot for this, that helps me a lot!
Question: Is there a way to add the "Affected Item" & "Detail" of the detection?
Regards
Jan 20 2023 01:02 AM
Hello @EtienneFiset,
I am not quite sure that you can get that information exactly as it is stored locally. However, you may try the following query which brings the title of the alert and the related information about filename and path.
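As an added illustration of the approach discussed in this thread (not the query either poster provided), the script below pairs an Advanced hunting KQL query for antivirus detections with a small Python routine that maps the result rows to the "Affected Item" / "Detail" view. The API URL, the AdvancedQuery permission, and the ThreatName / WasRemediated keys inside AdditionalFields are assumptions; the sample rows are constructed.

```python
import json
import urllib.request

# KQL for Advanced hunting: antivirus detections with the affected file and the
# raw AdditionalFields JSON, which is where the threat name (the "Detail") lives.
AV_DETECTIONS_KQL = """
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| where DeviceName contains "PLACEDEVICENAMEHERE"
| project Timestamp, DeviceName, FileName, FolderPath, AdditionalFields
| order by Timestamp desc
"""

# Assumed Advanced hunting API endpoint; the bearer token comes from an app
# registration granted the AdvancedQuery.Read.All permission.
HUNTING_URL = "https://api.securitycenter.microsoft.com/api/advancedhunting/run"


def run_hunting_query(token, query=AV_DETECTIONS_KQL):
    """POST the query and return the 'Results' rows (needs network and a token)."""
    body = json.dumps({"Query": query}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(HUNTING_URL, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["Results"]


def summarize_detections(rows):
    """Map result rows to the 'Affected item' / 'Detail' columns of Protection History."""
    out = []
    for row in rows:
        try:  # AdditionalFields is a JSON string and may be null or malformed
            extra = json.loads(row.get("AdditionalFields") or "{}")
        except json.JSONDecodeError:
            extra = {}
        folder = (row.get("FolderPath") or "").rstrip("\\")  # FolderPath excludes the file name
        name = row.get("FileName") or ""
        out.append({
            "timestamp": row["Timestamp"],
            "device": row["DeviceName"],
            "affected_item": f"{folder}\\{name}" if folder else name,
            "detail": extra.get("ThreatName", "unknown"),      # assumed key name
            "remediated": bool(extra.get("WasRemediated", False)),  # assumed key name
        })
    return out


# Constructed sample rows shaped like the API's "Results" array (not real data).
SAMPLE_ROWS = [
    {"Timestamp": "2023-01-17T13:20:00Z", "DeviceName": "ws01.contoso.local",
     "FileName": "eicar.com", "FolderPath": "C:\\Users\\alice\\Downloads\\",
     "AdditionalFields": '{"ThreatName":"Virus:DOS/EICAR_Test_File","WasRemediated":true}'},
    {"Timestamp": "2023-01-16T08:05:00Z", "DeviceName": "ws02.contoso.local",
     "FileName": "setup.exe", "FolderPath": "", "AdditionalFields": None},
]
```

Running `summarize_detections(run_hunting_query(token))` on a schedule gives the Protection History view without anyone logging on to the device.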