How to get the Protection History from a device

Hello,

I would like to get the Protection History without user intervention. I don't understand why it is not on the device page in Microsoft 365 Defender in the first place...

I tried to find a way to do it in Advanced hunting, but it's new to me. If someone has the command, thanks in advance.

I tried with Live response, but you can only use the CMD (is there a way to initiate Live response with PowerShell?). I ran a PowerShell script and tried to get the output file, but every time I got the error "Empty file", even when I use -OutFile in my PS script and try to get that specific file...

Can someone help me please? :)

Thanks

3 Replies

Hi @EtienneFiset,

You could try some queries at Advanced hunting > Queries > Community queries > Protection events; "Antivirus detections" would probably fit your search.

You can specify the device if you are interested in narrowing down your search with the line:
| where DeviceName contains "PLACEDEVICENAMEHERE"

And also narrow down recent results by specifying days (or hours):
| where Timestamp > ago(1d)

Hope this answers your request.

@cyb3rmik3 Hi! Thanks a lot for this, it helps me a lot!

Question: Is there a way to add the "Affected Item" & "Detail" of the detection?

Regards

Hello @EtienneFiset,

I am not quite sure that you can get that information exactly as it is stored locally. However, you may try the following query, which brings the title of the alert and the related information about filename and path.

AlertEvidence
| where Timestamp > ago(3d) // Define days or hours
| where EntityType contains "File"
| where DetectionSource contains "Antivirus"
| project Title, FolderPath, FileName

I truly hope this will help you in some way.
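As an added example (not code from either poster), the same idea taken one step further: the "Antivirus detections" community query is based on the DeviceEvents table, and its AdditionalFields JSON carries the detection details that the Protection History shows, which gets closer to the "Affected Item" and "Detail" columns asked about. The device name is a placeholder, and the ThreatName key inside AdditionalFields is an assumption to verify against your tenant's data.

```kql
// Added example: antivirus detections for one device, with the threat detail
// pulled out of the AdditionalFields JSON. Not from the original thread.
let lookback = 7d;                        // time window, adjust as needed
let device = "PLACEDEVICENAMEHERE";       // placeholder hostname
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "AntivirusDetection"
| where DeviceName contains device
| extend Parsed = parse_json(AdditionalFields)
// ThreatName is assumed to be present in AdditionalFields for this action type
| extend ThreatName = tostring(Parsed.ThreatName)
| project Timestamp, DeviceName, ThreatName, FileName, FolderPath, SHA1,
          InitiatingProcessFileName, ReportId
| order by Timestamp desc
```

If a column comes back empty, run the query without the project line once and inspect the raw AdditionalFields value to see which keys the event actually carries.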