What do people use for alerting on out of date signatures for Windows Server on-prem? I'm looking to see if this Advanced Hunting query below can be adjusted to alert on out of date signatures.
Our on-prem Win Servers are administered by GPO and updates are from SCCM, but switching over to WSUS. The order is: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC
I'm curious what others are using.
Built in query.
// 'This query will identify the Microsoft Defender Antivirus Security Intelligence version, Security Intelligence up to date value, Engine version, Engine up to date value, Product version (aka Platform version),Product (aka Platform) up to date value, Security Intelligence publish/build timestamp, Security intel refresh timestamp and provide a list of devices with these details.'
let expiringPublishdate = ago(8d);
union DeviceTvmInfoGathering
| extend AvMode = iif(tostring(AdditionalFields.AvMode) == '0', 'Active', iif(tostring(AdditionalFields.AvMode) == '1', 'Passive',iif(tostring(AdditionalFields.AvMode) == '2', 'Disabled', iif(tostring(AdditionalFields.AvMode) == '5', 'PassiveAudit',iif(tostring(AdditionalFields.AvMode) == '4', 'EDR Blocked' ,'Unknown')))))
| extend AvIsSignatureUpToDateTemp = tostring(AdditionalFields.AvIsSignatureUptoDate), DataRefreshTimestamp= Timestamp,
AvIsPlatformUptodateTemp=tostring(AdditionalFields.AvIsPlatformUptodate),
AvIsEngineUptodateTemp = tostring(AdditionalFields.AvIsEngineUptodate),
AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
AvSignatureVersion = tostring(AdditionalFields.AvSignatureVersion),
AvEngineVersion = tostring(AdditionalFields.AvEngineVersion),
AvPlatformVersion = tostring(AdditionalFields.AvPlatformVersion)
| extend AvIsSignatureUpToDate = iif(((((isnull(AvIsSignatureUpToDateTemp)
or (isnull(AvSignatureDataRefreshTime)))
or (isnull(AvSignaturePublishTime))))
or (AvIsSignatureUpToDateTemp == "true"
and AvSignaturePublishTime < expiringPublishdate)), "Unknown", tostring(AvIsSignatureUpToDateTemp))
| extend AvIsEngineUpToDate = iif(((((isnull(AvIsEngineUptodateTemp)
or (isnull(AvSignatureDataRefreshTime)))
or (isnull(AvSignaturePublishTime)))
or (AvSignatureDataRefreshTime < expiringPublishdate))
or (AvSignaturePublishTime < expiringPublishdate)), "Unknown", tostring(AvIsEngineUptodateTemp))
| extend AvIsPlatformUpToDate = iif(((((isnull(AvIsPlatformUptodateTemp)
or (isnull(AvSignatureDataRefreshTime)))
or (isnull(AvSignaturePublishTime)))
or (AvSignatureDataRefreshTime < expiringPublishdate))
or (AvSignaturePublishTime < expiringPublishdate)), "Unknown", tostring(AvIsPlatformUptodateTemp))
| project DeviceId, DeviceName, DataRefreshTimestamp, OSPlatform, AvMode, AvSignatureVersion, AvIsSignatureUpToDate, AvEngineVersion, AvIsEngineUpToDate, AvPlatformVersion , AvIsPlatformUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
//| where DataRefreshTimestamp between (datetime("2022-07-19 00:00:00") .. datetime("2022-07-19 18:01:00"))
| where DataRefreshTimestamp > ago(6h) and OSPlatform contains "WindowsServer"
| order by DeviceName asc
| limit 10000
