SOLVED

Hunting query for MacOS - Antivirus version report

Hello all,

I've been testing Defender for a few weeks and I have 2 questions. 1) Is there an Antivirus version report for MacOS? 2) Are there any resources for MacOS queries?

I'm looking for an Antivirus version report for MacOS, but I only found one for Windows.

Endpoint AV version report
When running this report, the MacOS device appears in the table, but with no version information.

 


There's a report called Antivirus Agent Status on MEM and it's also Windows only.


I can retrieve MacOS client version information from Inventory > software > Find software called "Defender For Endpoint for Mac", then Export as CSV.

Version information is available on the Defender admin page, so I thought there's a way to run a query for MacOS. I'd appreciate any information on a MacOS report.

 

Thank you,

2 Replies
Hi M_Rice19044,

You can use the following query to get MacOS version information via Advanced Hunting:

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-5095" and isnotnull(Context)
| where OSPlatform == "macOS"
| extend avdata=parsejson(Context)
| extend AVSigVersion = tostring(avdata[0][0])
| extend AVEngineVersion = tostring(avdata[0][1])
| extend AVSigLastUpdateTime = tostring(avdata[0][2])
| extend AVProductVersion = tostring(avdata[0][3])
| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, AVProductVersion, IsCompliant, IsApplicable

Thanks,
Thomas
best response confirmed by M_Rice19044 (New Contributor)
Solution

@Thomas_Doucette 

Yes! It works so perfect!! Thank you so much!!!
