Use case to check for newly installed applications on Windows devices

Hi,

I need to build a use case to detect and create an alert (weekly for example) for newly installed applications on my Windows workstations and servers.

On the TVM I have the list of installed applications with versioning, but I don't have the install date.
From the event viewer of each machine I can extract the event logs from application installations with their event dates.

Is it possible to create some use case with a custom defender query to check all onboarded machines for all new installed ap

1 Reply
Hello dmarquesgn! I am not 100% sure this will be totally accurate at the moment, but I think you might be able to get newly detected software after a specified datetime by using the export software inventory API. If you look at the parameters in section 1.6.1 you'll notice an option for sincetime. You can also use it without that parameter and you'll be able to get the time it was first seen in the softwareFirstSeenTimestamp field. doc: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-in...
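
A sketch of the weekly check the reply points toward, added here as an example and not part of the original thread: it takes records already fetched from the software inventory export and sorts entries whose softwareFirstSeenTimestamp falls in the last seven days into new, upgrade and baseline, going one step beyond the reply by setting aside devices that only just appeared so they do not flood the alert. Every field name other than softwareFirstSeenTimestamp, the timestamp formats and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def rec(device, name, version, first_seen):
    # Assumed record shape; only softwareFirstSeenTimestamp is named in the reply.
    return {"deviceName": device, "softwareName": name,
            "softwareVersion": version, "softwareFirstSeenTimestamp": first_seen}

# Constructed sample data (not real inventory output).
CURRENT = [
    rec("ws-01", "windows_10", "10.0.19045", "2024-01-10 08:00:00"),
    rec("ws-01", "7-zip", "23.01", "2024-03-12 09:15:00"),
    rec("ws-01", "chrome", "122.0", "2024-03-13 14:30:00"),
    rec("srv-02", "windows_server_2019", "10.0.17763", "2024-03-14 10:00:00"),
    rec("srv-02", "sql_server", "15.0", "2024-03-14 10:05:00"),
    rec("srv-02", "putty", "0.80", "2024-03-16T11:00:00Z"),
]
PREVIOUS = [rec("ws-01", "windows_10", "10.0.19045", "2024-01-10 08:00:00"),
            rec("ws-01", "chrome", "121.0", "2024-02-20 07:45:00")]  # last week

def parse_ts(value):
    """Parse a timestamp; values without an offset are treated as UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def weekly_report(records, now, previous=(), days=7, slack=timedelta(hours=24)):
    """Sort software first seen in the last `days` into new/upgrade/baseline."""
    start = now - timedelta(days=days)
    known = {(r["deviceName"], r["softwareName"]) for r in previous}
    by_device = defaultdict(list)
    for r in records:
        by_device[r["deviceName"]].append((parse_ts(r["softwareFirstSeenTimestamp"]), r))
    report = {"new": [], "upgrade": [], "baseline": []}
    for device, rows in by_device.items():
        device_first = min(ts for ts, _ in rows)
        for ts, r in rows:
            if not start <= ts <= now:
                continue
            item = (device, r["softwareName"], r["softwareVersion"])
            if (device, r["softwareName"]) in known:
                report["upgrade"].append(item)   # product was already there last week
            elif ts - device_first <= slack:
                report["baseline"].append(item)  # device itself first appeared now
            else:
                report["new"].append(item)       # candidate for the weekly alert
    return {kind: sorted(items) for kind, items in report.items()}

if __name__ == "__main__":
    print(weekly_report(CURRENT, datetime(2024, 3, 18, tzinfo=timezone.utc), PREVIOUS))
```

Keeping the previous week's export is what lets a version bump be told apart from a first-time install; without it, every entry inside the window on an established device is reported as new.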