Forum Discussion
Use case to check for new installed application on Windows devices
Hi,
I need to build a use case to detect and create an alert (weekly for example) for new installed application on my Windows workstations and servers.
On the TVM I have the list of installed application with versioning, but I don't have the install date.
From the event viewer of each machine I can extract the event logs from applications installations with it's event date.
Is it possible to create some use case with a custom defender query to check all onboarded machines for all new installed ap
1 Reply
- MichaelJMelone
Microsoft
Hello dmarquesgn! I am not 100% sure this will be totally accurate at the moment, but I think you might be able to get newly detected software after a specified datetime by using the export software inventory API. If you look at the parameters in section 1.6.1 you'll notice an option for sincetime. You can also use it without that parameter and you'll be able to get the time it was first seen in the softwareFirstSeenTimestamp field. doc: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-software-inventory?view=o365-worldwide#1-export-software-inventory-assessment-json-response
