Advanced hunting
2 Topics

Defender AV - Active/Passive Mode - Advanced Hunting
While researching how to verify if Defender AV is in active or passive mode, I found an Advanced Hunting query that searches "DeviceTvmSecureConfigurationAssessment" and then filters "ConfigurationId" by "scid-2010", as the "Context" column contains the status of Defender AV. So far, I discovered that:
"0" = Defender AV is active
"1" = Defender AV is passive
"4" = Defender AV is in "EDR Block Mode"
I am not sure what "Unknown" in the "Context" column means though. Does it mean that Defender AV is not installed, or that it was manually disabled (via registry keys, GPO, ...), or that it is running but not reporting?

Interval of ReportID used
Hi. Regarding the ReportID for AdvancedHunting, the docs state the following: """ Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. """ When will the ReportID be repeated? I want to identify the event using the ReportID and Table listed in the DeviceAlertEvent. But multiple ReportIDs exist on the same device and cannot be identified. Maybe I need to narrow down the Timestamp. Is there a better way? Thanks,
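For the first topic above (Defender AV active/passive mode), an added Advanced Hunting query that is not the poster's own: it reports the latest scid-2010 assessment per device and labels the mode using the Context values the post reports, while any other value (including "Unknown") is surfaced unmapped so it can be investigated instead of being silently collapsed. Column names are taken from the DeviceTvmSecureConfigurationAssessment schema; the assumption that the first element of the Context array holds the mode value is mine.

```kusto
// Added example (not from the post): Defender AV running mode per device from scid-2010.
// Mapping of Context values follows what the post reports: 0 = active, 1 = passive,
// 4 = EDR block mode. Anything else is kept visible as "Unmapped (<value>)".
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId == "scid-2010"
// Context is a dynamic array; assumption: its first element carries the AV mode value
| extend AvMode = tostring(Context[0])
| extend AvModeName = case(
    AvMode == "0", "Active",
    AvMode == "1", "Passive",
    AvMode == "4", "EDR block mode",
    strcat("Unmapped (", AvMode, ")"))
// keep only the most recent assessment row per device
| summarize arg_max(Timestamp, *) by DeviceId
| project Timestamp, DeviceName, OSPlatform, IsCompliant, AvMode, AvModeName
// unmapped/unknown devices sort together at the bottom for follow-up
| order by AvModeName asc, DeviceName asc
```

Devices that land in the "Unmapped" bucket are the ones worth checking against a second source (for example the device's AV signature or health events) rather than assuming they are unprotected.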