Forum Discussion

Anonymous's avatar
Anonymous
Jan 17, 2023

How to get the Protection History from a device

Hello,   I would like to get the Protection History without the user intervention. I don't understand why is not in the device page in Microsoft 365 Defender initially...   I tried to find a way ...
microsoft defender for endpoint
cyb3rmik3's avatar
cyb3rmik3
Icon for Microsoft rankMicrosoft
Jan 18, 2023

Hi Deleted,

 

you could try some queries at Advanced hunting > Queries > Community queries > Protection events, probably Antivirus detections would fit your search.

 

You can specify the device if you are interested in narrowing down your search with the line:
| where DeviceName contains "PLACEDEVICENAMEHERE"

 

And also narrow down recent results by specifying days (or hours):
| where Timestamp > ago(1d)

 

Hope this answers your request.

  • Anonymous's avatar
    Anonymous
    Jan 19, 2023

    cyb3rmik3Hi ! Thanks a lot for this, that help me a lot !

     

    Question : Is it a way to add the "Affected Item" & "Detail" of the detection ?

     

    Regards

    • cyb3rmik3's avatar
      cyb3rmik3
      Icon for Microsoft rankMicrosoft
      Jan 20, 2023

      Hello Deleted,

       

      I am not quite sure that you can get that information exactly as it is stored locally. However, you may try the following query which brings the title of the alert and the related information about filename and path.

       

      AlertEvidence
      | where Timestamp > ago(3d) // Define days or hours
      | where EntityType contains "File"
      | where DetectionSource contains "Antivirus"
      | project Title, FolderPath, FileName
       
      I truly hope this will help you in some way.

Resources