cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Microsoft Defender Antivirus Modes

Qusai_Ismail
Brass Contributor

‎Oct 10 2022 11:47 PM

‎Oct 10 2022 11:47 PM

Microsoft Defender Antivirus Modes

Hello,

 

Is there a way from Microsoft Sentinel using a Query to check when a device turn off the Defender Antivirus.

 

 

BR,

 

1,975 Views
0 Likes
4 Replies
Reply
4 Replies
Qusai_Ismail

‎Oct 11 2022 01:33 AM

‎Oct 11 2022 01:33 AM

Re: Microsoft Defender Antivirus Modes

Thanks, but it's for Defender Hunting, we need to make a rule for periodic check.
0 Likes
Reply
best response confirmed by Qusai_Ismail (Brass Contributor)
Clive_Watson

‎Oct 11 2022 02:22 AM

‎Oct 11 2022 02:22 AM

Solution

Re: Microsoft Defender Antivirus Modes

@Qusai_Ismail I would have thought this query is closer to the ask

Microsoft-365-Defender-Hunting-Queries/Endpoint Agent Health Status Report.md at master · microsoft/...

However, the Table (DeviceTvmSecureConfigurationAssessment) isn't one you can (today) connect to Sentinel using the bult-in Preview connector, so you only have the data on security.microsoft.com rather than Sentinel to generate an Alert there. 

Clive_Watson_0-1665479512839.png

 

0 Likes
Reply
Jonhed

‎Oct 11 2022 09:14 AM

‎Oct 11 2022 09:14 AM

Re: Microsoft Defender Antivirus Modes

Like Clive said, this table is only available on security.microsoft.com, so the best option would be to just use a custom detection rule there. This can create MDE incidents when a device with AV disabled is found, and this incident can then be synced to Sentinel through the M365D connector if you want it over there.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Qusai_Ismail (Brass Contributor)
Clive_Watson

‎Oct 11 2022 02:22 AM

‎Oct 11 2022 02:22 AM

Solution

Re: Microsoft Defender Antivirus Modes

@Qusai_Ismail I would have thought this query is closer to the ask

Microsoft-365-Defender-Hunting-Queries/Endpoint Agent Health Status Report.md at master · microsoft/...

However, the Table (DeviceTvmSecureConfigurationAssessment) isn't one you can (today) connect to Sentinel using the bult-in Preview connector, so you only have the data on security.microsoft.com rather than Sentinel to generate an Alert there. 

Clive_Watson_0-1665479512839.png

 

View solution in original post

0 Likes
Reply