Oct 10 2022 11:47 PM
Hello,
Is there a way from Microsoft Sentinel, using a query, to check when a device turns off the Defender Antivirus?
BR,
Oct 11 2022 12:05 AM
Oct 11 2022 01:33 AM
Oct 11 2022 02:22 AM
Solution
@Qusai_Ismail I would have thought this query is closer to the ask
Microsoft-365-Defender-Hunting-Queries/Endpoint Agent Health Status Report.md at master · microsoft/...
However, the Table (DeviceTvmSecureConfigurationAssessment) isn't one you can (today) connect to Sentinel using the built-in Preview connector, so you only have the data on security.microsoft.com rather than Sentinel to generate an Alert there.
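An added example, not part of the reply above and not the linked report: a query for advanced hunting on security.microsoft.com that lists devices whose most recent antivirus-related assessment in DeviceTvmSecureConfigurationAssessment is non-compliant. Filtering on the `Antivirus` subcategory and joining DeviceTvmSecureConfigurationAssessmentKB for readable check names are choices made for this example.

```kql
// Added example: run in advanced hunting at security.microsoft.com,
// since the table is not available in Sentinel (see the reply above).
DeviceTvmSecureConfigurationAssessment
// Assumption: the antivirus checks are grouped under this subcategory.
| where ConfigurationSubcategory == "Antivirus"
// Keep only the newest assessment per device and per check.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, IsApplicable, IsCompliant)
    by DeviceId, ConfigurationId
// Checks that apply to the device and currently fail.
| where IsApplicable == 1 and IsCompliant == 0
// Add the human-readable name and impact of each failing check.
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationImpact
  ) on ConfigurationId
| project Timestamp, DeviceName, OSPlatform, ConfigurationId,
          ConfigurationName, ConfigurationImpact
| order by DeviceName asc, ConfigurationId asc
```

The table holds assessment results rather than change events, so `Timestamp` is when the device was last assessed, not the moment the setting was changed.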
Oct 11 2022 09:14 AM