Help with KQL / Advanced Hunting - Antivirus Scan
Hi, Trying to come up with a solution to find all devices via Advanced Hunting where a full scan was never successful. The report that can be downloaded via `Defender XDR > Reports > Device Health > Microsoft Defender Antivirus Health` as well as the device health page only provide the result of the last antivirus scan. If a device ran a full scan successfully in the past but the most recent full scan was cancelled, the report shows that the full scan failed. Here's an example of what I mean: The device health status shows "Full scan failed" with a failed scan on March 28, 2024 at 3:35:57PM. When querying the device via Advanced Hunting (see query below) I receive the information that a full scan successfully ran on March 28, 2024 at 3:35:36PM. Here's the query I am currently using; I already played around with it a little bit (distinct, summarize). I could export it to Excel and then remove duplicate entries but was hoping that can be done with KQL:

DeviceEvents
| where ActionType has_any ("AntivirusScanCompleted", "AntivirusScanCancelled")
| extend AdditionalFields = parse_json(AdditionalFields)
| extend ScanType = AdditionalFields.["ScanTypeIndex"]
| where ScanType == "Full"
| project Timestamp, DeviceName, ActionType

This is the result I would like the query to return. If any device has had an entry for `ActionType == AntivirusScanCompleted` and `ScanType == Full`, then all rows for that device should be removed.

KQL script report last reboot/reset endpoint devices (Workstations/Laptops)
Hello everyone, I'm reaching out for assistance with a challenge I'm facing in Microsoft Defender. In my organization, we have numerous endpoint devices with vulnerabilities, and I suspect that the issues may stem from either inadequate patching or misconfigured Group Policy Object (GPO) settings preventing updates or reboots. To investigate further, I need a KQL script that can generate a report showing when each endpoint device was last rebooted or reset, along with the computer name and the last user who logged in to that device. I've attempted to use the following KQL script in different ways without success:

DeviceEvents
| where ActionType == "Restarted" or ActionType == "Shutdown"
// DeviceEvents carries the event time in the Timestamp column, not EventTime
| summarize LastReboot = max(Timestamp) by DeviceName

Despite trying various approaches and searching through online forums, I haven't been able to obtain the desired results. I'm unsure if this information can be retrieved through Defender or if there's an alternative method I should explore. Any guidance or suggestions would be greatly appreciated as I work to identify and resolve these issues. Thank you for your assistance! Best regards, Sergio

Advanced hunting / KQL search for Investigation Priority (User's Score)
Hi good people, When viewing identities in Defender, under 'Investigation Priority' there is a Score. Is it possible to find this score in a KQL query at all, or is it stored in any logs that could be exported? Or is it only visible on the user's page or the 'Identities' page? Many thanks, NaF

Hunting API error: Query execution has exceeded the allowed limits.
I encounter an intermittent error when running a hunting query on https://security.microsoft.com/advanced-hunting. Although the query sometimes executes successfully, it occasionally produces the following error: "Query execution has exceeded the allowed limits. The query execution was preempted. This could possibly be due to high CPU and/or memory resource consumption. Optimize your query by following best practices and try again." I'm curious if there are any other restrictions on the number of requests other than those mentioned in the documentation? Upon reviewing the Query resource, it indicates 0 instances of excessive usage in the last 30 days for both API and portal.

How to query/report on Defender Portal admin changes to policies
Hi there, If someone makes a change to, say, the Cloud apps policies, I should be able to run an Audit report to see that change. I tried running an Audit search (from the Audit menu/blade in the Defender portal), but it didn't return any results related to the policy change. Does anyone here have an example of how to test the Defender portal audit logs? Pretty sure these logs don't go through the Sentinel data connector, so I'd like to know how to audit changes in the Defender portal. Thanks!

DeviceNetworkEvents does not refer to any known table.
When attempting to run an advanced hunting query, I'm receiving this error message at more than half of our clients. Most are on Business Premium licensing, which includes Defender for Business. Does anyone have any information regarding this error? Is this a licensing issue, or do we need to turn on more audit logs at the device level to include this table in queries?

Search in alerts and incidents fails
When trying to perform searches in Defender Incidents and Alerts, most fields are not searchable. This makes the search function mostly useless, as I often need to find out if any users in a group or with a name context. Also, Administrative Units do not appear to apply to Defender, making it even harder to find useful data. https://security.microsoft.com/alerts?tid=

How to generate an alert using an Alert policy when a "User administration activity" occurs?
As Activity alerts are being deprecated by Microsoft, I wanted to create an Alert policy for "User administration activities": In the "old" Activity alerts it was quite easy to select the corresponding activity types: How can I do the same using an Alert policy? There is nothing similar to the Activity alert types: