
Microsoft Defender for Endpoint has great automation capabilities, and you can alert using custom detection rules.

Put that together and you can trigger many on-client events using those custom detections. This could be to isolate the device from the network, start an automated investigation, collect an investigation package, restrict app execution or run a full antivirus scan on the device in question.

But how do you know if Microsoft Defender Antivirus has finished scanning the device?

Just search for "AntivirusScan" in the device timeline. You should find at least two events after you triggered the AV scan:

AntivirusScanResponse: this is the indication that the agent has received the command to scan the device.

Windows Defender Antivirus scan completed: this event is triggered when the Microsoft Defender Antivirus agent has completed the job.

As you can see in the following screenshot, the "AntivirusScanResponse" event is not always present before an AV scan has completed. This is because scheduled scans do not have this trigger and just the final scan result is reported.

The first event is nothing I could pinpoint using advanced hunting. The second one can be found in the DeviceEvents table.

Devices without successful AV scan in the last n days // As of 27.
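The query the title "Devices without successful AV scan in the last n days" describes, written out here as an added example and not the author's own query. It assumes that the scan-completed event lands in the DeviceEvents table with ActionType "AntivirusScanCompleted" (confirm the value against the schema reference in your tenant), and it keeps the Timestamp, DeviceId and ReportId columns so the result can be used directly in a custom detection rule whose response action is a full antivirus scan:

```kql
// Added example (not the post's query): devices with no completed
// Defender Antivirus scan in the last n days.
// Assumption: completed scans (manual or scheduled) are recorded in
// DeviceEvents with ActionType == "AntivirusScanCompleted".
let lookback = 7d;                          // the "n days"; adjust to your policy
let scanned = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusScanCompleted"
    | summarize LastScanCompleted = max(Timestamp) by DeviceId;
DeviceInfo
| where Timestamp > ago(lookback)
// one row per device: its most recent heartbeat and the matching ReportId
| summarize arg_max(Timestamp, DeviceName, OSPlatform, ReportId) by DeviceId
// keep only devices that have no scan-completed event in the window
| join kind=leftanti scanned on DeviceId
// custom detection rules need Timestamp, DeviceId and ReportId in the output
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform
```

Because only the completion event is matched, scheduled scans (which never produce "AntivirusScanResponse") count as successful just like manually triggered ones. Devices that have not reported to DeviceInfo at all during the window are not returned by this query; widen the DeviceInfo time filter if you also want those surfaced.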
