Microsoft Defender Antivirus detection events record that malware or a potentially unwanted application was found on a device; they may point to active malicious activity or to an attempted evasion of the endpoint's defences. Proactively hunting for such events in Azure Sentinel can help identify and mitigate advanced threats that bypass traditional detection mechanisms.
KQL Query

```kusto
DeviceEvents
| where ActionType == "AntivirusDetection"
| extend ParsedFields=parse_json(AdditionalFields)
| project ThreatName=tostring(ParsedFields.ThreatName),
  WasRemediated=tobool(ParsedFields.WasRemediated),
  WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected),
  FileName, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine,
  DeviceName, Timestamp
| limit 100
```
```yaml
id: aa9ad4ae-a19a-4262-b151-8a723227bc4e
name: Antivirus detections
description: |
  Query for Microsoft Defender Antivirus detections.
  Query #1: Query for Antivirus detection events.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  DeviceEvents
  | where ActionType == "AntivirusDetection"
  | extend ParsedFields=parse_json(AdditionalFields)
  | project ThreatName=tostring(ParsedFields.ThreatName),
    WasRemediated=tobool(ParsedFields.WasRemediated),
    WasExecutingWhileDetected=tobool(ParsedFields.WasExecutingWhileDetected),
    FileName, SHA1, InitiatingProcessFileName, InitiatingProcessCommandLine,
    DeviceName, Timestamp
  | limit 100
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
**Scenario:** Scheduled Antivirus Scan Execution
**Description:** A legitimate scheduled scan initiated by Microsoft Defender Antivirus can trigger alerts due to the high volume of files being scanned.
**Filter/Exclusion:** `process.parent_process == "Microsoft Defender Antivirus Service"` or `process.name == "MsMpEng.exe"`, with the condition that the process is running as the system account or a known antivirus service account.

**Scenario:** Windows Update or Patching Job
**Description:** During a Windows Update or patching process, Microsoft Defender may scan newly deployed files, leading to false positives.
**Filter/Exclusion:** `process.name == "wusa.exe"` or `process.name == "dism.exe"`, with the condition that the process is associated with a known update or patching task.

**Scenario:** System File Integrity Check (SFC) or DISM Scan
**Description:** System File Checker (SFC) or Deployment Image Servicing and Management (DISM) scans can trigger Microsoft Defender alerts as they scan system files.
**Filter/Exclusion:** `process.name == "sfc.exe"` or `process.name == "dism.exe"`, with the condition that the process is initiated by the system or a known administrative task.

**Scenario:** Microsoft Defender Antivirus Quarantine or Cleanup Task
**Description:** Automated tasks that move files to quarantine or clean up detected threats can generate alerts if the system is configured to log such actions.
**Filter/Exclusion:** `process.name == "MpCmdRun.exe"`, with the condition that the command line includes `/quarantine` or `/delete` and the process is initiated by a scheduled task or service.

**Scenario:** Third-Party Antivirus Integration or Coexistence
**Description:** When multiple antivirus solutions are installed, they may conflict, leading to false positives as each solution scans the same files.
**Filter/Exclusion:**
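The scenarios above are written in a generic `process.*` notation; the query below is an added example (not part of the original hunting query or the Azure Sentinel repository) that expresses the first four exclusions against the actual `DeviceEvents` columns and then ranks the remaining detections by how urgent they are. It assumes the benign tooling is identifiable by `InitiatingProcessFileName` and `InitiatingProcessAccountName`, and that the `/quarantine` and `/delete` command-line markers from the cleanup scenario apply in your environment; adjust the lists to match what you actually observe.

```kusto
// Added example, not the page's original query. Assumed tuning values are
// marked below; confirm them against your own DeviceEvents baseline.
let lookback = 7d;
// Assumption: tooling that legitimately touches many files (scheduled scans,
// patching, SFC/DISM), taken from the false-positive scenarios above.
let benignScanners = dynamic(["MsMpEng.exe", "wusa.exe", "dism.exe", "sfc.exe"]);
// Assumption: accounts those tools run under when launched by the OS or a task.
let systemAccounts = dynamic(["system", "local service", "network service"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "AntivirusDetection"
| extend ParsedFields = parse_json(AdditionalFields)
| extend ThreatName = tostring(ParsedFields.ThreatName),
         WasRemediated = tobool(ParsedFields.WasRemediated),
         WasExecutingWhileDetected = tobool(ParsedFields.WasExecutingWhileDetected)
// Scenarios 1 to 3: scans or patching launched by the system itself.
| extend IsSystemTooling = InitiatingProcessFileName in~ (benignScanners)
                           and tolower(InitiatingProcessAccountName) in (systemAccounts)
// Scenario 4: Defender's own quarantine / cleanup runs (markers as stated above).
| extend IsDefenderCleanup = InitiatingProcessFileName =~ "MpCmdRun.exe"
                             and InitiatingProcessCommandLine has_any ("/quarantine", "/delete")
| where not(IsSystemTooling) and not(IsDefenderCleanup)
// A threat that was already running and was not cleaned up is the most urgent case.
| extend RiskScore = iff(WasExecutingWhileDetected, 2, 0) + iff(not(WasRemediated), 1, 0)
| summarize Detections = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Files = make_set(FileName, 10), Hashes = make_set(SHA1, 10),
            MaxRisk = max(RiskScore)
          by DeviceName, ThreatName, InitiatingProcessFileName
| order by MaxRisk desc, Detections desc
```

Rows with `MaxRisk` of 3 (executing and not remediated) are the ones to triage first; the `Hashes` set gives you the SHA1 values to pivot on in `DeviceFileEvents` or `DeviceProcessEvents`.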