Adversaries may attempt to evade detection by ensuring their malware is compatible with the latest Defender AV engine version. SOC teams should proactively hunt for this behaviour, using the engine-version and up-to-date counts below to identify potential indicators of compromise and to assess how effective their endpoint defences actually are.
KQL Query
let expiringPublishdate = ago(8d);
DeviceTvmInfoGathering
| extend
    DataRefreshTimestamp = Timestamp,
    AvIsEngineUpToDateTemp = tostring(AdditionalFields.AvIsEngineUptodate),
    AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
    AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
    AvEngineVersion = tostring(AdditionalFields.AvEngineVersion)
// Treat the reported status as "Unknown" when it is missing, or when the signature
// timestamps that support it are absent or older than the 8-day window.
| extend AvIsEngineUpToDate = iif(
    isempty(AvIsEngineUpToDateTemp)
    or isnull(AvSignatureDataRefreshTime)
    or isnull(AvSignaturePublishTime)
    or AvSignatureDataRefreshTime < expiringPublishdate
    or AvSignaturePublishTime < expiringPublishdate,
    "Unknown", AvIsEngineUpToDateTemp)
// Devices that report no engine version are grouped under "Unknown".
| extend AvEngineVersion = iif(AvEngineVersion == "", "Unknown", AvEngineVersion)
| project DeviceId, DeviceName, OSPlatform, AvEngineVersion, DataRefreshTimestamp, AvIsEngineUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
| summarize
    DeviceCount = count(),
    DataRefreshTimestamp = max(DataRefreshTimestamp),
    EngineUpToDateDeviceCount = countif(AvIsEngineUpToDate == "true"),
    EngineNotUpToDateDeviceCount = countif(AvIsEngineUpToDate == "false"),
    EngineNotAvailableDeviceCount = countif(AvIsEngineUpToDate == "Unknown")
    by OSPlatform, AvEngineVersion
id: 02BE358B-8733-46B7-8E3D-624B1F918237
name: Microsoft Defender AV Engine up to date info
description: |
  'Provides the Engine version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the Engine version.'
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  let expiringPublishdate = ago(8d);
  DeviceTvmInfoGathering
  | extend
      DataRefreshTimestamp = Timestamp,
      AvIsEngineUpToDateTemp = tostring(AdditionalFields.AvIsEngineUptodate),
      AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
      AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
      AvEngineVersion = tostring(AdditionalFields.AvEngineVersion)
  // Treat the reported status as "Unknown" when it is missing, or when the signature
  // timestamps that support it are absent or older than the 8-day window.
  | extend AvIsEngineUpToDate = iif(
      isempty(AvIsEngineUpToDateTemp)
      or isnull(AvSignatureDataRefreshTime)
      or isnull(AvSignaturePublishTime)
      or AvSignatureDataRefreshTime < expiringPublishdate
      or AvSignaturePublishTime < expiringPublishdate,
      "Unknown", AvIsEngineUpToDateTemp)
  // Devices that report no engine version are grouped under "Unknown".
  | extend AvEngineVersion = iif(AvEngineVersion == "", "Unknown", AvEngineVersion)
  | project DeviceId, DeviceName, OSPlatform, AvEngineVersion, DataRefreshTimestamp, AvIsEngineUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
  | summarize
      DeviceCount = count(),
      DataRefreshTimestamp = max(DataRefreshTimestamp),
      EngineUpToDateDeviceCount = countif(AvIsEngineUpToDate == "true"),
      EngineNotUpToDateDeviceCount = countif(AvIsEngineUpToDate == "false"),
      EngineNotAvailableDeviceCount = countif(AvIsEngineUpToDate == "Unknown")
      by OSPlatform, AvEngineVersion
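The bucketing the query performs (a reported status forced to "Unknown" when it is missing or its signature timestamps are absent or older than 8 days, an empty engine version folded into an "Unknown" version group, then counts per OS platform and engine version) reproduced in Python over constructed sample rows, as an added example that is not part of the original query or of any Microsoft tooling. The row layout (one `AdditionalFields` dict per device) and the engine version strings are assumptions, constructed so the logic can be checked offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=8)   # same window as `let expiringPublishdate = ago(8d)`
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so the constructed sample is reproducible

def engine_status(fields, now):
    """Mirror the query's AvIsEngineUpToDate bucketing for one device's AdditionalFields."""
    raw = fields.get("AvIsEngineUptodate")
    refresh = fields.get("AvSignatureDataRefreshTime")
    publish = fields.get("AvSignaturePublishTime")
    cutoff = now - STALE_AFTER
    if raw in (None, "") or refresh is None or publish is None \
            or refresh < cutoff or publish < cutoff:
        return "Unknown"        # status missing, or its supporting timestamps missing/stale
    return str(raw).lower()     # KQL tostring(true) yields "true"; match that spelling

def summarize(rows, now):
    """Mirror the final `summarize ... by OSPlatform, AvEngineVersion` step."""
    counters = ("DeviceCount", "EngineUpToDateDeviceCount", "EngineNotUpToDateDeviceCount", "EngineNotAvailableDeviceCount")
    out = defaultdict(lambda: dict.fromkeys(counters, 0))
    for row in rows:
        fields = row["AdditionalFields"]
        version = fields.get("AvEngineVersion") or "Unknown"   # iif(AvEngineVersion == "", "Unknown", ...)
        bucket = out[(row["OSPlatform"], version)]
        bucket["DeviceCount"] += 1
        status = engine_status(fields, now)
        if status == "true":
            bucket["EngineUpToDateDeviceCount"] += 1
        elif status == "false":
            bucket["EngineNotUpToDateDeviceCount"] += 1
        else:
            bucket["EngineNotAvailableDeviceCount"] += 1
    return dict(out)

def _row(platform, uptodate, refresh_days, publish_days, version):
    """One constructed DeviceTvmInfoGathering-style row; None leaves a field absent (null)."""
    stamp = lambda d: None if d is None else NOW - timedelta(days=d)
    fields = {"AvIsEngineUptodate": uptodate, "AvSignatureDataRefreshTime": stamp(refresh_days),
              "AvSignaturePublishTime": stamp(publish_days), "AvEngineVersion": version}
    return {"OSPlatform": platform, "AdditionalFields": {k: v for k, v in fields.items() if v is not None}}

SAMPLE_ROWS = [  # constructed rows, not real telemetry; engine version strings are made up
    _row("Windows10", True, 1, 2, "1.1.0.5"),        # healthy, reported within the window
    _row("Windows10", False, 1, 3, "1.1.0.4"),       # device itself reports the engine is out of date
    _row("Windows10", True, 12, 14, "1.1.0.5"),      # says "up to date" but signature data is 12 days old -> Unknown
    _row("WindowsServer2019", True, 1, 2, ""),       # empty version string lands in the "Unknown" version group
    _row("WindowsServer2019", None, None, 1, None),  # never reported status or refresh time -> Unknown
]
```

Running `summarize(SAMPLE_ROWS, NOW)` yields three groups, and the third Windows10 row is counted as not available rather than up to date, which is exactly what the 8-day guard in the query is for.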
Scenario: A system administrator manually updates the Microsoft Defender AV engine via the Microsoft Endpoint Manager (MEM) console.
Filter/Exclusion: Exclude events where the update action is initiated from Microsoft Endpoint Manager or where the source is the Microsoft Intune console.

Scenario: A scheduled task runs to update the Defender engine on a large number of endpoints using Group Policy Preferences (GPP).
Filter/Exclusion: Exclude events where the update source is Group Policy Preferences or where the task is initiated by a scheduled task with a known update policy.

Scenario: A third-party endpoint security tool (e.g., CrowdStrike, Palo Alto Networks, or SentinelOne) is installed alongside Microsoft Defender, and it updates the Defender engine as part of its integration.
Filter/Exclusion: Exclude events where the update source is a third-party tool or where the process name includes the third-party vendor's executable.

Scenario: A system update via Windows Update includes a Defender engine update, and the rule is triggered as part of the update process.
Filter/Exclusion: Exclude events where the update is initiated by Windows Update or where the update source is WSUS (Windows Server Update Services).

Scenario: An administrator runs a script to push updates to multiple devices using PowerShell or PowerShell DSC.
Filter/Exclusion: Exclude events where the process is initiated by PowerShell or where the script is sourced from a known admin script repository or central management system.