A large number of devices in a specific Microsoft Defender AV mode may indicate an adversary attempting to evade detection by leveraging AV mode configurations. SOC teams should proactively hunt for this behavior to identify potential evasion tactics and assess the effectiveness of endpoint protection in their Azure Sentinel environment.
KQL Query
DeviceTvmInfoGathering
| extend AvModeCode = tostring(AdditionalFields.AvMode)
| extend AvMode = case(
    AvModeCode == '0', 'Active',
    AvModeCode == '1', 'Passive',
    AvModeCode == '2', 'Disabled',
    AvModeCode == '4', 'EDR Blocked',
    AvModeCode == '5', 'PassiveAudit',
    'Unknown')
| summarize DeviceCount = count() by AvMode
id: 9FDDF2F5-88AC-4186-BA48-7A4187A4F755
name: Microsoft Defender AV mode device count
description: |
  'Provides the antivirus mode and the number of devices falling under each AV mode.'
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  DeviceTvmInfoGathering
  | extend AvModeCode = tostring(AdditionalFields.AvMode)
  | extend AvMode = case(
      AvModeCode == '0', 'Active',
      AvModeCode == '1', 'Passive',
      AvModeCode == '2', 'Disabled',
      AvModeCode == '4', 'EDR Blocked',
      AvModeCode == '5', 'PassiveAudit',
      'Unknown')
  | summarize DeviceCount = count() by AvMode
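The query above counts every DeviceTvmInfoGathering row, so if the selected time range holds more than one inventory snapshot per device the totals are inflated. The following triage variant is an added example, not part of the hunting query above; it assumes the standard DeviceId, DeviceName and Timestamp columns of DeviceTvmInfoGathering, keeps only the latest snapshot per device, uses the same AvMode code mapping, and lists the devices that are not in Active mode together with their share of the fleet.

```kql
// Added example (not the original hunting query). Assumes the standard
// DeviceTvmInfoGathering columns DeviceId, DeviceName and Timestamp and the
// same AvMode code-to-name mapping used by the query above.
let AvModeNames = datatable(AvModeCode:string, AvMode:string) [
    '0', 'Active',
    '1', 'Passive',
    '2', 'Disabled',
    '4', 'EDR Blocked',
    '5', 'PassiveAudit'
];
let Lookback = 7d;
// One row per device: the most recent snapshot wins, so a device that
// changed mode during the window is counted once, in its current mode.
let LatestPerDevice = materialize(
    DeviceTvmInfoGathering
    | where Timestamp > ago(Lookback)
    | where isnotempty(AdditionalFields.AvMode)
    | extend AvModeCode = tostring(AdditionalFields.AvMode)
    | summarize arg_max(Timestamp, *) by DeviceId
    | lookup kind=leftouter AvModeNames on AvModeCode
    | extend AvMode = coalesce(AvMode, 'Unknown'));
let TotalDevices = toscalar(LatestPerDevice | count);
LatestPerDevice
| summarize DeviceCount = count(),
            SampleDevices = make_set(DeviceName, 25) by AvMode
| extend PercentOfFleet = round(100.0 * DeviceCount / TotalDevices, 1)
// Active is the expected state; everything else is what the hunt is after.
| where AvMode != 'Active'
| order by DeviceCount desc
```

Compare PercentOfFleet against the share of devices you expect to run a third-party AV (Passive) or to be intentionally excluded; a jump in Disabled or Passive beyond that baseline is the signal this hunt is built to surface.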
Scenario: Microsoft Defender AV is enabled on a device during a scheduled system scan.
Filter/Exclusion: Exclude devices where Microsoft Defender AV is running and the scan was initiated by a known scheduled task (e.g., Microsoft Defender Scheduled Scan).

Scenario: A system administrator manually runs a full system scan using the Microsoft Defender GUI or PowerShell.
Filter/Exclusion: Exclude devices where the scan was initiated by a user with administrative privileges and the process is associated with msdefender.exe or the Windows Defender UI.

Scenario: A third-party endpoint security tool is installed alongside Microsoft Defender, and the system reports both AV modes.
Filter/Exclusion: Exclude devices where a third-party AV (e.g., Bitdefender, Kaspersky) is detected and the Microsoft Defender AV mode is not Active.

Scenario: A device is running a Windows update or system maintenance task that temporarily activates Microsoft Defender AV.
Filter/Exclusion: Exclude devices where the AV mode is Active during a known Windows update or system maintenance process (e.g., wuauclt.exe, schtasks.exe).

Scenario: A device is part of a managed environment where Microsoft Defender AV is configured to run in "Real-time protection" mode as part of a compliance policy.
Filter/Exclusion: Exclude devices where the AV mode is Active because of a group policy or compliance setting (e.g., a Microsoft Defender Advanced Threat Protection policy).