Adversaries may leverage outdated or non-compliant Microsoft Defender AV platforms to exploit known vulnerabilities, so it is important to hunt proactively for devices whose platform version lags the rest of the fleet. Monitoring the count of up-to-date, not-up-to-date and unreported devices per platform version in Azure Sentinel helps identify gaps in endpoint protection that advanced threats could exploit.
KQL Query

```kql
// Signature timestamps older than this are treated as stale: the device's
// report cannot be trusted, so its status is bucketed as "Unknown".
let expiringPublishdate = ago(8d);
DeviceTvmInfoGathering
| extend DataRefreshTimestamp = Timestamp,
    AvIsPlatformUpToDateTemp = tostring(AdditionalFields.AvIsPlatformUptodate),
    AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
    AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
    AvPlatformVersion = tostring(AdditionalFields.AvPlatformVersion)
// A device is "Unknown" when the flag is missing, either timestamp is null,
// or either timestamp falls outside the 8-day freshness window; otherwise
// the reported flag ("true" / "false") is kept as-is.
| extend AvIsPlatformUpToDate = iif(
    isempty(AvIsPlatformUpToDateTemp)
    or isnull(AvSignatureDataRefreshTime)
    or isnull(AvSignaturePublishTime)
    or AvSignatureDataRefreshTime < expiringPublishdate
    or AvSignaturePublishTime < expiringPublishdate,
    "Unknown", AvIsPlatformUpToDateTemp)
// Devices that report no platform version are grouped under "Unknown".
| extend AvPlatformVersion = iif(AvPlatformVersion == "", "Unknown", AvPlatformVersion)
| project DeviceId, DeviceName, OSPlatform, AvPlatformVersion, DataRefreshTimestamp, AvIsPlatformUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
// One row per OS platform and platform version, with the three status counts.
| summarize DeviceCount = count(),
    DataRefreshTimestamp = max(DataRefreshTimestamp),
    PlatformUpToDateDeviceCount = countif(AvIsPlatformUpToDate == "true"),
    PlatformNotUpToDateDeviceCount = countif(AvIsPlatformUpToDate == "false"),
    PlatformNotAvailableDeviceCount = countif(AvIsPlatformUpToDate == "Unknown")
    by OSPlatform, AvPlatformVersion
```
```yaml
id: 4EBA78B0-8E8E-4E9A-9AFF-160372BDD201
name: Microsoft Defender AV Platform up to date information
description: |
  'Provides the Platform version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the Platform version.'
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  let expiringPublishdate = ago(8d);
  DeviceTvmInfoGathering
  | extend DataRefreshTimestamp = Timestamp,
      AvIsPlatformUpToDateTemp = tostring(AdditionalFields.AvIsPlatformUptodate),
      AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
      AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
      AvPlatformVersion = tostring(AdditionalFields.AvPlatformVersion)
  | extend AvIsPlatformUpToDate = iif(
      isempty(AvIsPlatformUpToDateTemp)
      or isnull(AvSignatureDataRefreshTime)
      or isnull(AvSignaturePublishTime)
      or AvSignatureDataRefreshTime < expiringPublishdate
      or AvSignaturePublishTime < expiringPublishdate,
      "Unknown", AvIsPlatformUpToDateTemp)
  | extend AvPlatformVersion = iif(AvPlatformVersion == "", "Unknown", AvPlatformVersion)
  | project DeviceId, DeviceName, OSPlatform, AvPlatformVersion, DataRefreshTimestamp, AvIsPlatformUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
  | summarize DeviceCount = count(),
      DataRefreshTimestamp = max(DataRefreshTimestamp),
      PlatformUpToDateDeviceCount = countif(AvIsPlatformUpToDate == "true"),
      PlatformNotUpToDateDeviceCount = countif(AvIsPlatformUpToDate == "false"),
      PlatformNotAvailableDeviceCount = countif(AvIsPlatformUpToDate == "Unknown")
      by OSPlatform, AvPlatformVersion
```
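The classification rule in the query above is easy to misread: a device that reports `AvIsPlatformUptodate = true` is still counted as "Unknown" if either signature timestamp is missing or older than eight days, because a stale report is not evidence of a current platform. The following Python is an added example, not code from the original page or from the Sentinel content it describes; it reproduces the query's `extend` and `summarize` steps over a handful of constructed device records (the device names, timestamps and platform version strings are made up for illustration) so the bucketing can be checked offline before the query is trusted in production.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the example is deterministic; the KQL uses ago(8d).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRING_PUBLISH_DATE = NOW - timedelta(days=8)


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Mirror KQL todatetime(): null for missing or unparseable input."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def classify_platform(additional_fields: dict) -> str:
    """Reproduce the query's AvIsPlatformUpToDate derivation.

    Returns "true", "false" or "Unknown". "Unknown" wins when the raw
    flag is empty, either timestamp is null, or either timestamp is
    older than the 8-day window, even if the raw flag says "true".
    """
    raw = additional_fields.get("AvIsPlatformUptodate")
    # tostring() on a dynamic bool yields lowercase "true"/"false".
    if isinstance(raw, bool):
        raw_flag = "true" if raw else "false"
    else:
        raw_flag = str(raw or "")
    refresh = parse_ts(additional_fields.get("AvSignatureDataRefreshTime"))
    publish = parse_ts(additional_fields.get("AvSignaturePublishTime"))
    if (
        raw_flag == ""
        or refresh is None
        or publish is None
        or refresh < EXPIRING_PUBLISH_DATE
        or publish < EXPIRING_PUBLISH_DATE
    ):
        return "Unknown"
    return raw_flag


def summarize(devices: list[dict]) -> dict[tuple[str, str], dict]:
    """Reproduce `summarize ... by OSPlatform, AvPlatformVersion`."""
    buckets: dict[tuple[str, str], dict] = defaultdict(lambda: {
        "DeviceCount": 0,
        "PlatformUpToDateDeviceCount": 0,
        "PlatformNotUpToDateDeviceCount": 0,
        "PlatformNotAvailableDeviceCount": 0,
    })
    for device in devices:
        af = device["AdditionalFields"]
        # Empty platform version collapses to "Unknown", as in the query.
        version = str(af.get("AvPlatformVersion") or "") or "Unknown"
        status = classify_platform(af)
        bucket = buckets[(device["OSPlatform"], version)]
        bucket["DeviceCount"] += 1
        if status == "true":
            bucket["PlatformUpToDateDeviceCount"] += 1
        elif status == "false":
            bucket["PlatformNotUpToDateDeviceCount"] += 1
        else:
            bucket["PlatformNotAvailableDeviceCount"] += 1
    return dict(buckets)


# Constructed sample rows shaped like DeviceTvmInfoGathering records.
SAMPLE_DEVICES = [
    {"DeviceId": "d1", "DeviceName": "ws-01", "OSPlatform": "Windows11",
     "AdditionalFields": {"AvIsPlatformUptodate": True,
                          "AvSignatureDataRefreshTime": "2024-05-31T04:00:00Z",
                          "AvSignaturePublishTime": "2024-05-30T20:00:00Z",
                          "AvPlatformVersion": "4.18.24050.7"}},
    # Flag says "true" but the report is 12 days old: must land in "Unknown".
    {"DeviceId": "d2", "DeviceName": "ws-02", "OSPlatform": "Windows11",
     "AdditionalFields": {"AvIsPlatformUptodate": True,
                          "AvSignatureDataRefreshTime": "2024-05-20T04:00:00Z",
                          "AvSignaturePublishTime": "2024-05-19T20:00:00Z",
                          "AvPlatformVersion": "4.18.24050.7"}},
    {"DeviceId": "d3", "DeviceName": "ws-03", "OSPlatform": "Windows11",
     "AdditionalFields": {"AvIsPlatformUptodate": False,
                          "AvSignatureDataRefreshTime": "2024-05-31T04:00:00Z",
                          "AvSignaturePublishTime": "2024-05-30T20:00:00Z",
                          "AvPlatformVersion": "4.18.24030.9"}},
    # No flag and no version reported at all.
    {"DeviceId": "d4", "DeviceName": "srv-01", "OSPlatform": "Windows10",
     "AdditionalFields": {"AvPlatformVersion": ""}},
    # Fresh refresh time but missing publish time: also "Unknown".
    {"DeviceId": "d5", "DeviceName": "ws-05", "OSPlatform": "Windows11",
     "AdditionalFields": {"AvIsPlatformUptodate": True,
                          "AvSignatureDataRefreshTime": "2024-05-31T04:00:00Z",
                          "AvPlatformVersion": "4.18.24050.7"}},
]

if __name__ == "__main__":
    for key, counts in sorted(summarize(SAMPLE_DEVICES).items()):
        print(key, counts)
```

Running it shows that of the three Windows 11 devices on the newest platform version only one is counted as up to date, while the other two fall into `PlatformNotAvailableDeviceCount`; in a real tenant that "Unknown" column is where devices that have stopped reporting, and therefore may also have stopped updating, show up first.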
Scenario: Scheduled Microsoft Defender AV updates
Description: A scheduled update task runs during off-hours, temporarily marking some devices as "not up to date" while the update is in progress.
Filter/Exclusion: Exclude devices where the update status is In progress or Pending for the Microsoft Defender AV service.

Scenario: Manual Microsoft Defender AV scan initiated by an admin
Description: An administrator manually initiates a full system scan, which may temporarily affect the status of devices in the platform.
Filter/Exclusion: Exclude devices where the scan status is Running or In progress for the Microsoft Defender AV service.

Scenario: Microsoft Defender AV policy reconfiguration
Description: An admin reconfigures the Defender AV policy, which may cause a temporary status change in the platform version reporting.
Filter/Exclusion: Exclude devices where the policy update status is Pending or Reconfiguring.

Scenario: Microsoft Endpoint Manager (MEM) deployment of a new Defender AV version
Description: A deployment via Microsoft Endpoint Manager is in progress, which may temporarily mark some devices as not up to date during the rollout.
Filter/Exclusion: Exclude devices where the deployment status is In progress or Pending for the Microsoft Defender AV update.

Scenario: Third-party tool compatibility testing
Description: A security tool or third-party application is being tested for compatibility with the current Defender AV version, temporarily affecting the status.
Filter/Exclusion: Exclude devices where a third-party tool (e.g., Microsoft Baseline Security Analyzer (MBSA) or Windows Defender Application Control) is in use and marked as Testing or Compatibility check.