Adversaries may disable or stall Microsoft Defender AV security-intelligence (signature) updates so that newer malware goes undetected (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). This hunting query does not observe the tampering itself: it summarises the DeviceTvmInfoGathering snapshot in Microsoft Sentinel (formerly Azure Sentinel) per OS platform and signature version, counting devices that report up to date, not up to date, or an unknown/stale status (no reported fields, or a signature publish time older than 8 days). SOC teams should use it to find devices whose signatures are stale or unreported, then pivot to those devices' update and tamper-protection telemetry to distinguish a failed update from deliberate tampering.
KQL Query
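// Freshness window: a signature set published more than 8 days ago is treated as
// stale ("Unknown") even if the device itself still reports it as up to date.
let expiringPublishdate = ago(8d);
DeviceTvmInfoGathering
// Lift the AV signature attributes out of the dynamic AdditionalFields bag.
// NOTE(review): DeviceTvmInfoGathering is a snapshot table; if more than one snapshot per
// device falls inside the query time range, every row is counted below — confirm whether
// an arg_max(Timestamp, *) by DeviceId is needed before summarizing.
| extend DataRefreshTimestamp = Timestamp,
    AvIsSignatureUpToDateTemp = tostring(AdditionalFields.AvIsSignatureUptoDate),
    AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
    AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
    AvSignatureVersion = tostring(AdditionalFields.AvSignatureVersion)
// Normalised status: "Unknown" when any field is missing or the publish time is outside
// the window, otherwise the device-reported "true"/"false" string. The earlier extra clause
// (AvIsSignatureUpToDateTemp == True and AvSignaturePublishTime < expiringPublishdate) was
// already covered by the publish-time check and compared a string with a bool literal.
| extend AvIsSignatureUpToDate = iif(
    isempty(AvIsSignatureUpToDateTemp)
        or isnull(AvSignatureDataRefreshTime)
        or isnull(AvSignaturePublishTime)
        or AvSignaturePublishTime < expiringPublishdate,
    "Unknown",
    AvIsSignatureUpToDateTemp)
// Devices that report no version are grouped under a single "Unknown" version bucket.
| extend AvSecurityIntelVersion = iif(isempty(AvSignatureVersion), "Unknown", AvSignatureVersion)
| project DeviceId, DeviceName, OSPlatform, AvSecurityIntelVersion, DataRefreshTimestamp,
    AvIsSignatureUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
// One row per platform and signature version with up-to-date / not-up-to-date / unknown counts.
| summarize DeviceCount = count(),
    DataRefreshTimestamp = max(DataRefreshTimestamp),
    SecurityIntelUpToDateDeviceCount = countif(AvIsSignatureUpToDate == "true"),
    SecurityIntelNotUpToDateDeviceCount = countif(AvIsSignatureUpToDate == "false"),
    SecurityIntelNotAvailableDeviceCount = countif(AvIsSignatureUpToDate == "Unknown")
    by OSPlatform, AvSecurityIntelVersion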
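id: 0F2179FB-BACC-4B71-80B3-29DE436E965C
name: Microsoft Defender AV Security Intelligence up to date information
description: |
  'Provides the Security Intelligence version and total count of up to date devices, not up to date devices and count of devices whose status is not available relevant to the security intelligence version.'
# NOTE(review): the query reads DeviceTvmInfoGathering, a Defender XDR (Microsoft 365 Defender)
# table — confirm which connector ingests it and list it here so the query is only offered
# in workspaces where the table exists.
requiredDataConnectors: []
# NOTE(review): the accompanying text frames this as hunting for disabled/stalled security
# intelligence (Defense Evasion, T1562.001 Impair Defenses: Disable or Modify Tools);
# consider mapping tactics/relevantTechniques accordingly.
tactics: []
relevantTechniques: []
query: |
  // Freshness window: a signature set published more than 8 days ago is treated as
  // stale ("Unknown") even if the device itself still reports it as up to date.
  let expiringPublishdate = ago(8d);
  DeviceTvmInfoGathering
  // Lift the AV signature attributes out of the dynamic AdditionalFields bag.
  // NOTE(review): DeviceTvmInfoGathering is a snapshot table; if more than one snapshot per
  // device falls inside the query time range, every row is counted below — confirm whether
  // an arg_max(Timestamp, *) by DeviceId is needed before summarizing.
  | extend DataRefreshTimestamp = Timestamp,
      AvIsSignatureUpToDateTemp = tostring(AdditionalFields.AvIsSignatureUptoDate),
      AvSignatureDataRefreshTime = todatetime(AdditionalFields.AvSignatureDataRefreshTime),
      AvSignaturePublishTime = todatetime(AdditionalFields.AvSignaturePublishTime),
      AvSignatureVersion = tostring(AdditionalFields.AvSignatureVersion)
  // Normalised status: "Unknown" when any field is missing or the publish time is outside
  // the window, otherwise the device-reported "true"/"false" string. The earlier extra clause
  // (AvIsSignatureUpToDateTemp == True and AvSignaturePublishTime < expiringPublishdate) was
  // already covered by the publish-time check and compared a string with a bool literal.
  | extend AvIsSignatureUpToDate = iif(
      isempty(AvIsSignatureUpToDateTemp)
          or isnull(AvSignatureDataRefreshTime)
          or isnull(AvSignaturePublishTime)
          or AvSignaturePublishTime < expiringPublishdate,
      "Unknown",
      AvIsSignatureUpToDateTemp)
  // Devices that report no version are grouped under a single "Unknown" version bucket.
  | extend AvSecurityIntelVersion = iif(isempty(AvSignatureVersion), "Unknown", AvSignatureVersion)
  | project DeviceId, DeviceName, OSPlatform, AvSecurityIntelVersion, DataRefreshTimestamp,
      AvIsSignatureUpToDate, AvSignaturePublishTime, AvSignatureDataRefreshTime
  // One row per platform and signature version with up-to-date / not-up-to-date / unknown counts.
  | summarize DeviceCount = count(),
      DataRefreshTimestamp = max(DataRefreshTimestamp),
      SecurityIntelUpToDateDeviceCount = countif(AvIsSignatureUpToDate == "true"),
      SecurityIntelNotUpToDateDeviceCount = countif(AvIsSignatureUpToDate == "false"),
      SecurityIntelNotAvailableDeviceCount = countif(AvIsSignatureUpToDate == "Unknown")
      by OSPlatform, AvSecurityIntelVersion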
Scenario: A system administrator manually updates the Microsoft Defender AV security intelligence using the Microsoft Defender Security Center or Group Policy.
Filter/Exclusion: This query carries no update-initiator or update-source field — it reads per-device snapshot fields from DeviceTvmInfoGathering — so an exclusion keyed on who triggered the update cannot be applied here. A manual update is benign and simply moves the device's AvSignaturePublishTime back inside the 8-day window on the next snapshot; only devices that stay Unknown or not up to date across refreshes warrant follow-up.
Scenario: A scheduled task runs to update security intelligence across the network using Windows Update or Microsoft Endpoint Manager (MEM).
Filter/Exclusion: Scheduled or management-tool updates leave no initiator trace in this query's fields, so they cannot be excluded by source. Instead, compare the device's AvSignatureDataRefreshTime and AvSignaturePublishTime with the task or MEM schedule: a device still outside the 8-day window after the scheduled run indicates the update is not landing and should be investigated.
Scenario: Microsoft Defender for Endpoint (a first-party service, not a third-party tool) or a third-party management tool synchronizes with Microsoft Defender AV and updates the security intelligence on behalf of the endpoint.
Filter/Exclusion: The query does not record which integration delivered the update, so exclusion by integration is not possible here; the update is benign if the device's AvSignatureVersion and AvSignaturePublishTime advance on the next snapshot, and suspicious only if the integration reports success while the device keeps reporting a stale publish time.
Scenario: A system health agent or Windows Defender service performs a background update of the security intelligence without user interaction.
Filter/Exclusion: Background updates by the Defender service are the expected path and run without user interaction; this query has no account or process fields, so it cannot tell them apart from any other update. Treat such devices as benign once they report up to date. A device that reports "true" yet lands in the Unknown bucket has a signature publish time older than 8 days and should be checked for a stalled or disabled update service.
Scenario: An IT automation tool (e.g., PowerShell, Ansible, or SCOM) is used to push updates to multiple endpoints, including security intelligence.
Filter/Exclusion: Automation-pushed updates likewise cannot be excluded by tool in this query; reconcile the Unknown and not-up-to-date device list against the automation run log, and escalate devices that the automation targeted but that still report a stale AvSignaturePublishTime afterwards.