How to Add the Antimalware Assessment to Your Azure Sentinel Workspace

The Antimalware Assessment has been part of the Azure Marketplace for a long while and contains some valuable information like Threat Status Rank, Threat Status, Threat Status Details, Protection Status Rank, Protection Status, Protection Status Details, Type of Protection, Scan Date, Date Collected, Product Version, and others.

With all this valuable information, wouldn't it be great for us to use it to bolster and enhance security operations in Azure Sentinel environments?

Of course it would. And, here’s how to enable it.

Adding the Antimalware Assessment to the Log Analytics Workspace for Azure Sentinel

In the search space in the Azure portal, search for antimalware. The Antimalware Assessment will show up in the Marketplace section. Click on it.

Locating it in the Marketplace

After you click on the Antimalware Assessment component to initiate it, you’ll need to select the Log Analytics Workspace that is being utilized for Azure Sentinel. This is where the data from this assessment will reside. Once you select the correct one, click the Create button.

Creating the assessment in the LAW

After a short wait while Azure deploys the assessment, you can go into Azure Sentinel and start kicking the tires.

A new table called ProtectionStatus gets created under the Antimalware Assessment area as shown in the next image.

Run the getschema KQL operator to see the columns you can query against.

Run getschema to see all the query potential

If this provides value for you, let me know. And, if you develop some crazy-cool new KQL queries and Analytics Rules from this, don't hesitate to share with the rest of us. 🙂

What You Get

Here’s the list of all columns available to query against…

TenantId
SourceSystem
TimeGenerated
SourceComputerId
DeviceName
DetectionId
Threat
ThreatStatusRank
ThreatStatus
ThreatStatusDetails
ProtectionStatusRank
ProtectionStatus
ProtectionStatusDetails
SignatureVersion
TypeofProtection
ScanDate
DateCollected
AMProductVersion
MG
ManagementGroupName
Computer
ComputerIP_Hidden
ResourceId
ComputerEnvironment
Resource
SubscriptionId
ResourceGroup
ResourceProvider
ResourceType
VMUUID
Type
_ResourceId
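As an added example (not from the original post), here is a query built on the columns above that could seed an Analytics Rule: it keeps the newest ProtectionStatus record per machine and flags detected threats, unhealthy protection, and stale scans. The rank thresholds (ProtectionStatusRank 150 meaning healthy real-time protection, ThreatStatusRank above 199 meaning a detected threat) are an assumption about the Antimalware Assessment convention; confirm them against your own data before alerting on them.

```kql
// Added example, not part of the original post.
// Assumption: ProtectionStatusRank == 150 is healthy real-time protection and
// ThreatStatusRank > 199 is a detected threat. Check the actual values in your
// workspace first, e.g. with:
//   ProtectionStatus | summarize count() by ProtectionStatus, ProtectionStatusRank
let lookback = 1d;
let stale_scan_days = 7;
ProtectionStatus
| where TimeGenerated > ago(lookback)
// one row per machine: the most recent assessment record
| summarize arg_max(TimeGenerated, *) by Computer
| extend DaysSinceScan = datetime_diff('day', now(), ScanDate)
// pick the most severe finding per machine; empty string means nothing to report
| extend Finding = case(
    ThreatStatusRank > 199,
        strcat("Threat detected: ", Threat, " (", ThreatStatus, ")"),
    ProtectionStatusRank != 150,
        strcat("Protection issue: ", ProtectionStatus, " - ", ProtectionStatusDetails),
    DaysSinceScan > stale_scan_days,
        strcat("No scan in ", tostring(DaysSinceScan), " days"),
    "")
| where isnotempty(Finding)
| project TimeGenerated, Computer, ResourceGroup, SubscriptionId,
          TypeofProtection, AMProductVersion, SignatureVersion, ScanDate,
          ThreatStatusRank, ProtectionStatusRank, Finding
| order by ThreatStatusRank desc, ProtectionStatusRank desc
```

Dropping the `where isnotempty(Finding)` line turns this into a fleet-wide protection inventory that is handy for a workbook rather than an alert.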

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
