If you’d like to get a sense of the versions for the threat protection signature files that are installed in your environment, here’s a quick KQL query to do that.
// Count devices by the antimalware signature version reported in ProtectionStatus
ProtectionStatus
| project DeviceName, ThreatStatus, TenantId, ProtectionStatus, SignatureVersion, ScanDate, ProtectionStatusDetails
| summarize sig_count=count() by SignatureVersion
// Render one pie slice per signature version, sized by the device count
| render piechart with (xcolumn=SignatureVersion, ycolumns=sig_count)
This particular KQL query displays the result as a pie chart like the following…
The most current version of this query will always be located in my GitHub repo at: SignatureVersionPie.txt
The ProtectionStatus table is available through the Antimalware Assessment, Security and Audit, SecurityCenter, and SecurityCenterFree solutions. It's made available to Azure Sentinel by connecting any of these solutions to the same Log Analytics workspace.
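The pie chart shows how many signature versions are in play, but the follow-up question is which devices are lagging behind. The query below is an added example, not from the original post or its GitHub repo; it assumes the ProtectionStatus columns named above, that SignatureVersion is a dotted version string that parse_version() can order, and that ScanDate is a datetime.

```kusto
// Added example: find devices whose most recent scan reports a signature
// version older than the newest version seen anywhere in the workspace.
// Assumes SignatureVersion is a dotted version string and ScanDate a datetime.
let lookback = 7d;
let latestPerDevice =
    ProtectionStatus
    | where TimeGenerated > ago(lookback)
    // keep only the most recent scan record per device
    | summarize arg_max(ScanDate, SignatureVersion, ProtectionStatus, ThreatStatus) by DeviceName
    // parse_version() turns "1.305.1234.0" into a comparable number
    | extend SigVer = parse_version(SignatureVersion);
// the newest signature version reported by any device in the window
let newestVersion = toscalar(latestPerDevice | summarize max(SigVer));
latestPerDevice
| where SigVer < newestVersion
| project DeviceName, SignatureVersion, ScanDate, ProtectionStatus, ThreatStatus
| order by ScanDate asc
```

Devices that never reported inside the lookback window will not appear at all, so pair this with a check for hosts missing from ProtectionStatus entirely.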
EXTRA: How to Add the Antimalware Assessment to Your Azure Sentinel Workspace