View Other Properties

Contents

View Other Properties

How to List Defender Threat Detections Across All Windows Devices

Using Kolide, you can easily view and query Windows Defender Threat Detections across your fleet.

Introduction

Windows Defender is the name for the built-in antivirus software that comes with Windows. It can serve as either a full antivirus and anti-malware service or it can augment commercial antivirus software that is installed on the device.

If a Windows Defender Antivirus scan detects a threat (ex: malware) information about that threat is enumerated and stored on the device. This device property collects and aggregates these threat detections.

What Windows Defender Threat Detection Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Windows Defender Threat Detections from Windows devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Windows Defender Threat Detections Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

action_success Boolean

Was the action Windows Defender took in response to the threat successful?

additional_actions Enum::Text

Information about the current running state or future activation potential of the threat

Can be one of the following:

  • None
  • Full Scan Required
  • Full Scan and Reboot Required
  • Manual Steps Required
  • Full Scan and Manual Steps Required
  • Reboot and Manual Steps Required
  • Full Scan, Reboot, and Manual Steps Required
  • Offline Scan Required
  • Full Scan and Offline Scan Required
  • Reboot and Offline Scan Required
  • Full Scan, Reboot and Offline Scan Required
  • Manual Steps and Offline Scan Required
  • Full Scan, Manual Steps, and Offline Scan Required
  • Reboot, Manual Steps, and Offline Scan Required
  • Full Scan, Reboot, Manual Steps, and Offline Scan Required
am_product_version Text

The version of the Antimalware portion of Windows Defender

am_product_version_major Bigint

am_product_version's semver major version (ex: 4.2.1 would yield 4)

am_product_version_minor Bigint

am_product_version's semver minor version (ex: 4.2.1 would yield 2)

am_product_version_patch Bigint

am_product_version's semver patch version (ex: 4.2.1 would yield 1)

am_product_version_subpatch Bigint

am_product_version's numeric status fourth position number (ex: 4.2.1.6 would yield 6)

cleaning_action_id Integer

The cleaning action taken by Windows Defender.

Note on data collection: This value is an enum, but Microsoft has not documented what the values currently represent.

current_threat_execution_status_id Enum::Text

Information about the current running state or future activation potential of the threat

Can be one of the following:

  • Unknown
  • Blocked
  • Allowed
  • Executing
  • Not Executing
detection_id Text

A unique identifier associated with each threat detection

detection_source_type_id Enum::Text

The method used to detect the threat

Can be one of the following:

  • Unknown
  • User
  • System
  • Real Time
  • IOAV
  • NRI
  • ELAM
  • Local Attestation
  • Remote Attestation
domain_user Text

The user associated with the scan or who requested remediation

initially_detected_at Timestamp

The initial threat detection time

process_name Text

The name of the process involved (otherwise unknown)

remediated_at Timestamp

The time of the remediation

resources Text[]

List of resources affected by the detection (ex: files)

threat_id Bigint

A unique identifier associated with the threat discovered (eg. 2147519003). You can translate these IDs into common names in PowerShell by running the cmdlet Get-MpThreat -ThreatID 2147519003

threat_status_changed_at Timestamp

The most recent time of the threat status change

threat_status_error_code Bigint

Windows Defender threat error codes in decimal notation (eg. 2142207965). A lookup table can be found in Microsoft's Windows Defender Documentation.

threat_status_id Enum::Text

Information about the current running state or future activation potential of the threat

Can be one of the following:

  • Unknown
  • Detected
  • Cleaned
  • Quarantined
  • Removed
  • Allowed
  • Blocked
  • Cleaned Failed
  • Quarantined Failed
  • Removed Failed
  • Allowed Failed
  • Abandoned
  • Block Failed
collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect Windows Defender Threat Detections?

IT & Security administrators may review this information to discover confirmed malware that may have been downloaded and executed on a device.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Windows Defender Threat Detections can contain references to full path of the file (or files) associated with any discovered threat and the name of the user associated with the antivirus scan.

While administrators are unable to enumerate the contents of any files, the names themselves could contain sensitive information. See the example data collected to get a representative idea of what information is shared with administrators.

When you use Kolide to list Windows Defender Threat Detection data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed by employees through Slack or Google Workspace account.

Share this story:

Related Device Properties:

New
Windows Defender Settings
defender, anti-virus, security
New
Mac XProtect Reports
anti-virus, threats, security
New
Windows Update Settings
updates, operating-system, security
View full list of Kolide's Device Properties
Try Kolide Free
Try Kolide Free