How to List Defender Threat Detections Across All Windows Devices

Using Kolide, you can easily view and query Windows Defender Threat Detections across your fleet.

Introduction

Windows Defender is the name for the built-in antivirus software that comes with Windows. It can serve as either a full antivirus and anti-malware service or it can augment commercial antivirus software that is installed on the device.

If a Windows Defender Antivirus scan detects a threat (ex: malware), information about that threat is enumerated and stored on the device. This device property collects and aggregates these threat detections.

What Windows Defender Threat Detection Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Windows Defender Threat Detections from Windows devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Windows Defender Threat Detections Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

action_success Boolean

Was the action Windows Defender took in response to the threat successful?

additional_actions Enum::Text

Follow-up actions still required to fully remediate the threat (for example a full scan, a reboot, or manual steps)

Can be one of the following:

  • None
  • Full Scan Required
  • Full Scan and Reboot Required
  • Manual Steps Required
  • Full Scan and Manual Steps Required
  • Reboot and Manual Steps Required
  • Full Scan, Reboot, and Manual Steps Required
  • Offline Scan Required
  • Full Scan and Offline Scan Required
  • Reboot and Offline Scan Required
  • Full Scan, Reboot and Offline Scan Required
  • Manual Steps and Offline Scan Required
  • Full Scan, Manual Steps, and Offline Scan Required
  • Reboot, Manual Steps, and Offline Scan Required
  • Full Scan, Reboot, Manual Steps, and Offline Scan Required

am_product_version Text

The version of the Antimalware portion of Windows Defender

am_product_version_major Bigint

am_product_version's semver major version (ex: 4.2.1 would yield 4)

am_product_version_minor Bigint

am_product_version's semver minor version (ex: 4.2.1 would yield 2)

am_product_version_patch Bigint

am_product_version's semver patch version (ex: 4.2.1 would yield 1)

am_product_version_subpatch Bigint

The fourth (sub-patch) position of am_product_version's numeric version (ex: 4.2.1.6 would yield 6)

cleaning_action_id Integer

The cleaning action taken by Windows Defender.

Note on data collection: This value is an enum, but Microsoft has not documented what the values currently represent.

current_threat_execution_status_id Enum::Text

Information about the current running state or future activation potential of the threat

Can be one of the following:

  • Unknown
  • Blocked
  • Allowed
  • Executing
  • Not Executing

detection_id Text

A unique identifier associated with each threat detection

detection_source_type_id Enum::Text

The method used to detect the threat

Can be one of the following:

  • Unknown
  • User
  • System
  • Real Time
  • IOAV
  • NRI
  • ELAM
  • Local Attestation
  • Remote Attestation

domain_user Text

The user associated with the scan or who requested remediation

initially_detected_at Timestamp

The initial threat detection time

process_name Text

The name of the process involved, if known

remediated_at Timestamp

The time of the remediation

resources Text[]

List of resources affected by the detection (ex: files)

threat_id Bigint

A unique identifier associated with the threat discovered (e.g. 2147519003). You can translate these IDs into common names in PowerShell by running the cmdlet Get-MpThreat -ThreatID 2147519003.

threat_status_changed_at Timestamp

The most recent time of the threat status change

threat_status_error_code Bigint

Windows Defender threat error codes in decimal notation (e.g. 2142207965). A lookup table can be found in Microsoft's Windows Defender documentation.

threat_status_id Enum::Text

The current status of the threat and of the action Windows Defender took against it

Can be one of the following:

  • Unknown
  • Detected
  • Cleaned
  • Quarantined
  • Removed
  • Allowed
  • Blocked
  • Cleaned Failed
  • Quarantined Failed
  • Removed Failed
  • Allowed Failed
  • Abandoned
  • Block Failed

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect Windows Defender Threat Detections?

IT & Security administrators may review this information to discover confirmed malware that may have been downloaded and executed on a device.
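Once the rows are exported (for example via the API), the columns above are enough to separate detections Windows Defender already handled from those that still need a person. The following Python is an added example, not Kolide's own code: it assumes each exported row is a dict keyed by the column names in the schema above, and the two sample rows are constructed for illustration (the threat_id and threat_status_error_code values are the example values quoted in the schema; device names, paths and the am_product_version are made up).

```python
"""Triage Windows Defender Threat Detection rows exported from Kolide.

Added example, not Kolide's own code. It assumes that rows exported from
Inventory arrive as dicts whose keys match the column names in the schema
on this page; the sample rows at the bottom are constructed.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Tuple

# threat_status_id values (from the schema) that mean remediation did not complete.
FAILED_STATUSES = {
    "Cleaned Failed", "Quarantined Failed", "Removed Failed",
    "Allowed Failed", "Block Failed", "Abandoned",
}
# threat_status_id values that mean Windows Defender neutralised the threat.
RESOLVED_STATUSES = {"Cleaned", "Quarantined", "Removed", "Blocked"}


def parse_am_version(version: str) -> Tuple[int, int, int, Optional[int]]:
    """Split am_product_version the way the *_major, *_minor, *_patch and
    *_subpatch columns are derived: "4.2.1" -> (4, 2, 1, None) and
    "4.2.1.6" -> (4, 2, 1, 6). Anything that is not 3 or 4 integers is rejected."""
    parts = version.split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected am_product_version: {version!r}")
    numbers = [int(p) for p in parts]
    subpatch = numbers[3] if len(numbers) == 4 else None
    return numbers[0], numbers[1], numbers[2], subpatch


def triage(row: Dict) -> List[str]:
    """Return the reasons a detection row still needs an administrator's
    attention; an empty list means Defender handled it and nothing is pending."""
    reasons: List[str] = []
    status = row.get("threat_status_id", "Unknown")
    if status in FAILED_STATUSES:
        reasons.append(f"remediation failed: {status}")
    elif status not in RESOLVED_STATUSES:
        # Detected, Allowed and Unknown all mean the threat was not neutralised.
        reasons.append(f"threat not resolved: {status}")
    if row.get("action_success") is False:
        reasons.append("Defender's last action did not succeed")
    if row.get("current_threat_execution_status_id") == "Executing":
        reasons.append("threat is currently executing")
    actions = row.get("additional_actions", "None")
    if actions != "None":
        reasons.append(f"follow-up required: {actions}")
    error_code = row.get("threat_status_error_code") or 0
    if error_code:
        # Decimal code; look it up in Microsoft's Windows Defender documentation.
        reasons.append(f"Defender reported error code {error_code}")
    return reasons


def needs_attention(rows: List[Dict]) -> List[Tuple[str, int, List[str]]]:
    """(device_name, threat_id, reasons) for every row that triage() flags."""
    flagged = []
    for row in rows:
        reasons = triage(row)
        if reasons:
            flagged.append((row["device_name"], row["threat_id"], reasons))
    return flagged


# Constructed sample rows. threat_id and threat_status_error_code reuse the
# example values quoted in the schema; device names, paths and the version are made up.
SAMPLE_ROWS = [
    {
        "device_name": "LAPTOP-01",
        "threat_id": 2147519003,
        "threat_status_id": "Quarantined",
        "action_success": True,
        "current_threat_execution_status_id": "Not Executing",
        "additional_actions": "None",
        "threat_status_error_code": 0,
        "am_product_version": "4.18.2203.5",
        "resources": ["file:_C:\\Users\\alice\\Downloads\\invoice.exe"],
    },
    {
        "device_name": "LAPTOP-02",
        "threat_id": 2147519003,
        "threat_status_id": "Quarantined Failed",
        "action_success": False,
        "current_threat_execution_status_id": "Executing",
        "additional_actions": "Full Scan and Reboot Required",
        "threat_status_error_code": 2142207965,
        "am_product_version": "4.18.2203.5",
        "resources": ["file:_C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe"],
    },
]

if __name__ == "__main__":
    for device, threat, reasons in needs_attention(SAMPLE_ROWS):
        print(f"{device} threat {threat}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run directly, the script prints only LAPTOP-02 with five reasons; LAPTOP-01 is quarantined, succeeded, idle and has nothing outstanding, so it is left alone. The rules mirror the column semantics in the schema: a failed or unresolved threat_status_id, a false action_success, an Executing threat, any additional_actions other than None, and a non-zero threat_status_error_code each contribute a reason, so the reasons list doubles as the checklist an administrator works through on the device.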

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Windows Defender Threat Detections can contain references to the full path of the file (or files) associated with any discovered threat and the name of the user associated with the antivirus scan.

While administrators are unable to enumerate the contents of any files, the names themselves could contain sensitive information. See the example data collected to get a representative idea of what information is shared with administrators.

When you use Kolide to list Windows Defender Threat Detection data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.