Query Details

Detect Defender XDR Services And Features Disabled On Devices

Query

**Detect DefenderXDR services and features disabled on devices**

**Description:** This KQL query detects devices on which Defender XDR and its associated features have been disabled. The state can be read from the policy registry keys listed in the query, where:

Enabled value == 1
Disabled value == 0

This is a bit confusing: if you enable these policy settings (RegistryValueData == 1), Windows Defender will not automatically take action on or report possible threats. If they are disabled (RegistryValueData == 0), Defender will automatically take action on all detected threats.

```kql
DeviceRegistryEvents
// If you enable these policy settings (RegistryValueData == 1), Windows Defender will not take action on or report possible threats.
// Windows Defender = the Defender service itself.
// Spynet = Microsoft Active Protection Service (MAPS), an online community that helps you choose how to respond to potential threats. With it on, the device checks in real time with MAPS before allowing certain content to run or be accessed; with it off, that check does not occur and the device's protection state is lowered.
// Real-Time Protection = scanning for malware and other unwanted software as files are accessed. Once disabled, nothing is scanned in real time.
// Keys are compared case-insensitively (in~) because the casing reported in events can vary.
| where RegistryKey in~ (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Microsoft Antimalware\\Real-Time Protection")
// RegistryValueData is a string column in DeviceRegistryEvents, so compare against the text "1".
| where RegistryValueData == "1"
| distinct Timestamp, DeviceName, RegistryKey, RegistryValueName, PreviousRegistryValueData, RegistryValueData, IsInitiatingProcessRemoteSession
```

Explanation

This KQL query identifies devices on which certain Windows Defender features are disabled. It checks specific policy registry keys to determine the state of Defender services and features. Here's a simple breakdown:

  1. Purpose: The query detects devices where Defender XDR services and features are disabled, which lowers the device's protection level.

  2. Registry Keys: It looks at three specific registry keys:

    • The main Windows Defender service.
    • The Microsoft Active Protection Service (Spynet), which provides real-time threat assessment.
    • Real-Time Protection, which scans for malware and unwanted software.

  3. Logic:

    • If RegistryValueData is 1, the policy setting is enabled; paradoxically, enabling it prevents Windows Defender from taking automatic actions or reporting threats.
    • If RegistryValueData is 0, the policy setting is disabled, and Defender handles detected threats automatically.

  4. Query Details:

    • The query filters for registry entries with a RegistryValueData of 1, that is, the policy is enabled but the protection feature is no longer active.
    • It retrieves distinct records with the timestamp, device name, registry key, value name, previous and current value data, and whether the initiating process ran in a remote session.

In summary, this query helps identify devices where certain Defender policy settings are enabled in a way that reduces their protective capabilities, so that administrators can take corrective action.
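To show the same filter and distinct step working over concrete records, here is an added Python re-implementation of the query's logic run offline against constructed DeviceRegistryEvents-style rows. It is example code written for this page, not the author's query and not a Microsoft API. The sample events are constructed, and the value names used in them (DisableAntiSpyware, DisableBlockAtFirstSeen, DisableRealtimeMonitoring) come from the Defender policy namespace rather than from the page; the `newly_disabled` flag is an addition that goes beyond the query by distinguishing a fresh 0 → 1 change from a re-write of an already-set 1, and the key match is case-insensitive, as the `in~` form of the query would be.

```python
"""Offline re-implementation of the page's detection logic over constructed
DeviceRegistryEvents-style records. Added example: not the author's query and
not a Microsoft API; it mirrors the query's key filter, value check and distinct
step, plus one derived flag (newly_disabled)."""
from dataclasses import dataclass

# The three policy keys the page's query watches. Compared case-insensitively
# (like KQL's in~) because the casing of reported keys such as "Spynet" varies.
WATCHED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection",
)
_WATCHED_LOWER = {k.lower() for k in WATCHED_KEYS}


@dataclass(frozen=True)
class Finding:
    """One row of the query's distinct projection, plus a derived flag."""
    timestamp: str
    device: str
    key: str
    value_name: str
    previous: str
    current: str
    remote_session: bool
    # True when the previous value was not already "1" (a 0 -> 1 change or a
    # newly created value), i.e. this event itself turned the protection off.
    newly_disabled: bool


def detect_defender_policy_disabled(events):
    """Mirror of the KQL pipeline: key filter, RegistryValueData == "1",
    then distinct over the projected columns (first occurrence kept)."""
    findings, seen = [], set()
    for ev in events:
        key = ev.get("RegistryKey", "")
        if key.lower() not in _WATCHED_LOWER:
            continue
        # RegistryValueData is a string column in DeviceRegistryEvents, so the
        # comparison is textual; strip() tolerates whitespace padding.
        data = str(ev.get("RegistryValueData", "")).strip()
        if data != "1":
            continue
        prev = str(ev.get("PreviousRegistryValueData", "")).strip()
        row = (
            ev["Timestamp"], ev["DeviceName"], key, ev.get("RegistryValueName", ""),
            prev, data, bool(ev.get("IsInitiatingProcessRemoteSession", False)),
        )
        if row in seen:  # the KQL "distinct" step
            continue
        seen.add(row)
        findings.append(Finding(*row, newly_disabled=(prev != "1")))
    return findings


def _event(ts, device, key, name, prev, data, remote=False):
    """Build one constructed DeviceRegistryEvents-style record."""
    return {"Timestamp": ts, "DeviceName": device, "RegistryKey": key,
            "RegistryValueName": name, "PreviousRegistryValueData": prev,
            "RegistryValueData": data, "IsInitiatingProcessRemoteSession": remote}


# Constructed sample events (not real telemetry). Value names are taken from
# the Defender policy namespace, which the page itself does not list.
SAMPLE_EVENTS = [
    # fresh disablement of the Defender service policy from a remote session
    _event("2024-12-08T09:00:00Z", "ws-a", WATCHED_KEYS[0],
           "DisableAntiSpyware", "0", "1", remote=True),
    # exact duplicate of the event above: collapsed by the distinct step
    _event("2024-12-08T09:00:00Z", "ws-a", WATCHED_KEYS[0],
           "DisableAntiSpyware", "0", "1", remote=True),
    # Spynet key reported in lower case, value newly created (no previous data)
    _event("2024-12-08T09:05:00Z", "ws-b", WATCHED_KEYS[1].replace("Spynet", "spynet"),
           "DisableBlockAtFirstSeen", "", "1"),
    # real-time protection already off; the value was merely re-written
    _event("2024-12-08T09:10:00Z", "ws-c", WATCHED_KEYS[2],
           "DisableRealtimeMonitoring", "1", "1"),
    # value set back to 0: protection restored, so not reported
    _event("2024-12-08T09:15:00Z", "ws-d", WATCHED_KEYS[0],
           "DisableAntiSpyware", "1", "0"),
    # same value name under a non-policy key: outside the query's scope
    _event("2024-12-08T09:20:00Z", "ws-e",
           r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender",
           "DisableAntiSpyware", "0", "1"),
]


if __name__ == "__main__":
    for f in detect_defender_policy_disabled(SAMPLE_EVENTS):
        state = "newly disabled" if f.newly_disabled else "already disabled"
        print(f"{f.timestamp} {f.device} {f.value_name}={f.current} "
              f"(prev {f.previous!r}, remote={f.remote_session}) -> {state}")
```

Running the script reports ws-a, ws-b and ws-c once each and drops the duplicate, the re-enable on ws-d, and the non-policy key on ws-e. The `newly_disabled` flag is the first thing to look at when triaging: a 0 → 1 change with `remote_session` set is a different conversation with the device owner than a scheduled policy re-apply that re-writes a 1.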

Details

Sergio Albea

Released: December 8, 2024

Tables

DeviceRegistryEvents

Keywords

Devices

Operators

DeviceRegistryEvents | where | or | distinct