Query Details

MDE Defenderpassivemode

Query

# Defender for Endpoint - identify devices running in Passive mode

## Query Information

### Description

Identify devices running Microsoft Defender Antivirus in Passive mode.

#### References

### Author

- ***Microsoft***

### Microsoft Defender XDR

```kql
// Classify the Defender Antivirus running mode reported in the
// AdditionalFields.AvMode property of the TVM info-gathering records
DeviceTvmInfoGathering
| where Timestamp > ago(3d)
| extend AvModeTemp = AdditionalFields.AvMode
// 0 = Active, 1 = Passive, 4 = EDR Blocked; anything else is reported as Unknown
| extend AVMode = iif(tostring(AvModeTemp) == '0', 'Active', iif(tostring(AvModeTemp) == '1', 'Passive', iif(tostring(AvModeTemp) == '4', 'EDR Blocked', 'Unknown')))
// Keep only the most recently seen record for each device
| summarize arg_max(LastSeenTime, *) by DeviceId
| project DeviceName, OSPlatform, AVMode
```

Explanation

This query is designed to identify devices that are running Microsoft Defender Antivirus in Passive mode. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing data from the DeviceTvmInfoGathering table.

  2. Time Filter: It filters the data to include only records from the last 3 days.

  3. AV Mode Extraction: It extracts the antivirus mode information from a field called AdditionalFields.AvMode and temporarily stores it in a variable called AvModeTemp.

  4. Mode Interpretation: It interprets the antivirus mode:

     - '0' is translated to 'Active'
     - '1' is translated to 'Passive'
     - '4' is translated to 'EDR Blocked'
     - Any other value is labeled as 'Unknown'

  5. Latest Record Selection: It selects the most recent record for each device using the arg_max function, which ensures that only the latest information is considered.

  6. Output: Finally, it projects (or selects) the relevant information to display: the device name (DeviceName), the operating system platform (OSPlatform), and the antivirus mode (AVMode).

In summary, this query reports the current antivirus mode of every device seen in the last three days, using the most recent record per device, so the devices running in Passive mode can be picked out from the AVMode column.
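As an added example (not part of the original page or Microsoft's query), the same classification written with `case()` in place of the nested `iif` calls, restricted to the devices actually reported in Passive mode and sorted by when they were last seen. It assumes the same DeviceTvmInfoGathering table and the same AvMode value encoding the page describes; the `LatestAvMode` variable name is my own.

```kql
// Added example: one row per device with its latest reported AV mode,
// then only the devices in Passive mode. Assumes the AdditionalFields.AvMode
// encoding described on this page (0 = Active, 1 = Passive, 4 = EDR Blocked).
let LatestAvMode =
    DeviceTvmInfoGathering
    | where Timestamp > ago(3d)
    // Reduce to the most recently seen record per device before classifying
    | summarize arg_max(LastSeenTime, *) by DeviceId
    // case() evaluates its predicates in order and falls through to the default
    | extend AVMode = case(
        tostring(AdditionalFields.AvMode) == '0', 'Active',
        tostring(AdditionalFields.AvMode) == '1', 'Passive',
        tostring(AdditionalFields.AvMode) == '4', 'EDR Blocked',
        'Unknown')
    | project DeviceId, DeviceName, OSPlatform, LastSeenTime, AVMode;
LatestAvMode
| where AVMode == 'Passive'
| project DeviceName, OSPlatform, LastSeenTime
| order by LastSeenTime desc
```

Replacing the final three lines with `| summarize DeviceCount = count() by AVMode` turns the same query into a fleet-wide distribution, which is a quick way to spot a growing number of 'Unknown' rows (records with no AvMode value). Passive mode is expected on devices where another antivirus product is registered as the primary engine; the rows worth following up are those where Defender Antivirus is meant to be the primary engine.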

Details


Alex Verboon

Released: June 15, 2025

Tables

DeviceTvmInfoGathering

Keywords

Devices

Operators

ago, extend, tostring, iif, summarize, arg_max, project, where
