Non Supported Agent Version Required For The Contain User Action By Attack Disruption
Query
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection"
| extend version_s = replace(@"[.]", "", InitiatingProcessVersionInfoProductVersion)
| extend FirstFiveChars = substring(version_s, 0, 6)
| extend FirstFiveChars = toint(FirstFiveChars)
| where FirstFiveChars < 108470
| summarize by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessVersionInfoProductVersionAbout this query
Non-supported Agent version required for the Contain User action by Attack Disruption
Description: The following query checks if the devices have the minimum sense agent version(v10.8470) required for the Contain User action triggered by Microsoft DefenderXDR Attack disruption.
Explanation
This query checks if devices have an outdated version of the Microsoft Defender ATP agent that is below the required version (v10.8470) for the "Contain User" action in Microsoft DefenderXDR's Attack Disruption feature. Here's a breakdown of what the query does:
- Data Source: It looks at the
DeviceRegistryEventstable. - Time Frame: It considers events from the last 30 days.
- Registry Key Filter: It filters events related to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection. - Version Extraction: It extracts and processes the version number of the initiating process.
- Removes dots from the version string.
- Takes the first six characters of the cleaned version string.
- Converts these characters to an integer.
- Version Comparison: It checks if this integer version number is less than 108470 (which corresponds to version 10.8470).
- Summarization: It summarizes the results by
DeviceId,DeviceName,InitiatingProcessFileName, andInitiatingProcessVersionInfoProductVersion.
In simple terms, this query identifies devices that are running an older version of the Microsoft Defender ATP agent that does not support the "Contain User" action, by checking their version numbers against the required minimum version.
Details

Sergio Albea
Released: September 3, 2024
Tables
Keywords
Operators