Query Details

Non-supported Agent Version Required for the Contain User Action by Attack Disruption

Query

**Non-supported Agent version required for the Contain User action by Attack Disruption**

**Description:** The following query checks whether devices have the minimum Sense agent version (v10.8470) required for the Contain User action triggered by Microsoft Defender XDR Attack Disruption.
```kql
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection"
// Strip the dots so that a product version such as "10.8470.22621.1" becomes "108470226211"
| extend version_s = replace(@"[.]", "", InitiatingProcessVersionInfoProductVersion)
// Keep the first six characters (major "10" + minor "8470") and compare them as an integer
| extend VersionPrefix = toint(substring(version_s, 0, 6))
| where VersionPrefix < 108470
| summarize by DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessVersionInfoProductVersion
```

Explanation

This query checks whether devices have an outdated version of the Microsoft Defender ATP agent, below the version (v10.8470) required for the "Contain User" action in Microsoft Defender XDR's Attack Disruption feature. Here's a breakdown of what the query does:

  1. Data Source: It looks at the DeviceRegistryEvents table.
  2. Time Frame: It considers events from the last 30 days.
  3. Registry Key Filter: It filters events related to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection.
  4. Version Extraction: It extracts and processes the version number of the initiating process.
    • Removes dots from the version string.
    • Takes the first six characters of the cleaned version string.
    • Converts these characters to an integer.
  5. Version Comparison: It checks if this integer version number is less than 108470 (which corresponds to version 10.8470).
  6. Summarization: It summarizes the results by DeviceId, DeviceName, InitiatingProcessFileName, and InitiatingProcessVersionInfoProductVersion.

In simple terms, this query identifies devices running an older version of the Microsoft Defender ATP agent that does not support the "Contain User" action, by checking their version numbers against the required minimum version.
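As an added example (not part of the original query), the same check written with `parse_version()`, which compares version strings numerically rather than by a fixed-width string prefix, and which keeps only the most recent record per device so a sensor upgraded during the 30-day window is not still reported from its older events. It assumes the sensor process is reported as MsSense.exe in InitiatingProcessFileName; the minimum version comes from the page.

```kql
// Added example: numeric version comparison plus latest-record-per-device.
// Assumption: the sensor binary appears as MsSense.exe in InitiatingProcessFileName.
let MinSenseVersion = parse_version("10.8470");
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where RegistryKey contains @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
| where InitiatingProcessFileName =~ "MsSense.exe"
| where isnotempty(InitiatingProcessVersionInfoProductVersion)
// One row per device: the most recently observed sensor version
| summarize arg_max(Timestamp, InitiatingProcessVersionInfoProductVersion, DeviceName) by DeviceId
// parse_version() turns "10.8470.22621.1" into a comparable decimal, so "10.9000.0.0" sorts above "10.8470"
| extend SenseVersion = parse_version(InitiatingProcessVersionInfoProductVersion)
| where SenseVersion < MinSenseVersion
| project DeviceId, DeviceName, LastSeen = Timestamp, InitiatingProcessVersionInfoProductVersion
```

Devices that no longer write to that registry key within the window are not covered by either query; pair it with DeviceInfo if you need full population coverage.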

Details


Sergio Albea

Released: September 3, 2024

Tables

DeviceRegistryEvents

Keywords

Devices

Operators

DeviceRegistryEvents, |, where, >, ago, contains, extend, replace, substring, toint, summarize, by