How to Add the Antimalware Assessment to Your Azure Sentinel Workspace

The Antimalware Assessment has been part of the Azure Marketplace for a long while and contains some valuable information like Threat Status Rank, Threat Status, Threat Status Details, Protection Status Rank, Protection Status, Protection Status Details, Type of Protection, Scan Date, Date Collected, Product Version, and others.

With all this valuable information wouldn’t it be great for use to help bolster and enhance security operations for Azure Sentinel environments?

Of course it would. And, here’s how to enable it.

Adding the Antimalware Assessment to the Log Analytics Workspace for Azure Sentinel

In the search space in the Azure portal, search for antimalware. The Antimalware Assessment will show up in the Marketplace section. Click on it.

After you click on the Antimalware Assessment component to initiate it, you’ll need to select the Log Analytics Workspace that is being utilized for Azure Sentinel. This is where the data from this assessment will reside. Once you select the correct one, click the Create button.

After a short bit of waiting for Azure deploying the assessment, you can then go into Azure Sentinel and start kicking the tires.

A new table called ProtectionStatus gets created under the Antimalware Assessment area as shown in the next image.

Run the getschema KQL operator to see the columns you can query against.

If this provides value for you, let me know. And, if you develop some crazy-cool new KQL queries and Analytics Rules from this, don’t hesitate to share with the rest of us. 

What You Get

Here’s the list of all columns available to query against…

Reference: https://azurecloudai.blog/2020/10/15/how-to-add-the-antimalware-assessment-to-your-azure-sentinel-workspace/