⭐️ Add Support for Microsoft Defender in EDR Policy (#405)

Signed-off-by: Hossein Rouhani <[email protected]>
mondoohq · Jun 7, 2024 · c393a41 · c393a41
1 parent 2d73eb3
commit c393a41
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/core/mondoo-edr-policy.mql.yaml b/core/mondoo-edr-policy.mql.yaml
@@ -3,7 +3,7 @@
 policies:
   - uid: mondoo-edr-policy
     name: Endpoint Detection and Response (EDR) Policy
-    version: 1.2.1
+    version: 1.3.0
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -19,6 +19,12 @@ policies:
 
         By implementing this policy, we take a proactive approach to instill confidence in our security posture and reinforce our commitment to safeguarding sensitive data, critical assets, and the integrity of our digital infrastructure.
 
+        Additionally, it is highly recommended that antivirus signatures are updated daily to ensure protection against the latest threats. For instance, Windows Defender signatures can be updated using the following PowerShell command:
+  
+        ```powershell
+        Update-MpSignature
+        ```
+
         ## Local scan
 
         Local scan refer to scans of files and operating systems where cnspec is installed.
@@ -88,7 +94,7 @@ queries:
   - uid: mondoo-edr-policy-ensure-edr-agent-is-installed-windows
     filters: asset.family.contains('windows')
     mql: |
-      package('CrowdStrike Sensor Platform').installed || package('Sentinel Agent').installed || package('ESET Endpoint Security').installed || package('ESET Server Security').installed
+      package('CrowdStrike Sensor Platform').installed || package('Sentinel Agent').installed || package('ESET Endpoint Security').installed || package('ESET Server Security').installed || service('WinDefend').installed
 
   - uid: mondoo-edr-policy-ensure-edr-agent-is-running
     title: Ensure EDR Agent is running
@@ -110,6 +116,7 @@ queries:
       - uid: mondoo-edr-policy-ensure-eset-agent-is-running-macos
       - uid: mondoo-edr-policy-ensure-eset-agent-is-running-linux
       - uid: mondoo-edr-policy-ensure-eset-agent-is-running-windows
+      - uid: mondoo-edr-policy-ensure-defender-agent-is-running-and-updated-windows
   - uid: mondoo-edr-policy-ensure-crowdstrike-agent-is-running-macos
     filters: |
       asset.platform == 'macos'
@@ -184,3 +191,11 @@ queries:
     mql: |
       service('EraAgentSvc').running
       service('EraAgentSvc').enabled
+  - uid: mondoo-edr-policy-ensure-defender-agent-is-running-and-updated-windows
+    filters: |
+      asset.family.contains('windows')
+      service('WinDefend').installed
+    mql: |
+      service('WinDefend').running
+      service('WinDefend').enabled
+      parse.json(content: powershell("Get-MpComputerStatus | Select-Object -Property AntivirusSignatureAge | ConvertTo-JSON").stdout).params.AntivirusSignatureAge == 0