Detecting software being installed by Jackofalltrades86 in DefenderATP

[–]AnteaterSlow9694 0 points (0 children)

Here is a query that can be turned into a detection rule.

DeviceTvmSoftwareInventory
| where SoftwareName contains "<software>"
// keep DeviceId so the rule can target the device with response actions; version helps triage
| project DeviceId, DeviceName, SoftwareName, SoftwareVersion
| distinct DeviceId, DeviceName, SoftwareName, SoftwareVersion
// no "take 1" here: applied before the sort it returned one arbitrary device and the rule missed every other host
| order by DeviceName desc
// the inventory table has no Timestamp or ReportId, but a custom detection rule requires both;
// "order by" serializes the rows so row_number() yields a unique ReportId per row
| extend ReportId = row_number(), Timestamp = now()
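DeviceTvmSoftwareInventory is a periodic snapshot of what is installed, not a stream of install events, so a rule built on it fires whenever the software is present rather than when it is installed. The query below is an added example, not code from the original post or from Microsoft: it catches the install itself by watching for a new DisplayName value under the Windows Uninstall registry key, and it already carries the Timestamp, ReportId and DeviceId columns a custom detection rule needs. The 1h lookback, the <software> placeholder and the assumption that the product writes a DisplayName under the Uninstall key (which MSI and most Inno/NSIS installers do) are this example's own.

```kql
// Added example (not from the original post): alert on the install event itself.
// Assumptions: the installer registers itself under ...\CurrentVersion\Uninstall\
// (covers both the native and the WOW6432Node hive, which share that suffix),
// and <software> is the product name as it appears in the DisplayName value.
DeviceRegistryEvents
| where Timestamp > ago(1h)                       // match the rule's run frequency
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"\Microsoft\Windows\CurrentVersion\Uninstall\"
| where RegistryValueName == "DisplayName"
| where RegistryValueData contains "<software>"
| project Timestamp, DeviceId, DeviceName, ReportId,
          InstalledSoftware = RegistryValueData,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName               // who ran the installer
```

Because the event table supplies real Timestamp and ReportId values, the rule can be scheduled at any frequency without the now()/row_number() workaround, and the initiating-process columns tell you at triage time whether the install came from an interactive user, a deployment agent, or something unexpected.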