# *Device TVM Secure Configuration Assessment Summary*

## Query Information

#### Description
This rule summarizes the compliance status of security configurations across devices using data from DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB. It identifies and prioritizes security misconfigurations by counting compliant, non-compliant, and not-applicable devices for each configuration, ordered by the highest number of non-compliant devices.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

## Defender XDR
```KQL
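// Assessment results for each security configuration on each device
DeviceTvmSecureConfigurationAssessment
// Add the readable configuration name from the knowledge-base table
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName
) on ConfigurationId
// Count assessment rows per configuration, split by status
| summarize
    Total = count(),
    Compliant = countif(IsCompliant == 1),
    NonCompliant = countif(IsCompliant == 0),
    NotApplicable = countif(IsApplicable == 0)
  by ConfigurationId, ConfigurationName
// Configurations with the most non-compliant results first
| order by NonCompliant desc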
```

Explanation

This query is designed to provide a summary of how well devices adhere to security configuration standards. It uses data from two sources: DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB. Here's a simple breakdown of what the query does:

1. Join Data Sources: It combines information from two tables to get details about each security configuration, including its ID and name.

2. Count Compliance Status: For each security configuration, it calculates:

   - The total number of devices assessed.
   - The number of devices that are compliant with the configuration.
   - The number of devices that are non-compliant.
   - The number of devices for which the configuration is not applicable.

3. Prioritize Issues: It sorts the configurations by the number of non-compliant devices, showing the configurations with the most issues at the top.

In summary, this query helps identify which security configurations are most problematic across devices by highlighting those with the highest number of non-compliant devices.
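A variant of the summary as an added example (not the author's query): the query above counts assessment rows, and a row with both `IsCompliant == 0` and `IsApplicable == 0` lands in both NonCompliant and NotApplicable, so this version keeps the latest record per device and configuration and counts non-compliance only where the configuration applies. The two `datatable` blocks, the `scid-sample-*` IDs and the device names are constructed sample data standing in for the real tables; `CompliancePct` is a column name introduced here.

```kql
// Constructed sample rows standing in for DeviceTvmSecureConfigurationAssessment.
// dev-a has two records for scid-sample-1 (the newer one is compliant);
// dev-c is not applicable for scid-sample-1.
let Assessment = datatable(Timestamp:datetime, DeviceId:string, ConfigurationId:string,
                           IsCompliant:bool, IsApplicable:bool)
[
    datetime(2026-03-01), "dev-a", "scid-sample-1", false, true,
    datetime(2026-03-02), "dev-a", "scid-sample-1", true,  true,
    datetime(2026-03-02), "dev-b", "scid-sample-1", false, true,
    datetime(2026-03-02), "dev-c", "scid-sample-1", false, false,
    datetime(2026-03-02), "dev-a", "scid-sample-2", false, true,
    datetime(2026-03-02), "dev-b", "scid-sample-2", false, true
];
// Constructed stand-in for DeviceTvmSecureConfigurationAssessmentKB.
let KB = datatable(ConfigurationId:string, ConfigurationName:string)
[
    "scid-sample-1", "Sample configuration one",
    "scid-sample-2", "Sample configuration two"
];
Assessment
// Keep only the latest assessment per device and configuration.
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId
// One row per device now, so the counts below are device counts.
| summarize
    Devices       = count(),
    Applicable    = countif(IsApplicable),
    Compliant     = countif(IsApplicable and IsCompliant),
    NonCompliant  = countif(IsApplicable and not(IsCompliant)),
    NotApplicable = countif(not(IsApplicable))
  by ConfigurationId
// Share of compliant devices among those the configuration applies to.
| extend CompliancePct = iff(Applicable == 0, real(null),
                             round(100.0 * Compliant / Applicable, 1))
| join kind=leftouter (KB) on ConfigurationId
| project ConfigurationId, ConfigurationName, Devices, Compliant,
          NonCompliant, NotApplicable, CompliancePct
| order by NonCompliant desc, CompliancePct asc
```

To run it against a tenant, drop the two `let` statements and use the real table names in their place.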

Details

Benjamin Zulliger

Released: March 30, 2026

Tables

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Keywords

DeviceTvmSecureConfigurationAssessment, Devices, Configuration, Compliance

Operators

join, project, summarize, count, countif, order by