Device Tvm Secure Configuration Assessment Enrichment With SCID Details

# *DeviceTvmSecureConfigurationAssessment Enrichment with SCID Details*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
|  |  |  |

#### Shout out
A big thank you to Kaido Järvemets for the Defender SCID Explorer, which is the source of the ScidList CSV used below. The list is regenerated every Monday.
https://docs.kaidojarvemets.com/defender-scid-explorer

#### Description
This query enriches 'DeviceTvmSecureConfigurationAssessment' data by joining it with an external list of Security Content IDs (SCIDs). The SCID list provides additional context such as platform, configuration name, function, compliant/non-compliant values, and descriptions for security configuration assessments, which helps in understanding and prioritizing security posture findings.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://docs.kaidojarvemets.com/defender-scid-explorer

## Defender XDR
```KQL
//thx to Kaido Järvemets for the Defender SCID Explorer
let ScidList = materialize(externaldata(line: string)
[@"https://raw.githubusercontent.com/benscha/KQLAdvancedHunting/main/MISC/scid.csv?v2"]
with (format="txt")
| where line !startswith "#" and line !startswith "SCID,"
| extend fields = split(line, '","')
| extend
    SCID = trim('"', tostring(fields[0])),
    Platform = trim('"', tostring(fields[1])),
    ConfigurationName = trim('"', tostring(fields[2])),
    Function = trim('"', tostring(fields[3])),
    CompliantValue = trim('"', tostring(fields[4])),
    NonCompliantValue = trim('"', tostring(fields[5])),
    CrossPlatformSCIDs = trim('"', tostring(fields[6])),
    Description = trim('"', tostring(fields[7]))
| project-away line, fields);
DeviceTvmSecureConfigurationAssessment
| join kind=inner ScidList on $left.ConfigurationId == $right.SCID
```

Explanation

This query is designed to enhance the data from 'DeviceTvmSecureConfigurationAssessment' by integrating it with additional information from an external list of Security Content IDs (SCIDs). Here's a simplified breakdown of what the query does:

  1. External Data Source: It pulls data from an external CSV file hosted on GitHub. This file contains a list of SCIDs along with details like platform, configuration name, function, compliant and non-compliant values, and descriptions.

  2. Data Processing: The query processes the CSV file to extract and clean the necessary fields, such as SCID, Platform, ConfigurationName, Function, CompliantValue, NonCompliantValue, CrossPlatformSCIDs, and Description.

  3. Data Enrichment: It then performs an inner join between the 'DeviceTvmSecureConfigurationAssessment' data and the processed SCID list. This means it combines records from both datasets where the 'ConfigurationId' from the assessment data matches the 'SCID' from the SCID list.

  4. Purpose: By enriching the assessment data with SCID details, the query provides additional context and insights into security configuration assessments. This helps in better understanding and prioritizing security posture findings, making it easier to identify and address security issues.

Overall, this query is a tool for enhancing security data analysis by providing more detailed information about security configurations through the integration of external SCID data.
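The parse-and-join logic described above can be tried without access to the external CSV. The following is an added example, not part of the original query or the author's repository: it feeds the same field-splitting and trimming code a constructed inline copy of the SCID list, joins it against a constructed stand-in for `DeviceTvmSecureConfigurationAssessment` (using the real schema columns `DeviceName`, `ConfigurationId`, `IsCompliant`, `IsApplicable`), and summarizes the non-compliant findings per control. The SCID values `scid-2000`, `scid-2001` and `scid-9999` and the device names are constructed sample data.

```kql
// Added example, not the original query: constructed SCID rows in the same
// quoted-CSV layout as scid.csv, parsed with the same split/trim logic.
let ScidListSample = datatable(line: string) [
    '# constructed sample in the layout of scid.csv',
    'SCID,Platform,ConfigurationName,Function,CompliantValue,NonCompliantValue,CrossPlatformSCIDs,Description',
    '"scid-2000","Windows","Sample control A","Accounts","Enabled","Disabled","","Constructed description A"',
    '"scid-2001","Windows","Sample control B","Network","Configured","Not configured","","Constructed description B"'
]
| where line !startswith "#" and line !startswith "SCID,"
| extend fields = split(line, '","')
| extend
    SCID = trim('"', tostring(fields[0])),
    Platform = trim('"', tostring(fields[1])),
    ConfigurationName = trim('"', tostring(fields[2])),
    Function = trim('"', tostring(fields[3])),
    CompliantValue = trim('"', tostring(fields[4])),
    NonCompliantValue = trim('"', tostring(fields[5])),
    CrossPlatformSCIDs = trim('"', tostring(fields[6])),
    Description = trim('"', tostring(fields[7]))
| project-away line, fields;
// Constructed assessment rows standing in for DeviceTvmSecureConfigurationAssessment.
// The last row uses a ConfigurationId (scid-9999) that has no entry in the list,
// so the inner join drops it; see the usage note for how to surface such rows.
let AssessmentSample = datatable(DeviceName: string, ConfigurationId: string, IsCompliant: bool, IsApplicable: bool) [
    'host01', 'scid-2000', false, true,
    'host02', 'scid-2000', true,  true,
    'host01', 'scid-2001', false, true,
    'host03', 'scid-9999', false, true
];
// Keep only applicable, non-compliant findings, enrich them with the SCID
// details, and collapse to one row per control with the affected devices.
AssessmentSample
| where IsApplicable and not(IsCompliant)
| join kind=inner ScidListSample on $left.ConfigurationId == $right.SCID
| summarize AffectedDevices = make_set(DeviceName), DeviceCount = dcount(DeviceName)
    by ConfigurationId, Platform, ConfigurationName, Function, CompliantValue, NonCompliantValue
| order by DeviceCount desc
```

With the sample data this yields two rows, `scid-2000` (host01) and `scid-2001` (host01), each carrying the compliant and non-compliant values from the list; host03's `scid-9999` finding disappears because the join is `kind=inner`. To check how much of your assessment data the list actually covers, swap the final pipeline for `AssessmentSample | join kind=leftanti ScidListSample on $left.ConfigurationId == $right.SCID | distinct ConfigurationId`, which lists the ConfigurationIds that would be silently dropped by the enrichment.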

Details

Benjamin Zulliger

Released: June 19, 2026

Tables

DeviceTvmSecureConfigurationAssessment

Keywords

DeviceTvmSecureConfigurationAssessment, Security Content IDs, Platform, ConfigurationName, Function, CompliantValue, NonCompliantValue, CrossPlatformSCIDs, Description

Operators

materialize, externaldata, with, where, !startswith, extend, split, trim, tostring, project-away, join