Query Details

Endpoint Status Report

Query

// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)

Explanation

This query retrieves the best-practice endpoint configuration checks for a Microsoft Defender for Endpoint deployment. It filters DeviceTvmSecureConfigurationAssessment to the listed configuration IDs and keeps only the most recent assessment (arg_max on Timestamp) for each device and configuration ID. It then maps each configuration ID to a readable test name and computes a Result: "N/A" if the configuration is not applicable to the device, "GOOD" if it is compliant, and "BAD" otherwise. Each test/result pair is packed into a property bag, the bags are merged per device with make_bag, and bag_unpack expands them so the output has one row per device and one column per test.
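An added example, not part of the original query or its author's work: it reuses the same table and the same configuration ID to test mapping, but instead of one column per test it produces a fleet-level view of how many devices fail each check, which is the form a defender usually wants for triage. The datatable mapping is copied from the case() above; the 50-device cap in make_set is an assumed display limit.

```kql
// Added example (not from the original query): fleet-wide failure count per
// best-practice check, using the same table and configuration IDs as above.
let Checks = datatable(ConfigurationId:string, Test:string) [
    "scid-2000", "SensorEnabled",
    "scid-2001", "SensorDataCollection",
    "scid-2002", "ImpairedCommunications",
    "scid-2003", "TamperProtection",
    "scid-2010", "AntivirusEnabled",
    "scid-2011", "AntivirusSignatureVersion",
    "scid-2012", "RealtimeProtection",
    "scid-91",   "BehaviorMonitoring",
    "scid-2013", "PUAProtection",
    "scid-2014", "AntivirusReporting",
    "scid-2016", "CloudProtection"
];
// Latest assessment per device and check, with the same GOOD/BAD/N/A result logic.
let Latest = DeviceTvmSecureConfigurationAssessment
| join kind=inner Checks on ConfigurationId
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId, Test
| extend Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD");
// Only failing checks; count distinct devices per test and list up to 50 of them
// (50 is an assumed cap to keep the result readable), worst check first.
Latest
| where Result == "BAD"
| summarize FailingDevices = dcount(DeviceName), Devices = make_set(DeviceName, 50) by Test
| order by FailingDevices desc
```

Switching the where clause to Result == "N/A" shows which checks never apply in your environment, which helps separate a real gap from a check that does not fit the device.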

Details

C.J. May

Released: January 3, 2022

Tables

DeviceTvmSecureConfigurationAssessment

Keywords

DeviceTvmSecureConfigurationAssessment,ConfigurationId,Timestamp,IsCompliant,IsApplicable,DeviceName,Test,Result,packed,Tests

Operators

where, in, summarize, arg_max, by, extend, case, ==, "N/A", =, make_bag, pack, evaluate, bag_unpack