Query Details

MDE TVM Exposure Level

Query

# Defender for Endpoint - Exposure Level

## Query Information

### Description

Summary of onboarded Defender for Endpoint devices, counted by exposure level (Low, Medium, High, None).

You can run this query in a Microsoft Sentinel summary rule every 24 hours to keep a daily log of your exposure levels and trend them over time.


### Microsoft Sentinel

```kql
DeviceInfo
//| where TimeGenerated > ago(1d)
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(TimeGenerated, *) by DeviceId
| summarize
    Low = dcountif(DeviceId, ExposureLevel == 'Low'),
    Medium = dcountif(DeviceId, ExposureLevel == 'Medium'),
    High = dcountif(DeviceId, ExposureLevel == 'High'),
    None = dcountif(DeviceId, ExposureLevel == 'None')
| extend Time = now()
```

Explanation

This KQL (Kusto Query Language) query summarizes the exposure levels of devices managed by Microsoft Defender for Endpoint, as reported in the DeviceInfo table. Step by step:

  1. Source table: The query reads from the DeviceInfo table, which the Defender for Endpoint connector populates with one row per device report.
  2. Filter by onboarding status: Only rows whose OnboardingStatus is 'Onboarded' are kept, so discovered-but-not-onboarded devices, which carry no meaningful exposure level, do not distort the counts.
  3. Latest record per device: arg_max(TimeGenerated, *) by DeviceId keeps the most recent row for each DeviceId, so every device is counted once with its current exposure level rather than once per historical report.
  4. Count devices by exposure level: dcountif counts the devices whose ExposureLevel is 'Low', 'Medium', 'High' or 'None'. Because the previous step already reduced the data to one row per device, countif would return the same numbers. A device with any other value (for example an empty ExposureLevel) falls into none of the four columns, so the four counts do not necessarily add up to the total number of onboarded devices.
  5. Add timestamp: Finally, now() is added as the Time column so each result row records when the snapshot was taken.

The output is a single row with the number of devices in each exposure level at the time the query ran. Scheduled as a Microsoft Sentinel summary rule every 24 hours, it produces a daily log of device exposure levels. The time filter on the first line is commented out; when you run the query interactively, uncommenting it limits the scan to the last day, which is normally enough to pick up each active device's latest report and avoids scanning the whole table.
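The following query is an added example, not part of the original page, showing the same counting logic extended into a daily trend computed directly from DeviceInfo rather than from a summary rule's output table. It keeps the latest report per device per day and adds an Other column so that devices with an unexpected or empty ExposureLevel are visible instead of silently dropped. It assumes only the DeviceInfo columns the original query already uses (DeviceId, OnboardingStatus, ExposureLevel, TimeGenerated); the 30-day lookback is an assumption and should be adjusted to your retention.

```kql
// Added example (not the original page's query): daily exposure-level trend
// over the last 30 days, straight from DeviceInfo.
// Assumes the DeviceInfo columns used by the original query; the lookback
// value is an assumption, adjust it to your workspace retention.
let lookback = 30d;
DeviceInfo
| where TimeGenerated > ago(lookback)
| where OnboardingStatus == 'Onboarded'
| extend Day = bin(TimeGenerated, 1d)
// latest report for each device on each day, so a device is counted once per day
| summarize arg_max(TimeGenerated, ExposureLevel) by DeviceId, Day
| summarize
    Low    = countif(ExposureLevel == 'Low'),
    Medium = countif(ExposureLevel == 'Medium'),
    High   = countif(ExposureLevel == 'High'),
    None   = countif(ExposureLevel == 'None'),
    // anything outside the four known levels (e.g. empty) so no device is lost from the totals
    Other  = countif(ExposureLevel !in ('Low', 'Medium', 'High', 'None')),
    Total  = dcount(DeviceId)
    by Day
| order by Day asc
```

Low + Medium + High + None + Other should equal Total on every row; if Other is consistently non-zero, check what value those devices report before trusting the four-level summary.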

Details


Alex Verboon

Released: September 12, 2024

Tables

DeviceInfo

Keywords

Devices

Operators

where, ==, ago(), summarize, arg_max(), *, by, dcountif(), extend, now()
