Query Details

Defender for Endpoint - Exposure Level

MDE TVM Exposure Level

Query

DeviceInfo
//| where TimeGenerated > ago(1d)
| where OnboardingStatus == 'Onboarded'
| summarize arg_max(TimeGenerated, *) by DeviceId
| summarize
    Low = dcountif(DeviceId, ExposureLevel == 'Low'),
    Medium = dcountif(DeviceId, ExposureLevel == 'Medium'), 
    High = dcountif(DeviceId, ExposureLevel == 'High'),
    None = dcountif(DeviceId, ExposureLevel == 'None')
| extend Time = now()    
```kql

About this query

Defender for Endpoint - Exposure Level

Query Information

Description

Summaries of devices with Exposure Levels.

You could use this query to run in a Sentinel Summarization rule every 24 hours to keep a log of your exposure levels.

References

Microsoft Sentinel

Explanation

This KQL (Kusto Query Language) query is designed to summarize the exposure levels of devices managed by Microsoft Defender for Endpoint. Here's a simple breakdown of what the query does:

  1. Source Table: The query starts by pulling data from the DeviceInfo table.
  2. Filter by Onboarding Status: It filters the data to include only devices that are currently 'Onboarded'.
  3. Latest Record per Device: For each device, it selects the most recent record based on the TimeGenerated timestamp.
  4. Count Devices by Exposure Level: It then counts the number of devices in each exposure level category ('Low', 'Medium', 'High', 'None').
  5. Add Timestamp: Finally, it adds the current timestamp to the results.

The output will give you a summary of how many devices fall into each exposure level category at the current time. This query can be scheduled to run every 24 hours in Microsoft Sentinel to keep a daily log of device exposure levels.

Details

Alex Verboon profile picture

Alex Verboon

Released: September 12, 2024

Tables

DeviceInfo

Keywords

Devices

Operators

where==ago()summarizearg_max()*bydcountif()extendnow()

Actions

GitHub