Query Details

MDE TVM Network Network Protection

Query

# MDE - TVM - Security Configuration - Network Protection

## Query Information

Use the queries below to retrieve Network Protection configuration compliance.

### Microsoft 365 Defender


```kql
// Network - Network Protection - Compliance Summary
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-96")
// Keep only the most recent assessment per device
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-96", "EnableNetworkProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Count distinct devices per result
| summarize
    Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
    NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
    NotApplicable = toint(dcountif(DeviceId, Result == "N/A"))
    by Configuration, ConfigurationId
// Add the configuration name, category and risk description from the KB table
| join DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint((Compliant + NonCompliant + NotApplicable))
| extend PctCompliant = toint((Compliant*100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant, NonCompliant, NotApplicable, TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
| sort by ConfigurationSubcategory
// Optional: uncomment the next two lines to render the result as a chart
// | summarize by ConfigurationName, TotalDevices,Compliant,NonCompliant
// | render columnchart with(kind=stacked100)
```

```kql
// Network - Network Protection - Non-Compliance Details
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-96")
// Keep only the most recent assessment per device
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-96", "EnableNetworkProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Filter on Result so the device list matches the NonCompliant count of the
// summary query (devices where the setting is not applicable are left out)
| where Result == "BAD"
| join kind=leftouter DeviceTvmSecureConfigurationAssessmentKB
on $left.ConfigurationId == $right.ConfigurationId
| project DeviceName, ConfigurationName, ConfigurationSubcategory, ConfigurationCategory
| sort by DeviceName, ConfigurationSubcategory
```

Explanation

The first query retrieves the compliance status of Network Protection configuration for devices. It summarizes the compliance status by configuration and calculates the number of compliant, non-compliant, and not applicable devices. It also calculates the percentage of compliant devices. The query then joins the results with the configuration knowledge base to include additional information about the configuration. Finally, it projects and sorts the results by configuration subcategory.

The second query lists the devices that are non-compliant with the Network Protection configuration. It filters for non-compliant devices, joins the results with the configuration knowledge base, and projects and sorts the results by device name and configuration subcategory.
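
The classification step both queries share, run over constructed rows instead of the live table. This is an added example, not part of the original query: the sample rows, the `SampleAssessment` name and the `ApplicableDevices` and `PctCompliantApplicable` columns are assumptions made for illustration. It covers a device whose older failing result is superseded by a newer passing one, and a device where the setting is not applicable.

```kql
// Constructed sample rows (not real telemetry) standing in for
// DeviceTvmSecureConfigurationAssessment:
//   dev-a: older non-compliant result, then a newer compliant one
//   dev-b: latest result is non-compliant
//   dev-c: setting is not applicable, IsCompliant is false
let SampleAssessment = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string,
                                 ConfigurationId:string, IsCompliant:bool, IsApplicable:bool)
[
    datetime(2023-09-17 08:00:00), "dev-a", "ws-01",  "scid-96", false, true,
    datetime(2023-09-18 08:00:00), "dev-a", "ws-01",  "scid-96", true,  true,
    datetime(2023-09-18 08:00:00), "dev-b", "ws-02",  "scid-96", false, true,
    datetime(2023-09-18 08:00:00), "dev-c", "srv-01", "scid-96", false, false
];
SampleAssessment
| where ConfigurationId == "scid-96"
// arg_max keeps one row per device: the one with the newest Timestamp
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
// case() returns the first matching branch, so "not applicable" wins over IsCompliant
| extend Result = case(IsApplicable == false, "N/A", IsCompliant == true, "GOOD", "BAD")
| summarize
    Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
    NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
    NotApplicable = toint(dcountif(DeviceId, Result == "N/A"))
    by ConfigurationId
| extend TotalDevices = Compliant + NonCompliant + NotApplicable
// PctCompliant as computed on this page: not-applicable devices are in the denominator
| extend PctCompliant = toint((Compliant * 100) / TotalDevices)
// Hypothetical extra column: compliance among applicable devices only
| extend ApplicableDevices = Compliant + NonCompliant
| extend PctCompliantApplicable = iff(ApplicableDevices == 0, int(null),
                                      toint((Compliant * 100) / ApplicableDevices))
```

Comparing `PctCompliant` with `PctCompliantApplicable` shows how much of a low percentage comes from devices where the setting does not apply rather than from devices that lack it.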

Details

Alex Verboon

Released: September 19, 2023

Tables

DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Keywords

Devices, Intune, User, NetworkProtection, SecurityConfiguration

Operators

where, summarize, arg_max, by, extend, case, toint, dcountif, join, on, project, sort