Query Details

MDE - TVM - Security Configuration - Windows Firewall

MDE TVM Security Controls Firewall

Query

//  Security Controls - Firewall - Compliance Summary 
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-51","scid-50","scid-49","scid-46","scid-43","scid-2073","scid-2072","scid-2071","scid-2070")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-51", "DisableMergeFWConnectionRules",
    ConfigurationId == "scid-50", "DisableMergeFWRules",
    ConfigurationId == "scid-49", "DisableFWNotProgPublic",
    ConfigurationId == "scid-46", "DisableFWNotProgPrivate",
    ConfigurationId == "scid-43", "DisableFWNotProgDomain",
    ConfigurationId == "scid-2073", "SecFwPublic",
    ConfigurationId == "scid-2072", "SecFwPrivate",
    ConfigurationId == "scid-2071", "SecFwDomain",
    ConfigurationId == "scid-2070", "TurnOnFw",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| summarize toint(Compliant = dcountif(DeviceId ,Result=="GOOD")) ,toint(NonCompliant = dcountif(DeviceId,Result=="BAD")), toint(NotApplicable = dcountif(DeviceId, Result =="N/A")) by Configuration, ConfigurationId
| join DeviceTvmSecureConfigurationAssessmentKB 
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint((Compliant + NonCompliant + NotApplicable))
| extend PctCompliant = toint((Compliant*100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant,NonCompliant, NotApplicable,TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription 
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices,Compliant,NonCompliant
// | render columnchart with(kind=stacked100)

About this query

Explanation

The first query retrieves the compliance status of Windows Firewall configurations. It summarizes the compliance status for each configuration and calculates the number of compliant, non-compliant, and not applicable devices. It also provides additional information such as the configuration name, subcategory, description, category, and risk description.

The second query focuses on the non-compliant details of the Windows Firewall configurations. It retrieves the devices that are not compliant with the configurations and provides information about the device name, configuration name, subcategory, and category.

Details

Alex Verboon profile picture

Alex Verboon

Released: September 19, 2023

Tables

DeviceTvmSecureConfigurationAssessmentDeviceTvmSecureConfigurationAssessmentKB

Keywords

DevicesIntuneUserMDETVMSecurity ConfigurationWindows Firewall

Operators

whereinsummarizearg_maxbyextendcasedcountifjoinontointprojectsort

Actions

GitHub