# MDE - TVM - Security Configuration - Smartscreen
## Query Information
Use the queries below to retrieve SmartScreen configuration compliance.
### Microsoft 365 Defender
```kql
// Security Controls - SmartScreen - Compliance Summary
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2061","scid-2060")
// Keep only the latest assessment per device and configuration
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
        ConfigurationId == "scid-2061", "SmartScreenEdge",
        ConfigurationId == "scid-2060", "SmartScreenAppFile",
        "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Count distinct devices per result for each configuration
| summarize Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
    NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
    NotApplicable = toint(dcountif(DeviceId, Result == "N/A"))
    by Configuration, ConfigurationId
// Add the configuration name, category and risk description from the KB table
| join DeviceTvmSecureConfigurationAssessmentKB
    on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint((Compliant + NonCompliant + NotApplicable))
| extend PctCompliant = toint((Compliant*100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant,NonCompliant, NotApplicable,TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices,Compliant,NonCompliant
// | render columnchart with(kind=stacked100)
```
```kql
// Security Controls - SmartScreen - Non-Compliance Details
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2061","scid-2060")
// Keep only the latest assessment per device and configuration
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
        ConfigurationId == "scid-2061", "SmartScreenEdge",
        ConfigurationId == "scid-2060", "SmartScreenAppFile",
        "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Keep non-compliant assessments only
| where IsCompliant == 0
| join kind=leftouter DeviceTvmSecureConfigurationAssessmentKB
    on $left.ConfigurationId == $right.ConfigurationId
| project DeviceName, ConfigurationName, ConfigurationSubcategory, ConfigurationCategory
| sort by DeviceName, ConfigurationSubcategory
```
The first query retrieves the compliance status of the two SmartScreen configurations (`scid-2060` and `scid-2061`). It keeps the latest assessment per device and configuration, classifies each one as compliant, non-compliant, or not applicable, and counts the distinct devices in each state per configuration. It then joins the results with the descriptive fields from the DeviceTvmSecureConfigurationAssessmentKB table, calculates the total number of devices and the percentage of compliant devices, and projects the results sorted by configuration subcategory.

The second query retrieves the details of non-compliant SmartScreen configurations on devices. It follows the same process as the first query but keeps only the devices that are not compliant. It also joins the results with the DeviceTvmSecureConfigurationAssessmentKB table, then projects the device and configuration names sorted by device name and configuration subcategory.
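
The percentage in the summary query divides by all devices, including those where the control is not applicable. The following added example (not part of the original query page) runs the same aggregation over constructed rows in a `datatable` and adds a hypothetical `PctCompliantApplicable` column computed over applicable devices only. The device IDs, device names, and boolean column types in the sample are assumptions.

```kql
// Added example: constructed sample rows standing in for
// DeviceTvmSecureConfigurationAssessment (column types are assumed).
// d1 has two scid-2060 records so that arg_max has an older row to discard;
// d3 represents a device where neither control is applicable.
let SampleAssessment = datatable(
    Timestamp:datetime, DeviceId:string, DeviceName:string,
    ConfigurationId:string, IsCompliant:bool, IsApplicable:bool)
[
    datetime(2023-09-17), "d1", "pc-01",  "scid-2060", false, true,
    datetime(2023-09-18), "d1", "pc-01",  "scid-2060", true,  true,
    datetime(2023-09-18), "d2", "pc-02",  "scid-2060", false, true,
    datetime(2023-09-18), "d3", "srv-01", "scid-2060", false, false,
    datetime(2023-09-18), "d1", "pc-01",  "scid-2061", true,  true,
    datetime(2023-09-18), "d2", "pc-02",  "scid-2061", true,  true,
    datetime(2023-09-18), "d3", "srv-01", "scid-2061", false, false
];
SampleAssessment
// Latest assessment per device and configuration, as in the queries above
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Result = case(IsApplicable == false, "N/A", IsCompliant == true, "GOOD", "BAD")
| summarize Compliant = toint(dcountif(DeviceId, Result == "GOOD")),
    NonCompliant = toint(dcountif(DeviceId, Result == "BAD")),
    NotApplicable = toint(dcountif(DeviceId, Result == "N/A"))
    by ConfigurationId
| extend TotalDevices = Compliant + NonCompliant + NotApplicable
// PctCompliant matches the summary query: N/A devices are part of the denominator
| extend PctCompliant = toint((Compliant * 100) / TotalDevices)
// Hypothetical extra column: same ratio over applicable devices only.
// iff() returns null instead of dividing by zero when no device is applicable.
| extend PctCompliantApplicable = iff(Compliant + NonCompliant == 0, int(null),
    toint((Compliant * 100) / (Compliant + NonCompliant)))
| sort by ConfigurationId asc
```

To run this against tenant data, replace `SampleAssessment` with `DeviceTvmSecureConfigurationAssessment` and restore the `ConfigurationId` filter from the original queries.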

Alex Verboon
Released: September 19, 2023