Query Details

Prioritize Secure Configuration

Query

DeviceTvmSecureConfigurationAssessment
| summarize TotalDevices = dcount(DeviceId) by ConfigurationId, ConfigurationCategory
| join kind=inner DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId
| sort by ConfigurationImpact, TotalDevices
| project-reorder ConfigurationId, ConfigurationImpact, TotalDevices, ConfigurationName,  ConfigurationCategory, ConfigurationSubcategory

About this query

Prioritize Secure Configuration

Query Information

Description

This query helps you prioritize configuration changes that affect your devices based on the Microsoft Defender TVM modules.

References

Defender XDR

Explanation

This query is designed to help prioritize configuration changes for devices using data from Microsoft Defender's Threat and Vulnerability Management (TVM) modules. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by accessing the DeviceTvmSecureConfigurationAssessment table, which contains information about the security configuration assessments of devices.

  2. Summarization: It calculates the total number of unique devices (TotalDevices) affected by each configuration issue, grouping the results by ConfigurationId and ConfigurationCategory.

  3. Joining Data: The query then combines this summarized data with another table, DeviceTvmSecureConfigurationAssessmentKB, using a common field, ConfigurationId. This helps enrich the data with additional details.

  4. Sorting: The results are sorted by ConfigurationImpact and the number of affected devices (TotalDevices). This helps in identifying which configurations have the most significant impact and affect the most devices.

  5. Reordering Columns: Finally, it rearranges the columns in the output to display ConfigurationId, ConfigurationImpact, TotalDevices, ConfigurationName, ConfigurationCategory, and ConfigurationSubcategory in a specific order.

Overall, this query helps identify and prioritize security configuration changes by showing which configurations impact the most devices and have the highest impact, allowing for more effective security management.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceTvmSecureConfigurationAssessmentDeviceTvmSecureConfigurationAssessmentKB

Keywords

DeviceTvmSecureConfigurationAssessmentIdCategoryImpactNameSubcategoryTotalDevices

Operators

summarizedcountbyjoinkind=innersort byproject-reorder

Actions

GitHub