# Prioritize Secure Configuration

## Query Information

#### Description
This query helps you prioritize configuration changes that affect your devices, using the secure configuration assessment data collected by the Microsoft Defender Threat and Vulnerability Management (TVM) modules.

#### References
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicetvmsecureconfigurationassessment-table

## Defender XDR
```KQL
// Count the distinct devices assessed against each configuration
DeviceTvmSecureConfigurationAssessment
| summarize TotalDevices = dcount(DeviceId) by ConfigurationId, ConfigurationCategory
// Enrich each configuration with its knowledge-base details (name, subcategory, impact score)
| join kind=inner DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId
// sort defaults to descending: highest impact and largest device count first
| sort by ConfigurationImpact, TotalDevices
| project-reorder ConfigurationId, ConfigurationImpact, TotalDevices, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory
```

## Explanation

This query is designed to help prioritize changes to device configurations based on their security impact, using data from Microsoft Defender's Threat and Vulnerability Management (TVM) modules. Here's a simplified breakdown of what the query does:

1. Data Collection: It starts from the DeviceTvmSecureConfigurationAssessment table, which records the security configuration state of each device.
2. Count Unique Devices: It calculates the number of unique devices (TotalDevices) assessed against each configuration setting, grouping the results by ConfigurationId and ConfigurationCategory.
3. Join with Knowledge Base: The summarized data is joined with the DeviceTvmSecureConfigurationAssessmentKB table, which holds the descriptive details for each configuration (name, category, subcategory and impact score), using ConfigurationId as the key.
4. Sorting: The results are sorted by ConfigurationImpact and then by the number of devices (TotalDevices). Because sort in KQL is descending by default, the highest-impact configurations with the most devices come first.
5. Reordering Columns: Finally, project-reorder rearranges the output columns so the configuration ID, its impact, the number of devices, the configuration name, category and subcategory appear first.

In essence, this query helps security teams identify and prioritize which configuration changes should be made first, based on their potential impact on security and the number of devices affected.
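An added variation, not part of the original query, that counts only devices where the setting applies and is currently non-compliant, and reports the non-compliant share per configuration; it assumes the IsApplicable and IsCompliant boolean columns of the DeviceTvmSecureConfigurationAssessment table:

```kql
// Added example: rank configurations by impact and by how many applicable
// devices are still non-compliant, so TotalDevices reflects remediation work
// rather than every device that was merely assessed.
DeviceTvmSecureConfigurationAssessment
| where IsApplicable == true                       // ignore settings that do not apply to the device
| summarize
    ApplicableDevices   = dcount(DeviceId),
    NonCompliantDevices = dcountif(DeviceId, IsCompliant == false)
    by ConfigurationId
| extend NonCompliantPct = round(100.0 * NonCompliantDevices / ApplicableDevices, 1)
// Project the KB side first so the join does not produce duplicate *1 columns
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationCategory,
              ConfigurationSubcategory, ConfigurationImpact
  ) on ConfigurationId
| where NonCompliantDevices > 0                    // nothing to fix for fully compliant settings
| sort by ConfigurationImpact desc, NonCompliantDevices desc
| project ConfigurationId, ConfigurationImpact, NonCompliantDevices, ApplicableDevices,
          NonCompliantPct, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory
```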

## Details

Author: Bert-Jan Pals

Released: October 14, 2024

Tables: DeviceTvmSecureConfigurationAssessment, DeviceTvmSecureConfigurationAssessmentKB

Keywords: Devices, Configuration, Assessment, Impact, Category, Subcategory, Name

Operators: summarize, dcount, by, join, kind=inner, sort by, project-reorder