Signature Ring Distribution

# Function: SignatureRingDistribution()

## Query Information

#### Description
This function returns the Signature Ring Distribution for the gradual rollout of AvPlatformRing, AvSignatureRing and AvEngineRing. Call it with one of these three ring names as its parameter to get the total number of devices per ring value together with the rollout channel each value corresponds to.

#### References
- https://learn.microsoft.com/en-us/defender-endpoint/manage-gradual-rollout


## Defender XDR
```kusto
// Parameter: the ring type to report on ("AvSignatureRing", "AvPlatformRing" or "AvEngineRing").
// column_ifexists() resolves RingName to the matching column; if RingName is not a column
// (for example a typo), it falls back to the literal string "AvSignatureRing", so every
// device then lands in "Unknown Ring" rather than the query failing.
let SignatureRingDistribution = (RingName:string) { 
    DeviceTvmInfoGathering
    // The ring settings live inside the AdditionalFields JSON column
    | extend AvSignatureRing = tostring(parse_json(AdditionalFields).AvSignatureRing), AvPlatformRing = tostring(parse_json(AdditionalFields).AvPlatformRing), AvEngineRing = tostring(parse_json(AdditionalFields).AvEngineRing)
    // Distinct devices per ring value of the selected ring type
    | summarize TotalDevices = dcount(DeviceId) by column_ifexists(RingName, "AvSignatureRing")
    // Map the numeric ring value to its channel name
    | extend RingDescription = case(
        column_ifexists(RingName, "AvSignatureRing") == "1", "Beta Channel - Prerelease",
        column_ifexists(RingName, "AvSignatureRing") == "2", "Current Channel (Preview)",
        column_ifexists(RingName, "AvSignatureRing") == "3", "Current Channel (Staged)",
        column_ifexists(RingName, "AvSignatureRing") == "4", "Current Channel (Broad)",
        column_ifexists(RingName, "AvSignatureRing") == "5", "Critical: Time Delay",
        "Unknown Ring")
    | project RingDescription, TotalDevices
    | render piechart
};
// Uncomment the call for the ring type you want to visualise
//SignatureRingDistribution("AvPlatformRing")
SignatureRingDistribution("AvSignatureRing")
//SignatureRingDistribution("AvEngineRing")
```

Explanation

This query defines a function called SignatureRingDistribution that takes a parameter RingName and returns a distribution of devices based on their rollout configuration for antivirus signature, platform, or engine rings. Here's a simplified summary:

  1. Function Purpose: The function calculates how many devices are in each rollout ring (e.g., Beta Channel, Current Channel) for a specified ring type (AvPlatformRing, AvSignatureRing, or AvEngineRing).

  2. Data Source: It uses data from DeviceTvmInfoGathering.

  3. Data Processing:
     - Extracts the ring information (AvSignatureRing, AvPlatformRing, AvEngineRing) from the AdditionalFields column.
     - Counts the total number of devices in each specified ring.

  4. Ring Description: It assigns a human-readable description to each ring value (e.g., "Beta Channel - Prerelease" for ring value "1").

  5. Output: The function outputs the ring descriptions and the total number of devices in each ring, and visualizes this data as a pie chart.

  6. Usage Example: The function is called with "AvSignatureRing" to get the distribution for antivirus signature rings.

In essence, this query helps visualize how devices are distributed across different rollout rings for antivirus updates.
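The pie chart answers "how many devices per ring", but a defender usually also wants to know which devices sit on a ring they were not meant to be on (for example a production server still on the Beta channel). The query below is an added example, not part of the original page or the author's query. It reuses the page's AdditionalFields keys and its value-to-label mapping, and makes two assumptions of its own: that DeviceTvmInfoGathering carries a Timestamp column (used to keep the latest record per device), and that ExpectedRings is a placeholder you replace with the ring values your organisation actually intends to run.

```kusto
// Added example (not from the original page or its author): per-device view of all
// three rollout rings with a drift check against the rings you expect to be in use.
// Assumptions: DeviceTvmInfoGathering has a Timestamp column; ExpectedRings is a
// placeholder to adjust before use; the ring labels are copied from the page's case().
let RingLabels = datatable(RingValue:string, RingDescription:string) [
    "1", "Beta Channel - Prerelease",
    "2", "Current Channel (Preview)",
    "3", "Current Channel (Staged)",
    "4", "Current Channel (Broad)",
    "5", "Critical: Time Delay"
];
let ExpectedRings = dynamic(["4", "5"]);   // placeholder: ring values you intend to run
DeviceTvmInfoGathering
| summarize arg_max(Timestamp, *) by DeviceId            // keep one (latest) row per device
| extend Fields = parse_json(AdditionalFields)
// Unpivot the three ring settings into one row per (device, ring type)
| extend Rings = bag_pack("AvSignatureRing", tostring(Fields.AvSignatureRing),
                          "AvPlatformRing",  tostring(Fields.AvPlatformRing),
                          "AvEngineRing",    tostring(Fields.AvEngineRing))
| mv-expand bagexpansion=array Rings
| extend RingType = tostring(Rings[0]), RingValue = tostring(Rings[1])
// Attach the channel name; anything outside the known values becomes "Unknown Ring"
| lookup kind=leftouter RingLabels on RingValue
| extend RingDescription = coalesce(RingDescription, "Unknown Ring")
// Drift check: keep only devices whose ring is not one you intend to run
| where not(set_has_element(ExpectedRings, RingValue))
| summarize DriftedDevices = dcount(DeviceId), SampleDevices = make_set(DeviceName, 5)
    by RingType, RingValue, RingDescription
| order by RingType asc, DriftedDevices desc
```

Unpivoting with bag_pack and mv-expand avoids running the page's function three times and lets one where clause cover all three ring types. Empty or unexpected values (a device with no ring data yet, or a value the label table does not know) show up as "Unknown Ring" instead of silently disappearing, which is the case you want surfaced when auditing a gradual rollout.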

Details

Bert-Jan Pals

Released: September 19, 2024

Tables

DeviceTvmInfoGathering

Keywords

Devices, Defender Endpoint

Operators

let, extend, tostring, parse_json, summarize, dcount, column_ifexists, case, project, render
