Query Details

Function: SignatureRingDistribution()

Signature Ring Distribution

Query

let SignatureRingDistribution = (RingName:string) { 
    DeviceTvmInfoGathering
    | extend AvSignatureRing = tostring(parse_json(AdditionalFields).AvSignatureRing), AvPlatformRing = tostring(parse_json(AdditionalFields).AvPlatformRing), AvEngineRing = tostring(parse_json(AdditionalFields).AvEngineRing)
    | summarize TotalDevices = dcount(DeviceId) by column_ifexists(RingName, "AvSignatureRing")
    | extend RingDescription = case(
    column_ifexists(RingName, "AvSignatureRing") == "1", "Beta Channel - Prerelease",
    column_ifexists(RingName, "AvSignatureRing") == "2", "Current Channel (Preview)",
    column_ifexists(RingName, "AvSignatureRing") == "3", "Current Channel (Staged)",
    column_ifexists(RingName, "AvSignatureRing") == "4", "Current Channel (Broad)",
    column_ifexists(RingName, "AvSignatureRing") == "5", "Not Configured",
    column_ifexists(RingName, "AvSignatureRing") == "6", "Critical: Time Delay",
            "Unknown")
    | project RingDescription, TotalDevices
    | render piechart
};
//SignatureRingDistribution("AvPlatformRing")
SignatureRingDistribution("AvSignatureRing")
//SignatureRingDistribution("AvEngineRing")

About this query

Function: SignatureRingDistribution()

Query Information

Description

This function returns the Signature Ring Distribution for the gradual rollout of AvPlatformRing, AvSignatureRing and AvEngineRing. The function can be called using one of these parameters to return the total devices and their rollout configuration.

References

Defender XDR

Explanation

This KQL query defines a function called SignatureRingDistribution that helps visualize the distribution of devices across different rollout configurations for antivirus components in Microsoft Defender. Here's a simple breakdown of what the query does:

  1. Function Purpose: The function is designed to show how many devices are in each rollout stage (or "ring") for antivirus signature, platform, or engine updates.

  2. Parameters: The function takes one parameter, RingName, which specifies which type of rollout configuration you want to analyze (e.g., AvPlatformRing, AvSignatureRing, or AvEngineRing).

  3. Data Extraction: It retrieves data from a table called DeviceTvmInfoGathering and extracts the specific ring information (like AvSignatureRing, AvPlatformRing, and AvEngineRing) from a field called AdditionalFields.

  4. Device Counting: It counts the number of unique devices (TotalDevices) for each ring configuration specified by the RingName.

  5. Ring Description: It assigns a human-readable description to each ring based on its numeric value. For example, "1" corresponds to "Beta Channel - Prerelease", "2" to "Current Channel (Preview)", and so on.

  6. Visualization: The results are displayed as a pie chart, showing the distribution of devices across the different rollout rings.

  7. Example Usage: The function is called with AvSignatureRing as the parameter, meaning it will show the distribution for antivirus signature updates.

In summary, this query helps administrators understand how antivirus updates are being rolled out across their devices by visualizing the distribution of devices in different update channels.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 27, 2024

Tables

DeviceTvmInfoGathering

Keywords

Devices

Operators

letextendtostringparse_jsonsummarizedcountbycolumn_ifexistscaseprojectrender

Actions

GitHub