Query Details

Identify Non-Compliant Controls With Relevant Remediation Actions

Query

# Identify non-compliant controls with relevant remediation actions

# Description

The following query uses the DeviceBaselineComplianceAssessment and DeviceBaselineComplianceAssessmentKB tables. You pick a baseline assessment profile by its ProfileId, and the query returns the controls in that profile that were assessed as non-compliant (and are not exempt), together with the remediation options documented for each control in the knowledge base.

### Microsoft Defender XDR
```kql
let Profile = ""; // Insert ProfileId here (an empty string matches no rows)
DeviceBaselineComplianceAssessment
| where ProfileId == Profile
// IsCompliant and IsExempt are bool columns: keep only failing, non-exempt controls
| where IsCompliant == false
| where IsExempt == false
// Enrich each finding with the control metadata from the knowledge base
| join kind=inner (
    DeviceBaselineComplianceAssessmentKB
) on ConfigurationId
// Collapse per-device rows so each non-compliant control appears once
| summarize by ConfigurationId, ConfigurationName, ConfigurationDescription, ConfigurationCategory, RemediationOptions, ConfigurationBenchmark
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 05/12/2024    | Initial publish                        |

Explanation

This query identifies security controls that are non-compliant within a specified baseline assessment profile in Microsoft Defender XDR. Here is a step-by-step breakdown of what the query does:

  1. Profile selection: you specify the baseline assessment profile by its ProfileId. The Profile placeholder must be filled in; left empty, it matches no assessment rows.

  2. Filter to non-compliant controls: the query keeps only the assessment rows where the control is not compliant (IsCompliant is false) and is not exempt (IsExempt is false), so controls that were deliberately excluded from the baseline do not show up as findings.

  3. Join with the knowledge base: it joins these rows with DeviceBaselineComplianceAssessmentKB on ConfigurationId to pull in the control's descriptive metadata, including its remediation options.

  4. Summarize the results: finally it summarizes by control, so each non-compliant control appears once with its ID, name, description, category, available remediation options, and benchmark.

The result is the list of controls that need attention and the actions that can be taken to remediate them. Because the summarize collapses the per-device assessment rows, the output tells you which controls fail, not how many devices fail each one.
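The following variant is an added example and is not part of the original query. It drops the ProfileId placeholder, resolves the profile name instead, and ranks each non-compliant control by the number of affected devices so remediation can be prioritised. It assumes that DeviceBaselineComplianceAssessment carries DeviceId, DeviceName and IsApplicable columns and that DeviceBaselineComplianceProfiles exposes ProfileId and ProfileName; verify these against the schema reference in your tenant before relying on it.

```kql
// Added example (not the original query): rank non-compliant, applicable,
// non-exempt controls across all baseline profiles by affected device count.
// Assumed columns: DeviceId, DeviceName, IsApplicable (assessment table),
// ProfileId, ProfileName (DeviceBaselineComplianceProfiles).
DeviceBaselineComplianceAssessment
| where IsApplicable == true
| where IsCompliant == false and IsExempt == false
// Project only the knowledge-base fields we need before joining
| join kind=inner (
    DeviceBaselineComplianceAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationCategory,
              RemediationOptions, ConfigurationBenchmark
) on ConfigurationId
// Resolve the human-readable profile name instead of hard-coding a ProfileId
| join kind=inner (
    DeviceBaselineComplianceProfiles
    | project ProfileId, ProfileName
) on ProfileId
| summarize NonCompliantDevices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 5)
    by ProfileName, ConfigurationId, ConfigurationName, ConfigurationCategory,
       RemediationOptions, ConfigurationBenchmark
| order by NonCompliantDevices desc
```

The device count is what turns this from a checklist into a prioritised one: a control failing on a handful of hosts is a ticket, a control failing fleet-wide is usually a policy or deployment gap. The make_set sample of device names gives a starting point for triage without listing every machine.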

Details


Michalis Michalos

Released: December 5, 2024

Tables

DeviceBaselineComplianceAssessment
DeviceBaselineComplianceAssessmentKB

Keywords

DeviceBaselineComplianceAssessment, Configuration, RemediationOptions

Operators

let, where, join, on, summarize
