
 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from Threat & Vulnerability Management. Use this reference to check the latest assessment results and determine whether devices are compliant.

You can join this table with the DeviceTvmSecureConfigurationAssessmentKB table on ConfigurationId. For example, the join lets you view the text description of each configuration, taken from the ConfigurationDescription column of the DeviceTvmSecureConfigurationAssessmentKB table, alongside the configuration assessment results.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| OSPlatform | string | Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. |
| Timestamp | datetime | Date and time when the record was generated |
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
| ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, the string describes specific capabilities or features. |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
| IsApplicable | boolean | Indicates whether the configuration or policy applies to the device |
| Context | string | Additional contextual information about the configuration or policy |
| IsExpectedUserImpact | boolean | Indicates whether there will be user impact if the configuration or policy is applied |

You can try this example query to return information on devices with non-compliant antivirus configurations along with the relevant configuration metadata from the DeviceTvmSecureConfigurationAssessmentKB table:

Kusto

// Get information on devices with antivirus configuration issues
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
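
An added example, not part of the original Microsoft reference: this query keeps only the latest assessment per device and configuration, then ranks devices by the summed impact of their failing, applicable configurations. It uses only columns listed on this page; the todouble() cast is an assumption based on ConfigurationImpact being documented here as a string, and the output column names are illustrative.

```kusto
// Added example: per-device summary of the latest failing configurations.
DeviceTvmSecureConfigurationAssessment
// Keep only the most recent assessment for each device/configuration pair,
// so older results for the same check do not inflate the counts
| summarize arg_max(Timestamp, *) by DeviceId, ConfigurationId
// Failing checks that actually apply to the device
| where IsApplicable == true and IsCompliant == false
// Bring in the readable configuration name from the KB table
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName
) on ConfigurationId
| summarize
    FailedConfigurations = count(),
    // Assumption: cast needed because this page lists ConfigurationImpact as a string
    TotalImpact = sum(todouble(ConfigurationImpact)),
    // Fixes that can be applied without expected user impact
    NoUserImpactFixes = countif(IsExpectedUserImpact == false),
    Categories = make_set(ConfigurationCategory),
    FailedNames = make_set(ConfigurationName, 20)
    by DeviceId, DeviceName, OSPlatform
| order by TotalImpact desc, FailedConfigurations desc
```

Devices at the top of the result carry the most configuration risk, and NoUserImpactFixes shows how many of their failing settings can be remediated without disrupting users.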

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
