
Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

The DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema contains information about the various secure configurations checked by Threat & Vulnerability Management. It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics.

This table doesn’t return events or records. We recommend joining this table to the DeviceTvmSecureConfigurationAssessment table using ConfigurationId to view text information about the security configurations in the returned assessments.

For example, when you query the DeviceTvmSecureConfigurationAssessment table you might want to view the ConfigurationDescription for the security configurations that come up in the assessment results. You can see this information by joining that table to DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId and projecting ConfigurationDescription.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

TABLE 1

| Column name              | Data type | Description                                                                                                              |
|--------------------------|-----------|--------------------------------------------------------------------------------------------------------------------------|
| ConfigurationId          | string    | Unique identifier for a specific configuration                                                                           |
| ConfigurationImpact      | string    | Rated impact of the configuration to the overall configuration score (1-10)                                              |
| ConfigurationName        | string    | Display name of the configuration                                                                                        |
| ConfigurationDescription | string    | Description of the configuration                                                                                         |
| RiskDescription          | string    | Description of the associated risk                                                                                       |
| ConfigurationCategory    | string    | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls           |
| ConfigurationSubcategory | string    | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationBenchmarks  | string    | List of industry benchmarks recommending the same or similar configuration                                               |
| Tags                     | string    | Labels representing various attributes used to identify or categorize a security configuration                           |
| RemediationOptions       | string    | Recommended actions to reduce or address any associated risks                                                            |

You can try this example query to return relevant configuration metadata along with information on devices with non-compliant antivirus configurations from the DeviceTvmSecureConfigurationAssessment table:

```kusto
// Get information on devices with antivirus configuration issues
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
```
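The query above lists one row per affected device. The following added query (not from the original article) goes a step further and ranks non-compliant configurations across the whole fleet by exposure, pulling ConfigurationBenchmarks and RemediationOptions from the KB table so the output doubles as a remediation worklist. It assumes the assessment table carries a DeviceId column (standard in the Defender schema, though not listed on this page); ExposureScore and ImpactScore are names chosen here, not schema columns.

```kusto
// Added example: rank non-compliant security configurations by fleet exposure.
// Start from the assessment table, keeping only checks that apply and failed.
DeviceTvmSecureConfigurationAssessment
| where IsApplicable == 1 and IsCompliant == 0
// Count distinct affected devices per configuration (DeviceId assumed present).
| summarize AffectedDevices = dcount(DeviceId) by ConfigurationId
// Bring in the descriptive metadata, benchmarks and remediation text from the KB.
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationCategory,
              ConfigurationSubcategory, ConfigurationImpact,
              ConfigurationBenchmarks, RemediationOptions
) on ConfigurationId
// ConfigurationImpact is stored as a string (1-10); convert before arithmetic.
| extend ImpactScore = toint(ConfigurationImpact)
// Simple prioritisation heuristic: impact weighted by how many devices fail it.
| extend ExposureScore = ImpactScore * AffectedDevices
// The join duplicates the key as ConfigurationId1; drop it from the output.
| project-away ConfigurationId1
| sort by ExposureScore desc, AffectedDevices desc
| take 20
```

Switching the join to kind=leftouter would also surface failed checks that have no KB entry, which is worth doing once to validate that the two tables line up in your tenant.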

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
