Advanced Hunting Query to include logged on users

Question

Hello&nbsp;&nbsp;I am using the below query to get an endpoint status report. The query works great, however requesting help on modifying the query to show me the logged on users. Thank you in advance&nbsp;"//&nbsp;Best&nbsp;practice&nbsp;endpoint&nbsp;configurations&nbsp;for&nbsp;Microsoft&nbsp;Defender&nbsp;for&nbsp;Endpoint&nbsp;deployment.DeviceTvmSecureConfigurationAssessment|&nbsp;where&nbsp;ConfigurationId&nbsp;in&nbsp;("scid-91",&nbsp;"scid-2000",&nbsp;"scid-2001",&nbsp;"scid-2002",&nbsp;"scid-2003",&nbsp;"scid-2010",&nbsp;"scid-2011",&nbsp;"scid-2012",&nbsp;"scid-2013",&nbsp;"scid-2014",&nbsp;"scid-2016")|&nbsp;summarize&nbsp;arg_max(Timestamp,&nbsp;IsCompliant,&nbsp;IsApplicable)&nbsp;by&nbsp;DeviceName,&nbsp;ConfigurationId|&nbsp;extend&nbsp;Test&nbsp;=&nbsp;case(&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2000",&nbsp;"SensorEnabled",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2001",&nbsp;"SensorDataCollection",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2002",&nbsp;"ImpairedCommunications",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2003",&nbsp;"TamperProtection",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2010",&nbsp;"AntivirusEnabled",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2011",&nbsp;"AntivirusSignatureVersion",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2012",&nbsp;"RealtimeProtection",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-91",&nbsp;"BehaviorMonitoring",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2013",&nbsp;"PUAProtection",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2014",&nbsp;"AntivirusReporting",&nbsp;&nbsp;&nbsp;&nbsp;ConfigurationId&nbsp;==&nbsp;"scid-2016",&nbsp;"CloudProtection",&nbsp;&nbsp;&nbsp;&nbsp;"N/A"),&nbsp;&nbsp;&nbsp;&nbsp;Result&nbsp;=&nbsp;case(IsApplicable&nbsp;==&nbsp;0,&nbsp;"N/A",&nbsp;IsCompliant&nbsp;==&nbsp;1,&nbsp;"GOOD",&nbsp;"BAD")|&nbsp;extend&nbsp;packed&nbsp;=&nbsp;pack(Test,&nbsp;Result)|&nbsp;summarize&nbsp;Tests&nbsp;=&nbsp;make_bag(packed)&nbsp;by&nbsp;DeviceName|&nbsp;evaluate&nbsp;bag_unpack(Tests)"

cjmay1 · Answer

Skipster311-1&nbsp;if you're still looking for help on this, I created a correlation query that includes grabbing logged in users from an endpoint name. You can reference it to get you started on solving your problem -&gt;&nbsp;https://github.com/lawndoc/AdvancedHuntingQueries/tree/main/Utilities

skipster311-175 · Answer

Very helpful. Thank you

cjmay1 · Answer

Skipster311-1 Nevermind, I went ahead and did it for you -- this is what you wanted: https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA7VX2U7bQBSd50r9hyhPiQQNBoTUVjy4QFGqsoikfUVZTDDEIfISoOLje-6ZGdtZxqRVolFi-965-zbTUi1VU4lKVaCmePPUF_wP1JOKsQI1Vj3ianiOsWrqHjjZnxA2UUM8Q_wHeE_xJr8A2I_qA_YH-F7mF-J7AvgxfqeAzgAZ4NkG9A44oX0Dbgh4wv0T4NOF3ZfgFeG5A_hPUI2wAtBcYfcv0AWQmOS8pvh6Ug-AVnM6UZnRVewp-Ghtp9gZE3YLXgntaFRIb-byI0jbBfUUa6xeKyVp7zRIWzNrXf0tH62vS8an_L1M20EETt-l7DDeolvzn71r-UwMTMtKTU7FjPQIltt9TVKJT6-pS2Sku-i0BYVeD9gR0pvtuRx9zXPNentZhuURqBfWgM717_CLVMLlnAVaiwGzu6HOQT8jRdn2On_az1nJB83_yPdFLQT2A5b0VZf2jQ3sDNgeIGPlg_uQ9iVYq2Kx2tMC9SFfajij_64gxUZavPqV-rcWOsk-O8kIvHrYXzP-m5p4iG0xd0pnSE2dlq3t4k10EDkZ954wUnfAjwgpOolPm7RlkYmy9ekzOlZA-loFh7bpY7ru6uAzoPW76jN6Yt3Er4Duqz0uF8ZNs-_EHDgwnlOO55TjOeV4FXIOnZgjwIo8TeC9iJkllffHzIcYXr0l9AU-lDyMGJOU-TUl5za-JQoRu2DICZLmGN90x5CV1GcWN4Hrs1-6O3ZVVFdXcddopqtXpEn-zHfc97LlmLRVWdGhvIQ5fsY60zYNuWMTsryVsk5J3yPXMSUOcn6bklzkV5vRlC4T0zYd34jdIjQ9UXNMNia9yOGuyS6p8WtOoXQL9pZr0DdTZEaLM-zcRmzLtb0ssUNuE_LS3fG3mc-btbqI8g34yxkwNXW9HV-Xu-038L4HzYw0sbogZcipbyf-puws8ukac9HfaiYdVsT1pjQTN2vhUS71BFGUWT5cy8o6em0LmtZ5FitjbthDM-bEYh91dXOr357RxfJ2zwZL4RmKc5w_rtDhiizx-dV0dHrpTAP1yMoszvACaeRTYGfBmupJZ6nsnUCwj7wR9PEmp9CyzOr5Veg8Y3Vl-X1L87plF13W2N4sFk9dBzx1Fafe1Tcv0Tzl2XedU9nbGhztKbrKxvk7gtyFnvFzecZbad8h7dOc7tgL_gIzSDq1wg4AAA&amp;timeRangeId=week

Forum Discussion

Advanced Hunting Query to include logged on users

3 Replies

Resources