Forum Discussion
Skipster311-1
Jul 28, 2021, Iron Contributor
Advanced Hunting Query to include logged on users
Hello
I am using the below query to get an endpoint status report. The query works great; however, I am requesting help on modifying the query to show me the logged-on users. Thank you in advance.
// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
// Latest assessment result per device and configuration.
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
  Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// bag_pack is the current name of the deprecated pack() function.
| extend packed = bag_pack(Test, Result)
// One row per device, with one property per test.
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
3 Replies
- cjmay1 (Copper Contributor)
Skipster311-1 if you're still looking for help on this, I created a correlation query that includes grabbing logged in users from an endpoint name. You can reference it to get you started on solving your problem -> AdvancedHuntingQueries/Utilities at main · lawndoc/AdvancedHuntingQueries (github.com)
- cjmay1 (Copper Contributor)
Skipster311-1 Nevermind, I went ahead and did it for you -- this is what you wanted: https://security.microsoft.com/v2/advanced-hunting?query=H4sIAAAAAAAAA7VX2U7bQBSd50r9hyhPiQQNBoTUVjy4QFGqsoikfUVZTDDEIfISoOLje-6ZGdtZxqRVolFi-965-zbTUi1VU4lKVaCmePPUF_wP1JOKsQI1Vj3ianiOsWrqHjjZnxA2UUM8Q_wHeE_xJr8A2I_qA_YH-F7mF-J7AvgxfqeAzgAZ4NkG9A44oX0Dbgh4wv0T4NOF3ZfgFeG5A_hPUI2wAtBcYfcv0AWQmOS8pvh6Ug-AVnM6UZnRVewp-Ghtp9gZE3YLXgntaFRIb-byI0jbBfUUa6xeKyVp7zRIWzNrXf0tH62vS8an_L1M20EETt-l7DDeolvzn71r-UwMTMtKTU7FjPQIltt9TVKJT6-pS2Sku-i0BYVeD9gR0pvtuRx9zXPNentZhuURqBfWgM717_CLVMLlnAVaiwGzu6HOQT8jRdn2On_az1nJB83_yPdFLQT2A5b0VZf2jQ3sDNgeIGPlg_uQ9iVYq2Kx2tMC9SFfajij_64gxUZavPqV-rcWOsk-O8kIvHrYXzP-m5p4iG0xd0pnSE2dlq3t4k10EDkZ954wUnfAjwgpOolPm7RlkYmy9ekzOlZA-loFh7bpY7ru6uAzoPW76jN6Yt3Er4Duqz0uF8ZNs-_EHDgwnlOO55TjOeV4FXIOnZgjwIo8TeC9iJkllffHzIcYXr0l9AU-lDyMGJOU-TUl5za-JQoRu2DICZLmGN90x5CV1GcWN4Hrs1-6O3ZVVFdXcddopqtXpEn-zHfc97LlmLRVWdGhvIQ5fsY60zYNuWMTsryVsk5J3yPXMSUOcn6bklzkV5vRlC4T0zYd34jdIjQ9UXNMNia9yOGuyS6p8WtOoXQL9pZr0DdTZEaLM-zcRmzLtb0ssUNuE_LS3fG3mc-btbqI8g34yxkwNXW9HV-Xu-038L4HzYw0sbogZcipbyf-puws8ukac9HfaiYdVsT1pjQTN2vhUS71BFGUWT5cy8o6em0LmtZ5FitjbthDM-bEYh91dXOr357RxfJ2zwZL4RmKc5w_rtDhiizx-dV0dHrpTAP1yMoszvACaeRTYGfBmupJZ6nsnUCwj7wR9PEmp9CyzOr5Veg8Y3Vl-X1L87plF13W2N4sFk9dBzx1Fafe1Tcv0Tzl2XedU9nbGhztKbrKxvk7gtyFnvFzecZbad8h7dOc7tgL_gIzSDq1wg4AAA&timeRangeId=week
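The correlation cjmay1's reply points to, written out as an added example: this is not code from the thread or from the linked repository. It takes the poster's compliance query and joins in the most recent set of logged-on users that the DeviceInfo table reports for each device. It assumes the DeviceInfo.LoggedOnUsers column (a JSON array of objects with UserName, DomainName and Sid) is populated for the devices in the selected time range.

```kql
// Added example, not from the original post or the linked repository.
// Assumes DeviceInfo.LoggedOnUsers is a JSON array of {UserName, DomainName, Sid}.
let LoggedOn = DeviceInfo
    | where isnotempty(LoggedOnUsers)
    // Keep only the newest DeviceInfo record per device.
    | summarize arg_max(Timestamp, LoggedOnUsers) by DeviceName
    // One row per user entry in the JSON array.
    | mv-expand User = parse_json(LoggedOnUsers)
    | extend Account = strcat(tostring(User.DomainName), "\\", tostring(User.UserName))
    // Collapse back to one row per device with a de-duplicated account list.
    | summarize LoggedOnAccounts = make_set(Account), UsersLastSeen = max(Timestamp) by DeviceName;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
  Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = bag_pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
// leftouter keeps devices that have no DeviceInfo record in the time range;
// their LoggedOnAccounts column is simply empty.
| join kind=leftouter LoggedOn on DeviceName
| project-away DeviceName1
```

Two things to keep in mind when reading the output: LoggedOnAccounts reflects the users present in the latest DeviceInfo snapshot, not everyone who logged on during the period (DeviceLogonEvents is the table for that), and the join is on DeviceName, so the query's time range should be wide enough for every device to have reported at least one DeviceInfo record.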
- skipster311-175 (Copper Contributor)
Very helpful. Thank you.