Forum Discussion

Maddenk
Copper Contributor
Mar 11, 2022

KQL query for AntiVirus policy report

Hello all,


Does anybody know of a KQL query that would return a list of AntiVirus policy configuration settings? I've been looking online and I can't find anything. I am aware of the 'Endpoint Status Report' AHQ. I'm looking for a similar query that would return a list of antivirus policy settings, such as Scan time, ControlledFolderAccessProtectedFolders, AttackSurfaceReductionOnlyExclusions, etc. What I'm really asking is to display some of the content from the Get-MpPreference command.


Side note: I've been searching all over the place for a list of all the ConfigurationId's (ConfigurationId == "scid-2000", "SensorEnabled",) that you can query against. Does anybody know if there is a complete list online I can view?

3 Replies

  • Maddenk 


    You could join the two tables mentioned in the query and get a list of configuration id's that are related to your environment 


    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0 // you can remove this line to get all the configuration Id's and then filter later if needed.
    | join kind=innerunique (
        DeviceTvmSecureConfigurationAssessmentKB
        | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
    ) on ConfigurationId
    | project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
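    Building on the join in the reply above, an added example (not posted by anyone in this thread) that first lists every ConfigurationId the KB table exposes, for the side question about a complete list, and then summarizes per device which Antivirus checks pass and fail; run the two queries separately in advanced hunting. The KB columns ConfigurationCategory and ConfigurationSubcategory and the DeviceId column are assumed from the advanced hunting schema rather than taken from the thread.

```kql
// Query 1: catalogue of every configuration id the KB table knows about,
// grouped the way the assessment table categorises them
DeviceTvmSecureConfigurationAssessmentKB
| summarize by ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory
| order by ConfigurationCategory asc, ConfigurationId asc

// Query 2: per-device Antivirus compliance summary (run on its own)
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName      // keep only the friendly name from the KB side
) on ConfigurationId
| summarize
    FailedChecks  = make_set_if(ConfigurationName, IsCompliant == 0),
    PassedChecks  = make_set_if(ConfigurationName, IsCompliant == 1),
    HighestFailedImpact = maxif(ConfigurationImpact, IsCompliant == 0),  // impact score of the worst failing check
    TotalChecks   = count()
    by DeviceId, DeviceName, OSPlatform
| extend FailedCount = array_length(FailedChecks)
| where FailedCount > 0      // drop fully compliant devices from the report
| order by FailedCount desc, HighestFailedImpact desc
```

    The assessment table is a current-state snapshot, so no Timestamp filter is needed; remove the final `where` to also list devices with no failing checks.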
    thomasdefise
    Brass Contributor

    Hi Maddenk 


    One possibility is to look what is available in the Windows Event Log 

    1. Applications and Services Logs > Microsoft > Windows > SENSE and click on Operational. cc https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide

    2. Applications and Services Logs > Microsoft > Windows > Windows Defender and click on Operational cc https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#:~:text=Open%20Event%20Viewer.,events%20to%20find%20your%20event.

    However, you may not find the information that is available through the Get-MpPreference PowerShell cmdlet.
    If the goal is to have a desired state on machines managed by Azure (either within Azure or through Azure Arc) you could use https://docs.microsoft.com/en-us/powershell/dsc/getting-started/wingettingstarted?view=dsc-1.1 . If the goal is to have an overview, maybe an https://docs.microsoft.com/en-us/azure/automation/automation-create-alert-triggered-runbook could help.

    Kind Regards,
    Thomas

    •
      Maddenk
      Copper Contributor
      Hi thomasdefise

      Thanks for the reply. I understand that you can check the event logs for the machine, but can I get the same information using a KQL query?

      Also, do you know where the KQL query is pulling the ConfigurationID information from?

      Thanks for the reply.
