Forum Discussion

Maddenk
Copper Contributor
Mar 11, 2022

KQL query for AntiVirus policy report

Hello all,


Does anybody know of a KQL query that would return a list of AntiVirus policy configuration settings? I've been looking online and I can't find anything. I am aware of the 'Endpoint Status Report' AHQ. I'm looking for a similar query that would return a list of antivirus policy settings, such as Scan time, ControlledFolderAccessProtectedFolders, AttackSurfaceReductionOnlyExclusions, etc. What I'm really asking is to display some of the content from the Get-MpPreference command.


Side note: I've been searching all over the place for a list of all the ConfigurationIds (ConfigurationId == "scid-2000", "SensorEnabled", ...) that you can query against. Does anybody know if there is a complete list online I can view?

  • thomasdefise
    Brass Contributor

    Hi Maddenk

    One possibility is to look at what is available in the Windows Event Log:

    1. Applications and Services Logs > Microsoft > Windows > SENSE and click on Operational. cc Review events and errors using Event Viewer | Microsoft Docs

    2. Applications and Services Logs > Microsoft > Windows > Windows Defender and click on Operational cc Microsoft Defender Antivirus event IDs and error codes | Microsoft Docs

    However, you may not find the information that is available through the Get-MpPreference PowerShell cmdlet.
    If the goal is to have a desired state on machines managed by Azure (either within Azure or through Azure Arc), you could use Desired State Configuration. If the goal is to have an overview, maybe an Azure Automation runbook could help.

    Kind Regards,
    Thomas

    • Maddenk
      Copper Contributor
      Hi thomasdefise

      Thanks for the reply. I understand that you can check the event logs for the machine, but can I get the same information using a KQL query?

      Also, do you know where the KQL query is pulling the ConfigurationID information from?

      Thanks for the reply.
  • Maddenk

    You could join the two tables mentioned in the query and get a list of configuration IDs that are related to your environment:

    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0 // you can remove this line to get all the configuration Id's and then filter later if needed.
    | join kind=innerunique (
        DeviceTvmSecureConfigurationAssessmentKB
        | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
    ) on ConfigurationId
    | project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
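As an added example (not part of the reply above), the same join can be turned into a per-device overview rather than a row per failing check. It uses only the two advanced hunting tables and the columns already shown in the query above; the aggregate functions (dcountif, make_set_if, maxif) are standard KQL, and it assumes ConfigurationImpact is the numeric impact score the KB table exposes.

```kql
// Added example: one row per device with its failing Antivirus configuration checks.
// Assumes the DeviceTvmSecureConfigurationAssessment / ...KB schema shown in the thread
// and that ConfigurationImpact is numeric.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1
| join kind=innerunique (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationImpact
) on ConfigurationId
| summarize
    ChecksApplicable = dcount(ConfigurationId),
    ChecksFailing    = dcountif(ConfigurationId, IsCompliant == 0),
    FailingSettings  = make_set_if(ConfigurationName, IsCompliant == 0),
    HighestImpact    = maxif(ConfigurationImpact, IsCompliant == 0)
    by DeviceName, OSPlatform
| where ChecksFailing > 0
| order by ChecksFailing desc, HighestImpact desc
```

Dropping the final `where` keeps fully compliant devices in the output (with ChecksFailing = 0), which is useful when the goal is coverage rather than a list of failures. Note that, as the earlier reply says, these tables only hold the secure-configuration assessment results; they do not expose the raw Get-MpPreference values such as ControlledFolderAccessProtectedFolders or AttackSurfaceReductionOnlyExclusions.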