Forum Discussion

SergioT1228's avatar
SergioT1228
Brass Contributor
May 11, 2022

KQL OSPlatform count, DeviceTvmSecureConfigurationAssessment

I'm working with a query that was posted on Github for "Endpoint Agent Health Status Report" however I only want to show for our Servers.  I was able to put in a Where for specific OS but the server ...
Rod_Trent's avatar
Rod_Trent
Icon for Microsoft rankMicrosoft
May 12, 2022
Spoiler
 

Try something like the following:

let serverbuilds = dynamic(["20349" , "20348" , "19042" , "18363" , "17763" , "14393"]);
DeviceTvmSecureConfigurationAssessment
| where isnotempty(DeviceName)
| join kind=leftouter (
    DeviceInfo    
) on DeviceName
| where isnotempty(OSBuild)
| where OSBuild in (serverbuilds)
| distinct DeviceName, OSPlatform, OSBuild
| summarize count() by DeviceName, OSPlatform, OSBuild
  • SergioT1228's avatar
    SergioT1228
    Brass Contributor
    May 12, 2022
    Thank you for the response. I get results, unfortunately Windows 10 are included. I was looking for only Servers, Linux and Window Servers. I'm going to work on resolving the issue.
    I wanted to let you know I really appreciated your Must Learn KQL series. It is what has gotten me into learning KQL. A lot more to learn but I'm trying to write something everyday to help build my skill set.
    Keep you posted.
    Cheers,
    • Rod_Trent's avatar
      Rod_Trent
      Icon for Microsoft rankMicrosoft
      May 12, 2022
      That is great to hear! Thanks for letting me know it has helped!

      I don't have the same data that you do, but this should give you a start. DeviceTvmSecureConfigurationAssessment doesn't contain what you need to get server vs workstation. You need to 'join' the table with DeviceInfo.

Resources