Forum Discussion

LocalAlien's avatar
LocalAlien
Copper Contributor
Mar 15, 2022

Advance Hunting - SCID

Hi,

 

Where can I find a reference sheet/document for the SCID's used in below query. I have searched pretty much everywhere but haven't been able find anything on this. It would be great if someone can please direct me towards any info or anywhere I can find it. Cheers!

 

/ Best practice endpoint configurations for Microsoft Defender for Endpoint deployment. DeviceTvmSecureConfigurationAssessment

| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")

| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId, OSPlatform

| extend Test = case( ConfigurationId == "scid-2000", "SensorEnabled", ConfigurationId == "scid-2001", "SensorDataCollection", ConfigurationId == "scid-2002", "ImpairedCommunications", ConfigurationId == "scid-2003", "TamperProtection", ConfigurationId == "scid-2010", "AntivirusEnabled", ConfigurationId == "scid-2011", "AntivirusSignatureVersion", ConfigurationId == "scid-2012", "RealtimeProtection", ConfigurationId == "scid-91", "BehaviorMonitoring", ConfigurationId == "scid-2013", "PUAProtection", ConfigurationId == "scid-2014", "AntivirusReporting", ConfigurationId == "scid-2016", "CloudProtection", "N/A"), Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")

| extend packed = pack(Test, Result) | summarize Tests = make_bag(packed) by DeviceName, OSPlatform

| evaluate bag_unpack(Tests)

 

 

  • Hi,

    The best way I found was to pull the data directly from Defender by joining DeviceTvmSecureConfigurationAssessment & DeviceTvmSecureConfigurationAssessmentKB. Then I exported the list to Excel for reference.

    DeviceTvmSecureConfigurationAssessment
    | join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, ConfigurationImpact
    ) on ConfigurationId
    | distinct ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact

    Please note that I am very new to kusto - and data quering in general - so the report is likely not optimized, but it gave me what I needed
    • JeffreyM1580's avatar
      JeffreyM1580
      Copper Contributor
      Great stuff. I was looking for the same things the OP was. Thank you for sharing this.

Resources