Forum Discussion
Lars_Gjulem
Feb 28, 2024 · Copper Contributor
Reference sheet/document for the SCIDs used by Defender.
Where can I find a reference sheet/document for the SCIDs used by Defender? I would like to have a list of all SCIDs. Is there a SCID# for almost all security settings like CIS benchmark?
am1357
Mar 01, 2024 · Brass Contributor
You can get an overview of all SCIDs with Advanced Hunting. The query will display all SCIDs that apply to your devices onboarded to MDE.
//name: Overview of SCIDs from Threat and Vulnerability Management (TVM) module recommendations in MDE
//description:
//This query will provide a list of all SCIDs in Defender XDR
//Line 2 in the query can be adjusted to your needs to get a list for a specific config category (e.g. Antivirus), if that category applies to the devices in your instance and
//if devices onboarded to MDE in your instance are compliant to specific category items.
//IsCompliant == 1 will also return TVM category items even if some devices are still exposed to the specific item.
DeviceTvmSecureConfigurationAssessment
//| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| summarize any(*) by ConfigurationId
| project ConfigurationId, any_ConfigurationName, any_ConfigurationCategory, any_ConfigurationSubcategory, any_ConfigurationDescription, any_RiskDescription
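
Added example, not part of the reply above: a variant that starts from the knowledge-base table, so the sheet is not limited to SCIDs currently assessed on onboarded devices, and that includes the `ConfigurationBenchmarks` column, which lists the industry benchmarks recommending the same or a similar setting. The output column names `ApplicableDevices` and `NonCompliantDevices` are chosen here for illustration.

```kusto
// SCID reference sheet: one row per ConfigurationId from the KB table,
// with per-tenant exposure counts joined in where devices report on that SCID.
DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationId,
          ConfigurationName,
          ConfigurationCategory,
          ConfigurationSubcategory,
          ConfigurationBenchmarks,   // benchmark references for this setting
          ConfigurationImpact,
          RiskDescription
| join kind=leftouter (
    DeviceTvmSecureConfigurationAssessment
    // Count only devices the setting actually applies to
    | where IsApplicable == 1
    | summarize ApplicableDevices   = dcount(DeviceId),
                NonCompliantDevices = dcountif(DeviceId, IsCompliant == 0)
        by ConfigurationId
) on ConfigurationId
// Drop the duplicate key column produced by the join
| project-away ConfigurationId1
// SCIDs with no assessed devices get 0 instead of an empty cell
| extend ApplicableDevices   = coalesce(ApplicableDevices, 0),
         NonCompliantDevices = coalesce(NonCompliantDevices, 0)
| sort by ConfigurationCategory asc, ConfigurationSubcategory asc, ConfigurationId asc
```

Rows with `ApplicableDevices == 0` are SCIDs that exist in the knowledge base but are not assessed on any device in the tenant; exporting the result from Advanced Hunting gives the list as a CSV.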