Advanced Hunting Query to include logged on users


Hello,

I am using the query below to get an endpoint status report. The query works great; however, I am requesting help on modifying the query to show me the logged-on users. Thank you in advance.

// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)
0 Replies
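
One way to add the logged-on users to the query in the post above, as an added example that is not part of the original post: it joins the posture results to the most recent `DeviceInfo` record per device and assumes the `LoggedOnUsers` JSON entries carry `DomainName` and `UserName` fields. The names `LatestLogons`, `LogonSeenAt` and `LoggedOn` are introduced here for illustration.

```kusto
// Added example: latest non-empty LoggedOnUsers snapshot per device.
// Assumption: LoggedOnUsers is a JSON array of objects with DomainName and UserName.
let LatestLogons =
    DeviceInfo
    | where isnotempty(LoggedOnUsers) and LoggedOnUsers != "[]"
    | summarize arg_max(Timestamp, LoggedOnUsers) by DeviceId
    // Flatten the JSON array into one "DOMAIN\user, DOMAIN\user" string per device.
    | mv-apply U = parse_json(LoggedOnUsers) on (
        summarize LoggedOn = strcat_array(
            make_set(strcat(tostring(U.DomainName), "\\", tostring(U.UserName))), ", ")
      )
    | project DeviceId, LogonSeenAt = Timestamp, LoggedOn;
// Posture query from the post, keyed on DeviceId as well as DeviceName so the
// join does not depend on device names being unique.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, DeviceName, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceId, DeviceName
// leftouter keeps devices that have no logon snapshot in the lookback window.
| join kind=leftouter LatestLogons on DeviceId
| project-away DeviceId1
| evaluate bag_unpack(Tests)
```

`LoggedOn` reflects the users recorded in the most recent `DeviceInfo` snapshot, not necessarily who is signed in when the report is read; `LogonSeenAt` shows how old that snapshot is.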