Mar 11 2022 07:48 AM - edited Mar 11 2022 07:48 AM
Hello all,
Does anybody know of a KQL query that would return a list of Antivirus policy configuration settings? I've been looking online and I can't find anything. I am aware of the 'Endpoint Status Report' AHQ. I'm looking for a similar query that would return a list of antivirus policy settings, such as Scan time, ControlledFolderAccessProtectedFolders, AttackSurfaceReductionOnlyExclusions, etc. What I'm really asking is to display some of the content from the Get-MpPreference command.
Side note: I've been searching all over the place for a list of all the ConfigurationIds (ConfigurationId == "scid-2000", "SensorEnabled", etc.) that you can query against. Does anybody know if there is a complete list online I can view?
Mar 12 2022 10:25 AM
Hi @Maddenk
One possibility is to look at what is available in the Windows Event Log:
Applications and Services Logs > Microsoft > Windows > SENSE, then click on Operational. See: Review events and errors using Event Viewer | Microsoft Docs
However, you may not find the information that is available through the Get-MpPreference PowerShell cmdlet.
If the goal is to have a desired state on machines managed by Azure (either within Azure or through Azure Arc), you could use Desired State Configuration. If the goal is to have an overview, maybe an Azure Automation runbook could help.
Kind Regards,
Thomas
Mar 14 2022 04:16 AM
Mar 14 2022 09:28 PM
You could join the two tables mentioned in the query and get a list of configuration IDs that are related to your environment.
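As an added example (not part of any reply in this thread), here is one way to do that join in Microsoft 365 Defender advanced hunting. It assumes the two tables are DeviceTvmSecureConfigurationAssessment (per-device compliance results, keyed by ConfigurationId) and DeviceTvmSecureConfigurationAssessmentKB (the catalogue that maps each ConfigurationId to a name, description and category); the 7-day window and the column selection are choices for the example, not requirements. The first part builds the catalogue of ConfigurationIds seen in your environment, which answers the side question; the second part shows per-device compliance for the antivirus-related IDs. Note that neither table carries Get-MpPreference values such as ControlledFolderAccessProtectedFolders; it records whether a control is compliant, not the configured value.

```kusto
// Part 1: catalogue of every ConfigurationId that actually occurs in the tenant,
// joined to the KB so each ID gets its human-readable name and category.
let window = 7d;                       // constructed choice for the example
let seenIds =
    DeviceTvmSecureConfigurationAssessment
    | where Timestamp > ago(window)
    | where ConfigurationId startswith "scid-"
    | distinct ConfigurationId;
seenIds
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription,
              ConfigurationCategory, ConfigurationSubcategory
) on ConfigurationId
| project ConfigurationId, ConfigurationName, ConfigurationCategory,
          ConfigurationSubcategory, ConfigurationDescription
| order by ConfigurationId asc

// Part 2: latest compliance state per device for antivirus-related controls.
// The filter on ConfigurationName is an assumption for the example; adjust the
// text match to whichever names Part 1 returns for your tenant.
DeviceTvmSecureConfigurationAssessment
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId, ConfigurationId   // newest row per device+control
| join kind=inner (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationSubcategory
) on ConfigurationId
| where ConfigurationName has "antivirus" or ConfigurationName has "Defender"
| project Timestamp, DeviceName, OSPlatform, ConfigurationId, ConfigurationName,
          ConfigurationSubcategory, IsApplicable, IsCompliant
| order by DeviceName asc, ConfigurationId asc
```

Run each part as its own query; they are shown together only so the catalogue step and the per-device step can be compared. Devices with IsApplicable == false are still listed in Part 2 so you can tell "not applicable" apart from "non-compliant"; add `| where IsApplicable == true` if you only want actionable rows.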