cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

KQL query for AntiVirus policy report

Maddenk
Copper Contributor

‎Mar 11 2022 07:48 AM - edited ‎Mar 11 2022 07:48 AM

‎Mar 11 2022 07:48 AM - edited ‎Mar 11 2022 07:48 AM

KQL query for AntiVirus policy report

Hello all,

 

Does anybody know of an KQL query that would return a list of AntiVirus policy configuration settings. I've been looking online and I can't find anything. I am aware of the 'Endpoint Status Report' AHQ. I'm looking for a similar query that would return a list of antivirus policy settings, such as Scan time, ControlledFolderAccessProtectedFolders, AttackSurfaceReductionOnlyExclusions, etc. What I'm really asking is to display some of the content from the Get-MpPreference command.

 

Side note: I've been searching all over the place for a list of all the ConfigurationId's (ConfigurationId == "scid-2000", "SensorEnabled",) that you can query against. Does anybody know if there is a complete list online I can view?

5,506 Views
0 Likes
3 Replies
Reply
3 Replies
thomasdefise

‎Mar 12 2022 10:25 AM

‎Mar 12 2022 10:25 AM

Re: KQL query for AntiVirus policy report

Hi @Maddenk 

 

One possibility is to look what is available in the Windows Event Log 

  1. Applications and Services Logs > Microsoft > Windows > SENSE and click on Operational. cc Review events and errors using Event Viewer | Microsoft Docs

  2. Applications and Services Logs > Microsoft > Windows > Windows Defender and click on Operational cc Microsoft Defender Antivirus event IDs and error codes | Microsoft Docs

However, you may not find the information that is available through the Get-MpPreference PowerShell cmdlet.
If the goal is to have a desired state on machines managed by Azure (Either within Azure, either through Azure Arc) you could use Desired State Configuration .If the goal is to have an overview, maybe that an Azure automation runbook could help

Kind Regards,
Thomas

0 Likes
Reply
Maddenk

‎Mar 14 2022 04:16 AM

‎Mar 14 2022 04:16 AM

Re: KQL query for AntiVirus policy report

Hi @thomasdefise

Thanks for the reply. I understand that you can check the event logs for the machine, but can I get the same information using a KQL query?

Also, do you know where the KQL query is pulling the ConfigurationID information from?

Thanks for the reply.
0 Likes
Reply
Kausd

‎Mar 14 2022 09:28 PM

‎Mar 14 2022 09:28 PM

Re: KQL query for AntiVirus policy report

@Maddenk 

 

You could join the two tables mentioned in the query and get a list of configuration id's that are related to your environment 

 

DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0 // you can remove this line to get all the configuration Id's and then filter later if needed.
| join kind=innerunique (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
 
Kausd_0-1647318392226.png

 

 
0 Likes
Reply