KQL query for AntiVirus policy report


Hello all,


Does anybody know of a KQL query that would return a list of AntiVirus policy configuration settings? I've been looking online and I can't find anything. I am aware of the 'Endpoint Status Report' AHQ. I'm looking for a similar query that would return a list of antivirus policy settings, such as Scan time, ControlledFolderAccessProtectedFolders, AttackSurfaceReductionOnlyExclusions, etc. What I'm really asking is to display some of the content from the Get-MpPreference command.


Side note: I've been searching all over the place for a list of all the ConfigurationId's (ConfigurationId == "scid-2000", "SensorEnabled",) that you can query against. Does anybody know if there is a complete list online I can view?

3 Replies

Hi @Maddenk 


One possibility is to look at what is available in the Windows Event Log:

  1. Applications and Services Logs > Microsoft > Windows > SENSE and click on Operational. cc Review events and errors using Event Viewer | Microsoft Docs

  2. Applications and Services Logs > Microsoft > Windows > Windows Defender and click on Operational cc Microsoft Defender Antivirus event IDs and error codes | Microsoft Docs

However, you may not find the information that is available through the Get-MpPreference PowerShell cmdlet.
If the goal is to have a desired state on machines managed by Azure (either within Azure or through Azure Arc), you could use Desired State Configuration. If the goal is to have an overview, maybe an Azure Automation runbook could help.

Kind Regards,

Hi @thomasdefise

Thanks for the reply. I understand that you can check the event logs for the machine, but can I get the same information using a KQL query?

Also, do you know where the KQL query is pulling the ConfigurationID information from?

Thanks for the reply.



You could join the two tables mentioned in the query and get a list of configuration id's that are related to your environment 


// Assumed tables (names inferred from the columns used): the TVM secure configuration assessment table and its KB table.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0 // you can remove this line to get all the configuration Id's and then filter later if needed.
| join kind=innerunique (
    DeviceTvmSecureConfigurationAssessmentKB
    | project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
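
Added example, not part of the original thread: a per-device roll-up of the Antivirus checks, assuming the two tables being joined are DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB from the advanced hunting schema. It reports the compliance state of each check, not the raw values that Get-MpPreference returns.

```kql
// Added example. Assumes the advanced hunting tables
// DeviceTvmSecureConfigurationAssessment and DeviceTvmSecureConfigurationAssessmentKB.
let AvChecks = DeviceTvmSecureConfigurationAssessmentKB
    | where ConfigurationSubcategory == "Antivirus"
    | project ConfigurationId, ConfigurationName;
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == "Antivirus" and IsApplicable == 1
// Keep only the most recent assessment per device and check.
| summarize arg_max(Timestamp, DeviceName, OSPlatform, IsCompliant) by DeviceId, ConfigurationId
| join kind=inner AvChecks on ConfigurationId
| extend Check = strcat(ConfigurationId, " ", ConfigurationName),
         State = iff(IsCompliant == 1, "Compliant", "NonCompliant")
// One row per device: a bag of check -> state, plus the failing check ids.
| summarize
    Checks = make_bag(bag_pack(Check, State)),
    Failing = make_set_if(ConfigurationId, IsCompliant == 0),
    FailingCount = countif(IsCompliant == 0)
    by DeviceId, DeviceName, OSPlatform
| order by FailingCount desc
```

Running the `let AvChecks` statement on its own returns the Antivirus configuration ids and names that the knowledge-base table holds.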