Query Details

MDE - TVM - Security Configuration - Attack Surface Reduction Rules

MDE TVM Security Controls ASR

Query

//  Security Controls - Attack Surface Reduction - Compliance Summary 
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2514","scid-2513","scid-2512","scid-2511","scid-2510","scid-2509","scid-2508","scid-2507","scid-2506","scid-2505","scid-2504","scid-2503","scid-2502","scid-2501","scid-2500")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId, DeviceName
| extend Configuration = case(
    ConfigurationId == "scid-2541", "BlockPersWMIEventSubscr",
    ConfigurationId == "scid-2513", "BlockAdobeChildProcess",
    ConfigurationId == "scid-2512", "BlockAsrOfficeCommAppChildProcess",
    ConfigurationId == "scid-2511", "BlockAsrUntrustedUsbProcess",
    ConfigurationId == "scid-2510", "BlockAsrPsexecWmiChildProcess",
    ConfigurationId == "scid-2509", "BlocAsrLsassCredentialTheft",
    ConfigurationId == "scid-2508", "AdvProtRansomware",
    ConfigurationId == "scid-2507", "BlockAsrUntrustedExecutable",
    ConfigurationId == "scid-2506", "BlockAsrOfficeMacroWin32ApiCalls",
    ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
    ConfigurationId == "scid-2504", "BlockJavaVBExecContent",
    ConfigurationId == "scid-2503", "BlockAsrOfficeProcessInjection",
    ConfigurationId == "scid-2502", "BlockAsrExecutableOfficeContent",
    ConfigurationId == "scid-2501", "BlockAsrOfficeChildProcess",
    ConfigurationId == "scid-2500", "BlockAsrExecutableEmailContent",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| summarize toint(Compliant = dcountif(DeviceId ,Result=="GOOD")) ,toint(NonCompliant = dcountif(DeviceId,Result=="BAD")), toint(NotApplicable = dcountif(DeviceId, Result =="N/A")) by Configuration, ConfigurationId
| join DeviceTvmSecureConfigurationAssessmentKB 
on $left.ConfigurationId == $right.ConfigurationId
| extend TotalDevices = toint((Compliant + NonCompliant + NotApplicable))
| extend PctCompliant = toint((Compliant*100) / TotalDevices)
| project ConfigurationName, ConfigurationSubcategory, Compliant,NonCompliant, NotApplicable,TotalDevices, PctCompliant, ConfigurationDescription, ConfigurationCategory, RiskDescription 
| sort by ConfigurationSubcategory
// | summarize by ConfigurationName, TotalDevices,Compliant,NonCompliant
// | render columnchart with(kind=stacked100)

About this query

Explanation

The first query retrieves the compliance status of Attack Surface Reduction Rules configuration. It summarizes the compliance status by device, configuration ID, and device name. It also provides additional information such as the configuration name, subcategory, compliance count, non-compliance count, and not applicable count. The results are sorted by configuration subcategory.

The second query retrieves the details of non-compliant devices for Attack Surface Reduction Rules configuration. It joins the results with additional configuration information and projects the device name, configuration name, subcategory, and category. The results are sorted by device name and configuration subcategory.

Details

Alex Verboon profile picture

Alex Verboon

Released: September 19, 2023

Tables

DeviceTvmSecureConfigurationAssessmentDeviceTvmSecureConfigurationAssessmentKB

Keywords

DeviceTvmSecureConfigurationAssessmentConfigurationIdDeviceIdDeviceNameConfigurationTimestampIsCompliantIsApplicableResultCompliantNonCompliantNotApplicableTotalDevicesPctCompliantConfigurationNameConfigurationSubcategoryConfigurationDescriptionConfigurationCategoryRiskDescription

Operators

|whereinsummarizearg_maxbyextendcaseon$left$righttointdcountifjoinprojectsort

Actions

GitHub