{"id":29687,"date":"2022-08-23T13:27:48","date_gmt":"2022-08-23T13:27:48","guid":{"rendered":"https:\/\/endusersupports.com\/?page_id=29687"},"modified":"2026-06-02T17:09:06","modified_gmt":"2026-06-02T17:09:06","slug":"kql-for-defender","status":"publish","type":"page","link":"https:\/\/endusersupports.com\/index.php\/kql-for-defender\/","title":{"rendered":"KQL for Defender"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"29687\" class=\"elementor elementor-29687\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7c41670 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7c41670\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3adb82c\" data-id=\"3adb82c\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ac4e8e5 elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"ac4e8e5\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<p><span style=\"color: #ffffff;\"><strong>Kusto Query Language (KQL) queries for Advanced Hunting (Microsoft Defender for Endpoint)&nbsp;<\/strong><\/span><\/p>\n<p><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-cf10fff elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"cf10fff\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-866a1f3\" data-id=\"866a1f3\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-6e3b1d7 elementor-widget elementor-widget-text-editor\" data-id=\"6e3b1d7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The KQL queries below check Microsoft Defender for Endpoint client details by area, such as antivirus definition status, antivirus product version, and firewall activity. The antivirus queries read the Context column of the scid-2011 (Defender Antivirus definitions) secure configuration assessment, in which parse_json(Context)[0][2] holds the signature last-update time and [0][3] the antivirus product version; the table holds the latest assessment per device, so the Timestamp filter only drops devices that have not reported within the window.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b2f4511 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b2f4511\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-43ef81d\" data-id=\"43ef81d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a6dd05f elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"a6dd05f\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p 
style=\"text-align: center;\"><strong>Virus Definition status<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-31c8fcf elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"31c8fcf\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-9d19d6a\" data-id=\"9d19d6a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c877abc elementor-widget elementor-widget-toggle\" data-id=\"c877abc\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;none&quot;}\" data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2101\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-2101\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Virus Definition Compliance Status<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div 
id=\"elementor-tab-content-2101\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-2101\"><div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where Timestamp &gt; ago(30d)<\/div>\n<div>| where ConfigurationId == 'scid-2011' and Context != '[]'<\/div>\n<div>| extend DefUpdate = todatetime(parse_json(Context)[0][2])<\/div>\n<div>| extend DefAge = datetime_diff('day', now(), DefUpdate)<\/div>\n<div>| extend DefAgeGroup = case(DefAge &lt; 7, '0 to 7 Days', DefAge &lt; 14, '7 to 14 Days', DefAge &lt; 30, '14 to 30 Days', 'More Than 30 Days')<\/div>\n<div>| summarize dcount(DeviceId) by DefAgeGroup<\/div>\n<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2102\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-2102\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Virus Definition Device List<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2102\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" aria-labelledby=\"elementor-tab-title-2102\"><div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where Timestamp &gt; ago(30d)<\/div>\n<div>| where ConfigurationId == 'scid-2011' and Context != '[]'<\/div>\n<div>| extend SigUpdate = 
todatetime(parse_json(Context)[0][2])<\/div>\n<div>| extend SigAge = datetime_diff('day', now(), SigUpdate)<\/div>\n<div>| project Timestamp, DeviceName, SigAge, SigUpdate<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2103\" class=\"elementor-tab-title\" data-tab=\"3\" role=\"button\" aria-controls=\"elementor-tab-content-2103\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Virus Definition Not Updated Device List<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2103\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"region\" aria-labelledby=\"elementor-tab-title-2103\"><div>\n<div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where Timestamp &gt; ago(30d)<\/div>\n<div>| where ConfigurationId == 'scid-2011' and Context != '[]'<\/div>\n<div>| extend SigUpdate = todatetime(parse_json(Context)[0][2])<\/div>\n<div>| extend SigAge = datetime_diff('day', now(), SigUpdate)<\/div>\n<div>| where SigAge &gt; 7<\/div>\n<div>| project Timestamp, DeviceName, SigAge, SigUpdate<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2104\" class=\"elementor-tab-title\" data-tab=\"4\" role=\"button\" aria-controls=\"elementor-tab-content-2104\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" 
aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Virus Definition status for a specific device<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2104\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"4\" role=\"region\" aria-labelledby=\"elementor-tab-title-2104\"><div>\n<div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where Timestamp &gt; ago(30d)<\/div>\n<div>| where ConfigurationId == 'scid-2011' and Context != '[]'<\/div>\n<div>| extend SigUpdate = todatetime(parse_json(Context)[0][2])<\/div>\n<div>| extend SigAge = datetime_diff('day', now(), SigUpdate)<\/div>\n<div>| where DeviceName contains &quot;lht00001&quot;<\/div>\n<div>| project Timestamp, DeviceName, SigAge, SigUpdate<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b9ed3fd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b9ed3fd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3aee401\" data-id=\"3aee401\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element 
elementor-element-39a1b16 elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"39a1b16\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\"><strong>Product AV Version Details<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-74d039e elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"74d039e\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3eeb7a2\" data-id=\"3eeb7a2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b28b163 elementor-widget elementor-widget-toggle\" data-id=\"b28b163\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;none&quot;}\" data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-1871\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-1871\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas 
fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Product AV version counts<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-1871\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-1871\"><div>\n<div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where ConfigurationId == &quot;scid-2011&quot;<\/div>\n<div>| where isnotempty(Context) and Context != &quot;[]&quot;<\/div>\n<div>| extend avdata = parse_json(Context)<\/div>\n<div>| extend AVProductVersion = tostring(avdata[0][3])<\/div>\n<div>| where isnotempty(AVProductVersion)<\/div>\n<div>| summarize DeviceCount = dcount(DeviceId) by AVProductVersion<\/div>\n<div>| order by DeviceCount desc<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-1872\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-1872\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Product AV version list<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-1872\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" 
aria-labelledby=\"elementor-tab-title-1872\"><div>\n<div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where ConfigurationId == &quot;scid-2011&quot;<\/div>\n<div>| where isnotempty(Context) and Context != &quot;[]&quot;<\/div>\n<div>| extend avdata = parse_json(Context)<\/div>\n<div>| extend AVProductVersion = tostring(avdata[0][3])<\/div>\n<div>| where isnotempty(AVProductVersion)<\/div>\n<div>| summarize arg_max(Timestamp, *) by DeviceId<\/div>\n<div>| project DeviceName, DeviceId, AVProductVersion, Timestamp<\/div>\n<div>| order by DeviceName asc<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-1873\" class=\"elementor-tab-title\" data-tab=\"3\" role=\"button\" aria-controls=\"elementor-tab-content-1873\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Product AV version for a specific device<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-1873\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"region\" aria-labelledby=\"elementor-tab-title-1873\"><div>\n<div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where ConfigurationId == &quot;scid-2011&quot;<\/div>\n<div>| where isnotempty(Context) and Context != &quot;[]&quot;<\/div>\n<div>| extend avdata = parse_json(Context)<\/div>\n<div>| extend AVProductVersion = tostring(avdata[0][3])<\/div>\n<div>| where isnotempty(AVProductVersion)<\/div>\n<div>| summarize arg_max(Timestamp, *) by DeviceId<\/div>\n<div>| where 
DeviceName contains &quot;lht00001&quot;<\/div>\n<div>| project DeviceName, DeviceId, AVProductVersion, Timestamp<\/div>\n<div>| order by DeviceName asc<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-1874\" class=\"elementor-tab-title\" data-tab=\"4\" role=\"button\" aria-controls=\"elementor-tab-content-1874\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Devices with a specific product AV version<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-1874\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"4\" role=\"region\" aria-labelledby=\"elementor-tab-title-1874\"><div>\n<div>DeviceTvmSecureConfigurationAssessment<\/div>\n<div>| where ConfigurationId == &quot;scid-2011&quot;<\/div>\n<div>| where isnotempty(Context) and Context != &quot;[]&quot;<\/div>\n<div>| extend avdata = parse_json(Context)<\/div>\n<div>| extend AVProductVersion = tostring(avdata[0][3])<\/div>\n<div>| where isnotempty(AVProductVersion)<\/div>\n<div>| summarize arg_max(Timestamp, *) by DeviceId<\/div>\n<div>| where AVProductVersion == &quot;4.18.23.0.0&quot;<\/div>\n<div>| project DeviceName, DeviceId, AVProductVersion, Timestamp<\/div>\n<div>| order by DeviceName asc<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element 
elementor-element-a84b70c elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a84b70c\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-32e5927\" data-id=\"32e5927\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-23b0394 elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"23b0394\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\"><strong>Firewall\u00a0<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-5784689 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"5784689\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3efb004\" data-id=\"3efb004\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c177f25 elementor-widget elementor-widget-toggle\" data-id=\"c177f25\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;none&quot;}\" 
data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2021\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-2021\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Check blocked network connections<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2021\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-2021\"><p>DeviceNetworkEvents<br \/>| where ActionType == &quot;ConnectionBlocked&quot;<br \/>| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName<br \/>| sort by Timestamp desc<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2022\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-2022\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a 
class=\"elementor-toggle-title\" tabindex=\"0\">Check inbound connection blocks<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2022\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" aria-labelledby=\"elementor-tab-title-2022\"><p>DeviceNetworkEvents<br \/>| where ActionType == &quot;InboundConnectionBlocked&quot;<br \/>| summarize BlockCount = count() by RemoteIP, DeviceName, bin(Timestamp, 1h)<br \/>| sort by BlockCount desc<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2023\" class=\"elementor-tab-title\" data-tab=\"3\" role=\"button\" aria-controls=\"elementor-tab-content-2023\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Check outbound connection blocks<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2023\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"region\" aria-labelledby=\"elementor-tab-title-2023\"><p>DeviceNetworkEvents<br \/>| where ActionType == &quot;ConnectionBlocked&quot;<br \/>| where InitiatingProcessFileName !in~ (&quot;chrome.exe&quot;, &quot;msedge.exe&quot;, &quot;firefox.exe&quot;)<br \/>| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2024\" class=\"elementor-tab-title\" data-tab=\"4\" role=\"button\" aria-controls=\"elementor-tab-content-2024\" 
aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Check firewall blocks for all connections<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2024\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"4\" role=\"region\" aria-labelledby=\"elementor-tab-title-2024\"><p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">DeviceEvents<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| where Timestamp &gt; ago(30d)<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| where ActionType in~ (&quot;FirewallOutboundConnectionBlocked&quot;, &quot;FirewallInboundConnectionBlocked&quot;, &quot;FirewallOutboundConnectionToAppBlocked&quot;)<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| project DeviceName, Timestamp, InitiatingProcessFileName, InitiatingProcessParentFileName, RemoteIP, RemotePort, LocalIP, LocalPort, ActionType<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">\/\/| where DeviceName contains &quot;&quot;<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2025\" class=\"elementor-tab-title\" data-tab=\"5\" role=\"button\" aria-controls=\"elementor-tab-content-2025\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span 
class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Traffic to a specific port on one device (RDP 3389 example)<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2025\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"5\" role=\"region\" aria-labelledby=\"elementor-tab-title-2025\"><p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">DeviceNetworkEvents<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| where Timestamp &gt; ago(7d)<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| project Timestamp, DeviceName, ActionType, RemoteIP, RemotePort, RemoteUrl, LocalIP, LocalPort, Protocol, LocalIPType, InitiatingProcessFileName<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">\/\/| where ActionType == &quot;ConnectionFailed&quot;<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| where RemotePort == 3389<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| where DeviceName contains &quot;desktop-3jtb9c6&quot;<\/p>\n<p style=\"margin: 0in; font-family: Consolas; font-size: 10.5pt; color: black;\">| order by Timestamp desc<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2026\" class=\"elementor-tab-title\" data-tab=\"6\" role=\"button\" aria-controls=\"elementor-tab-content-2026\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i 
class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Check who modified firewall rules<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2026\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"6\" role=\"region\" aria-labelledby=\"elementor-tab-title-2026\"><p>DeviceEvents<br \/>| where ActionType in (&quot;FirewallRuleAdded&quot;, &quot;FirewallRuleModified&quot;, &quot;FirewallRuleDeleted&quot;)<br \/>| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName<br \/>| sort by Timestamp desc<\/p><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2027\" class=\"elementor-tab-title\" data-tab=\"7\" role=\"button\" aria-controls=\"elementor-tab-content-2027\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Top blocked ports<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2027\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"7\" role=\"region\" aria-labelledby=\"elementor-tab-title-2027\"><div class=\"scriptor-paragraph\">DeviceNetworkEvents<\/div>\n<div class=\"scriptor-paragraph\">| where ActionType == &quot;ConnectionBlocked&quot;<\/div>\n<div class=\"scriptor-paragraph\">| summarize Count = count() by RemotePort<\/div>\n<div 
class=\"scriptor-paragraph\">| sort by Count desc<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2028\" class=\"elementor-tab-title\" data-tab=\"8\" role=\"button\" aria-controls=\"elementor-tab-content-2028\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">High-volume blocked activity<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2028\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"8\" role=\"region\" aria-labelledby=\"elementor-tab-title-2028\"><div class=\"scriptor-paragraph\">DeviceNetworkEvents<\/div>\n<div class=\"scriptor-paragraph\">| where ActionType == &quot;ConnectionBlocked&quot;<\/div>\n<div class=\"scriptor-paragraph\">| summarize BlockCount = count() by DeviceName, bin(Timestamp, 5m)<\/div>\n<div class=\"scriptor-paragraph\">| where BlockCount &gt; 200<\/div>\n<div class=\"scriptor-paragraph\">| sort by BlockCount desc<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2029\" class=\"elementor-tab-title\" data-tab=\"9\" role=\"button\" aria-controls=\"elementor-tab-content-2029\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span 
class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Advanced: Firewall Health and Risk View<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2029\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"9\" role=\"region\" aria-labelledby=\"elementor-tab-title-2029\"><div class=\"scriptor-paragraph\">DeviceInfo<\/div>\n<div class=\"scriptor-paragraph\">| summarize LastSeen = max(Timestamp) by DeviceName<\/div>\n<div class=\"scriptor-paragraph\">| join kind=leftouter (<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 DeviceEvents<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 | where ActionType in (&#8220;FirewallDisabled&#8221;)<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 | summarize FirewallDisabledCount = count() by DeviceName<\/div>\n<div class=\"scriptor-paragraph\">) on DeviceName<\/div>\n<div class=\"scriptor-paragraph\">| join kind=leftouter (<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 DeviceNetworkEvents<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 | where ActionType == &#8220;ConnectionBlocked&#8221;<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 | summarize BlockedConnections = count() by DeviceName<\/div>\n<div class=\"scriptor-paragraph\">) on DeviceName<\/div>\n<div class=\"scriptor-paragraph\">| extend RiskLevel = case(<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 FirewallDisabledCount &gt; 0, &#8220;High Risk&#8221;,<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 BlockedConnections &gt; 1000, &#8220;Medium Risk&#8221;,<\/div>\n<div class=\"scriptor-paragraph\">\u00a0\u00a0\u00a0 &#8220;Normal&#8221;<\/div>\n<div class=\"scriptor-paragraph\">)<\/div>\n<div class=\"scriptor-paragraph\">| project DeviceName, LastSeen, FirewallDisabledCount, 
BlockedConnections, RiskLevel<!--ScriptorEndFragment--><\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b9e59ce elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b9e59ce\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-822c945\" data-id=\"822c945\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-d32979e elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"d32979e\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\"><strong>KQL for ASR and EDR\u00a0<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-92c55f7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"92c55f7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-670d4e5\" data-id=\"670d4e5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div 
class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-efcc495 elementor-widget elementor-widget-toggle\" data-id=\"efcc495\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;none&quot;}\" data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2511\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-2511\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR Rule blocked<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2511\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-2511\"><pre>\/\/ There is no generic AsrRuleBlocked action type: every ASR rule has its own Asr*Blocked \/ Asr*Audited name\nDeviceEvents\n| where ActionType startswith \"Asr\" and ActionType endswith \"Blocked\"\n| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName, AdditionalFields\n| sort by Timestamp desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2512\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-2512\" 
aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR Rule audit<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2512\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" aria-labelledby=\"elementor-tab-title-2512\"><pre>\/\/ Audit-mode hits: what a rule would have blocked had it been enforced\nDeviceEvents\n| where ActionType startswith \"Asr\" and ActionType endswith \"Audited\"\n| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName\n| sort by Timestamp desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2513\" class=\"elementor-tab-title\" data-tab=\"3\" role=\"button\" aria-controls=\"elementor-tab-content-2513\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Blocked by ASR<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2513\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"region\" 
aria-labelledby=\"elementor-tab-title-2513\"><pre>\/\/ Same idea using the IsAudit flag inside AdditionalFields instead of the ActionType suffix\nDeviceEvents\n| where ActionType startswith \"Asr\"\n| extend IsAudit = tostring(parse_json(AdditionalFields).IsAudit)\n| where IsAudit == \"false\"\n| project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2514\" class=\"elementor-tab-title\" data-tab=\"4\" role=\"button\" aria-controls=\"elementor-tab-content-2514\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR Trigger Pivot<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2514\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"4\" role=\"region\" aria-labelledby=\"elementor-tab-title-2514\"><pre class=\"notranslate\"><code>\/\/ One row per device, one column per ASR action type, cell = number of triggers\nDeviceEvents\n| where ActionType startswith 'Asr'\n| project DeviceName, ActionType\n| evaluate pivot(ActionType)<\/code><\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2515\" class=\"elementor-tab-title\" data-tab=\"5\" role=\"button\" aria-controls=\"elementor-tab-content-2515\" 
aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR blocks by device<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2515\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"5\" role=\"region\" aria-labelledby=\"elementor-tab-title-2515\"><pre>DeviceEvents\n| where ActionType startswith \"Asr\" and ActionType endswith \"Blocked\"\n| summarize BlockCount = count() by DeviceName\n| sort by BlockCount desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2516\" class=\"elementor-tab-title\" data-tab=\"6\" role=\"button\" aria-controls=\"elementor-tab-content-2516\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR blocks by application<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2516\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"6\" role=\"region\" 
aria-labelledby=\"elementor-tab-title-2516\"><pre>\/\/ Which parent process keeps tripping ASR rules\nDeviceEvents\n| where ActionType startswith \"Asr\" and ActionType endswith \"Blocked\"\n| summarize Count = count() by InitiatingProcessFileName\n| sort by Count desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2517\" class=\"elementor-tab-title\" data-tab=\"7\" role=\"button\" aria-controls=\"elementor-tab-content-2517\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Suspicious activity from Microsoft Office<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2517\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"7\" role=\"region\" aria-labelledby=\"elementor-tab-title-2517\"><pre>\/\/ ASR blocks where an Office application was the initiating process (macro \/ child-process abuse)\nDeviceEvents\n| where ActionType startswith \"Asr\" and ActionType endswith \"Blocked\"\n| where InitiatingProcessFileName in~ (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")\n| project Timestamp, DeviceName, ActionType, InitiatingProcessFileName, FileName\n| sort by Timestamp desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2518\" class=\"elementor-tab-title\" data-tab=\"8\" role=\"button\" 
aria-controls=\"elementor-tab-content-2518\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR rule blocks per device<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2518\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"8\" role=\"region\" aria-labelledby=\"elementor-tab-title-2518\"><pre>\/\/ The ActionType itself names the rule, so group on it rather than on a parsed RuleId\nDeviceEvents\n| where ActionType startswith \"Asr\" and ActionType endswith \"Blocked\"\n| summarize BlockCount = count() by DeviceName, Rule = ActionType\n| sort by BlockCount desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2519\" class=\"elementor-tab-title\" data-tab=\"9\" role=\"button\" aria-controls=\"elementor-tab-content-2519\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Devices with no ASR 
activity<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2519\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"9\" role=\"region\" aria-labelledby=\"elementor-tab-title-2519\"><pre>\/\/ Newest DeviceInfo row per device, then keep the devices that never produced an ASR event in the retention window\nDeviceInfo\n| summarize arg_max(Timestamp, *) by DeviceId\n| join kind=leftouter (\n    DeviceEvents\n    | where ActionType startswith \"Asr\"\n    | summarize LastASR = max(Timestamp) by DeviceId\n) on DeviceId\n| where isnull(LastASR)\n| project DeviceName, OSPlatform, SensorHealthState<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-25110\" class=\"elementor-tab-title\" data-tab=\"10\" role=\"button\" aria-controls=\"elementor-tab-content-25110\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">ASR Ransomware attack details<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-25110\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"10\" role=\"region\" aria-labelledby=\"elementor-tab-title-25110\"><pre>DeviceEvents\n| where ingestion_time() &gt; ago(30d)\n| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')\n| summarize arg_max(Timestamp, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), InitiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName\n| project Timestamp, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, InitiatingProcesses<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-25111\" class=\"elementor-tab-title\" data-tab=\"11\" role=\"button\" aria-controls=\"elementor-tab-content-25111\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">EDR Status<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-25111\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"11\" 
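The ASR queries above each answer one question (blocked, audited, per device, per application). As an added example, not code from the original page, the query below normalises every Asr*Blocked / Asr*Audited event into a rule name and a mode in one pass, cross-checks the mode against the IsAudit flag the page's "Blocked by ASR" query reads from AdditionalFields, and summarises. The datatable is a constructed stand-in for DeviceEvents (device and process names are made up; the ActionType values are documented Asr* names); swap it for `DeviceEvents` in Advanced Hunting.

```kql
// Added example, not from the page: one query over ASR telemetry yielding rule, mode and volume.
// Sample rows are constructed; replace the datatable with `DeviceEvents` in Advanced Hunting.
// The last row deliberately has a suffix (Blocked) that disagrees with IsAudit=true and is dropped.
let AsrEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string,
                          InitiatingProcessFileName:string, FileName:string, AdditionalFields:string) [
    datetime(2025-01-10 09:00:00), "wks-01", "AsrOfficeChildProcessBlocked",    "winword.exe",  "cmd.exe",        '{"IsAudit":false}',
    datetime(2025-01-10 09:05:00), "wks-01", "AsrOfficeChildProcessBlocked",    "excel.exe",    "powershell.exe", '{"IsAudit":false}',
    datetime(2025-01-10 09:07:00), "wks-02", "AsrLsassCredentialTheftAudited",  "procdump.exe", "lsass.exe",      '{"IsAudit":true}',
    datetime(2025-01-10 09:09:00), "wks-02", "AsrPsexecWmiChildProcessBlocked", "wmiprvse.exe", "cmd.exe",        '{"IsAudit":false}',
    datetime(2025-01-10 09:12:00), "wks-03", "AsrRansomwareAudited",            "explorer.exe", "invoice.exe",    '{"IsAudit":true}',
    datetime(2025-01-10 09:15:00), "wks-03", "AsrRansomwareBlocked",            "explorer.exe", "invoice.exe",    '{"IsAudit":true}',
];
AsrEvents
| where ActionType startswith "Asr"
// The rule is the middle of the ActionType; the suffix says whether it enforced or only audited
| extend Rule = extract(@"^Asr(.+?)(Blocked|Audited)$", 1, ActionType),
         Mode = case(ActionType endswith "Blocked", "Block",
                     ActionType endswith "Audited", "Audit",
                     "Unknown")
| extend IsAudit = tostring(parse_json(AdditionalFields).IsAudit) == "true"
// Keep only rows where the ActionType suffix and the IsAudit flag agree
| where (Mode == "Audit") == IsAudit
| summarize Events = count(), Devices = dcount(DeviceName),
            Initiators = make_set(InitiatingProcessFileName) by Rule, Mode
| sort by Events desc
```

On the sample rows this returns OfficeChildProcess/Block with 2 events, and one event each for PsexecWmiChildProcess/Block, LsassCredentialTheft/Audit and Ransomware/Audit; the inconsistent sixth row is discarded. Grouping on Rule and Mode rather than the raw ActionType is what lets a rule's audit-mode noise be compared with its block-mode hits before it is switched to enforce.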
role=\"region\" aria-labelledby=\"elementor-tab-title-25111\"><pre>\/\/ any() picks an arbitrary DeviceInfo row; take the newest row per device so the health and onboarding state are current\nDeviceInfo\n| summarize arg_max(Timestamp, *) by DeviceId\n| extend LastSeen = Timestamp\n| extend EDRStatus = case(\n    OnboardingStatus != \"Onboarded\", \"Not Onboarded\",\n    SensorHealthState != \"Active\", \"Sensor Issue\",\n    LastSeen &lt; ago(3d), \"No Recent Check-in\",\n    \"Active\")\n| project DeviceName, LastSeen, SensorHealthState, OnboardingStatus, EDRStatus\n| order by EDRStatus asc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-44b0db1 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"44b0db1\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5abf1f0\" data-id=\"5abf1f0\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-e80e815 elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"e80e815\" data-element_type=\"widget\" 
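The "Firewall Health and Risk View", "Devices with no ASR activity" and "EDR Status" queries all share two traps: DeviceInfo holds many rows per device, so a summarize must pick the newest row (arg_max) rather than an arbitrary one (any), and a leftouter join leaves null counts for devices with no events, which case() silently treats as "not greater than" and any arithmetic turns into null. The query below is an added example, not from the original page, that does both correctly over constructed stand-ins for DeviceInfo and DeviceEvents (device names, ids and timestamps are made up; the fixed AsOf date replaces now() so the result is reproducible).

```kql
// Added example, not from the page: latest device state joined with activity counts, nulls handled.
// Constructed stand-ins; replace Devices with DeviceInfo and Blocks with DeviceEvents in Advanced Hunting.
// wks-01 has an older Active row and a newer Inactive row: arg_max must pick the Inactive one.
let Devices = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string,
                        SensorHealthState:string, OnboardingStatus:string) [
    datetime(2025-01-01 08:00:00), "d1", "wks-01", "Active",   "Onboarded",
    datetime(2025-01-12 08:00:00), "d1", "wks-01", "Inactive", "Onboarded",
    datetime(2025-01-12 08:00:00), "d2", "wks-02", "Active",   "Onboarded",
    datetime(2025-01-12 08:00:00), "d3", "wks-03", "Active",   "Can be onboarded",
];
let Blocks = datatable(Timestamp:datetime, DeviceName:string, ActionType:string) [
    datetime(2025-01-12 09:00:00), "wks-01", "FirewallInboundConnectionBlocked",
    datetime(2025-01-12 09:01:00), "wks-01", "FirewallOutboundConnectionBlocked",
    datetime(2025-01-12 09:02:00), "wks-02", "AsrOfficeChildProcessBlocked",
];
let AsOf = datetime(2025-01-13 00:00:00);   // fixed "now" for a reproducible example
Devices
| summarize arg_max(Timestamp, *) by DeviceId          // newest row per device, all its columns
| extend LastSeen = Timestamp
| join kind=leftouter (
    Blocks
    | where ActionType startswith "Firewall"
    | summarize FirewallBlocks = count() by DeviceName
) on DeviceName
| join kind=leftouter (
    Blocks
    | where ActionType startswith "Asr"
    | summarize AsrEvents = count(), LastAsr = max(Timestamp) by DeviceName
) on DeviceName
// Devices without events come back with null counts; make them real zeros before comparing or adding
| extend FirewallBlocks = coalesce(FirewallBlocks, long(0)), AsrEvents = coalesce(AsrEvents, long(0))
| extend EDRStatus = case(OnboardingStatus != "Onboarded", "Not Onboarded",
                          SensorHealthState != "Active",   "Sensor Issue",
                          LastSeen < AsOf - 3d,            "No Recent Check-in",
                          "Active")
| extend NoAsrTelemetry = isnull(LastAsr)               // the null itself is the signal here
| project DeviceName, LastSeen, EDRStatus, FirewallBlocks, AsrEvents, NoAsrTelemetry
| order by EDRStatus asc
```

Expected rows: wks-01 is "Sensor Issue" (its newest row is Inactive) with 2 firewall blocks, 0 ASR events and NoAsrTelemetry true; wks-02 is "Active" with 0 and 1; wks-03 is "Not Onboarded" with zeros and no ASR telemetry. Had the first summarize used any(SensorHealthState), wks-01 could have been reported as healthy.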
data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\"><strong>KQL Query for USB Device Control Policy<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-8b8fdbd elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"8b8fdbd\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6a70a09\" data-id=\"6a70a09\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c6e70ec elementor-widget elementor-widget-toggle\" data-id=\"c6e70ec\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;none&quot;}\" data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2081\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-2081\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas 
fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Check USB Device Write or Deny status<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2081\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-2081\"><div class=\"scriptor-paragraph\">\n<div>\n<div>DeviceEvents<\/div>\n<div>| where ActionType == &#8220;RemovableStoragePolicyTriggered&#8221;<\/div>\n<div>| extend parsed=parse_json(AdditionalFields)<\/div>\n<div>| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)<\/div>\n<div>| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)<\/div>\n<div>| extend MediaBusType = tostring(parsed.BusType)<\/div>\n<div>| extend MediaClassGuid = tostring(parsed.ClassGuid)<\/div>\n<div>| extend MediaDeviceId = tostring(parsed.DeviceId)<\/div>\n<div>| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)<\/div>\n<div>| extend MediaName = tostring(parsed.MediaName)<\/div>\n<div>| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)<\/div>\n<div>| project Timestamp, DeviceId, DeviceName, ActionType, RemovableStorageAccess,<\/div>\n<div>RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaDeviceId,<\/div>\n<div>MediaInstanceId, MediaName, RemovableStoragePolicy<\/div>\n<div>| where RemovableStoragePolicyVerdict == &#8220;Deny&#8221;<\/div>\n<div>| where DeviceName contains &#8220;LHT00001&#8221;<\/div>\n<div>| order by Timestamp desc<\/div>\n<\/div>\n<\/div>\n<div class=\"scriptor-paragraph\"><!--ScriptorEndFragment--><\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-2082\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-2082\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span 
class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">USB Device Connectors<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-2082\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" aria-labelledby=\"elementor-tab-title-2082\"><pre>DeviceEvents\n| <span class=\"pl-k\">where<\/span> ActionType == <span class=\"pl-s\">\"PnpDeviceConnected\"<\/span>\n| <span class=\"pl-k\">extend<\/span> PNPInfo = <span class=\"pl-c1\">parse_json<\/span>(AdditionalFields)\n| <span class=\"pl-k\">extend<\/span> ClassName = <span class=\"pl-c1\">tostring<\/span>(PNPInfo.ClassName), DeviceDescription = <span class=\"pl-c1\">tostring<\/span>(PNPInfo.DeviceDescription), VendorIds = <span class=\"pl-c1\">tostring<\/span>(PNPInfo.VendorIds), DeviceId = <span class=\"pl-c1\">tostring<\/span>(PNPInfo.DeviceId)\n| <span class=\"pl-k\">extend<\/span> PnPType = <span class=\"pl-c1\">tostring<\/span>(<span class=\"pl-c1\">split<\/span>(DeviceId, @<span class=\"pl-s\">\"\\\"<\/span>, <span class=\"pl-c1\">0<\/span>)[<span class=\"pl-c1\">0<\/span>])\n| <span class=\"pl-k\">where<\/span> PnPType == <span class=\"pl-s\">\"USB\"<\/span>\n| <span class=\"pl-k\">project<\/span>-reorder ClassName, PnPType, DeviceDescription, VendorIds, DeviceId\n| <span class=\"pl-k\">summarize<\/span> TotalEvents = <span class=\"pl-c1\">count<\/span>() <span class=\"pl-k\">by<\/span> DeviceDescription\n| <span class=\"pl-k\">sort<\/span> <span class=\"pl-k\">by<\/span> 
TotalEvents<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-66c607f elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"66c607f\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3374ed8\" data-id=\"3374ed8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-bd2f21d elementor-invisible elementor-widget elementor-widget-text-editor\" data-id=\"bd2f21d\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;}\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\"><strong>General KQL Query\u00a0<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-7795f30 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"7795f30\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-4e184b8\" data-id=\"4e184b8\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap 
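The two device control queries above look at plug-in events and policy verdicts separately. As an added example, not from the original page, the query below ties a Deny verdict to the USB hardware that caused it by joining RemovableStoragePolicyTriggered to the PnpDeviceConnected event on the same device within a short window. The datatable is a constructed stand-in for DeviceEvents; the AdditionalFields keys are the ones the page's own queries parse (ClassName, DeviceDescription, VendorIds, DeviceId for PnpDeviceConnected; RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaName, BusType, DeviceInstanceId, RemovableStoragePolicy for the policy event), and it assumes the PnP DeviceId and the policy event's DeviceInstanceId carry the same instance path, which should be confirmed against real tenant data.

```kql
// Added example, not from the page: correlate a device control Deny with the USB device plugged in just before it.
// Constructed stand-in for DeviceEvents; replace Events with DeviceEvents in Advanced Hunting.
// Assumption: PnpDeviceConnected.DeviceId and RemovableStoragePolicyTriggered.DeviceInstanceId share the same PnP instance path.
let Events = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, AdditionalFields:string) [
    datetime(2025-01-10 10:00:00), "wks-01", "PnpDeviceConnected",
        @'{"ClassName":"USB","DeviceDescription":"SanDisk Ultra USB Device","VendorIds":"0781","DeviceId":"USB\\VID_0781&PID_5581\\4C530001"}',
    datetime(2025-01-10 10:00:05), "wks-01", "RemovableStoragePolicyTriggered",
        @'{"RemovableStorageAccess":"Write","RemovableStoragePolicyVerdict":"Deny","MediaName":"SanDisk Ultra","BusType":"USB","DeviceInstanceId":"USB\\VID_0781&PID_5581\\4C530001","RemovableStoragePolicy":"Block write"}',
    datetime(2025-01-10 11:30:00), "wks-02", "PnpDeviceConnected",
        @'{"ClassName":"HIDClass","DeviceDescription":"USB Keyboard","VendorIds":"046D","DeviceId":"USB\\VID_046D&PID_C31C\\6&1A2B"}',
    datetime(2025-01-10 12:00:00), "wks-03", "RemovableStoragePolicyTriggered",
        @'{"RemovableStorageAccess":"Read","RemovableStoragePolicyVerdict":"Allow","MediaName":"Kingston DT","BusType":"USB","DeviceInstanceId":"USB\\VID_0951&PID_1666\\E0D5","RemovableStoragePolicy":"Audit read"}',
];
// Plug-in events, restricted to the USB bus by the prefix of the PnP instance path
let PlugIns = Events
| where ActionType == "PnpDeviceConnected"
| extend f = parse_json(AdditionalFields)
| extend PnpDeviceId = tostring(f.DeviceId), Description = tostring(f.DeviceDescription)
| where PnpDeviceId startswith "USB\\"
| project PlugTime = Timestamp, DeviceName, PnpDeviceId, Description;
// Device control verdicts with the fields flattened out of AdditionalFields
let Verdicts = Events
| where ActionType == "RemovableStoragePolicyTriggered"
| extend f = parse_json(AdditionalFields)
| project VerdictTime = Timestamp, DeviceName,
          InstanceId = tostring(f.DeviceInstanceId),
          Access = tostring(f.RemovableStorageAccess),
          Verdict = tostring(f.RemovableStoragePolicyVerdict),
          Policy = tostring(f.RemovableStoragePolicy);
Verdicts
| where Verdict == "Deny"
| join kind=leftouter PlugIns on DeviceName, $left.InstanceId == $right.PnpDeviceId
// keep the verdict even if no plug-in was captured, but only pair it with a plug-in from the preceding 10 minutes
| where isnull(PlugTime) or VerdictTime between (PlugTime .. (PlugTime + 10m))
| project VerdictTime, DeviceName, Verdict, Access, Policy, Description, InstanceId
```

On the sample rows only the wks-01 write Deny survives, paired with the "SanDisk Ultra USB Device" plug-in five seconds earlier; the wks-03 Allow is filtered out and the wks-02 keyboard never triggers a policy. The leftouter join keeps a Deny whose plug-in was missed by the sensor, which is the case worth investigating rather than dropping.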
elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-2ce90d5 elementor-widget elementor-widget-toggle\" data-id=\"2ce90d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_animation&quot;:&quot;none&quot;}\" data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4701\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-4701\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Device Health Status<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4701\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-4701\"><pre>\/\/ Secure configuration assessment: scid-2010 carries the Defender Antivirus running mode, scid-2011 the signature and engine versions\nlet avmodetable = DeviceTvmSecureConfigurationAssessment\n| where ConfigurationId == \"scid-2010\" and isnotnull(Context)\n| extend avdata = parse_json(Context)\n| extend AVMode = case(tostring(avdata[0][0]) == '0', 'Active',\n                       tostring(avdata[0][0]) == '1', 'Passive',\n                       tostring(avdata[0][0]) == '2', 'SxS Passive',\n                       tostring(avdata[0][0]) == '4', 'EDR Blocked',\n                       'Unknown')\n| project DeviceId, AVMode;\nDeviceTvmSecureConfigurationAssessment\n| where ConfigurationId == \"scid-2011\" and isnotnull(Context)\n| extend avdata = parse_json(Context)\n| extend AVSigVersion = tostring(avdata[0][0])\n| extend AVEngineVersion = tostring(avdata[0][1])\n| extend AVSigLastUpdateTime = tostring(avdata[0][2])\n| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable\n| join kind=inner avmodetable on DeviceId\n| project-away DeviceId1<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4702\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-4702\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Device Scanning Details<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4702\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" aria-labelledby=\"elementor-tab-title-4702\"><pre>DeviceEvents\n| where ActionType in (\"AntivirusScanCompleted\", \"AntivirusScanCancelled\")\n| extend A = parse_json(AdditionalFields)\n| project Timestamp, DeviceName, ActionType, ScanType = tostring(A.ScanTypeIndex), StartedBy = tost
ring(A.User)\n| sort by Timestamp desc<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div 
class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4703\" class=\"elementor-tab-title\" data-tab=\"3\" role=\"button\" aria-controls=\"elementor-tab-content-4703\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Devices not onboarded in Defender<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4703\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"region\" aria-labelledby=\"elementor-tab-title-4703\"><div>\n<div>let CanBeOnboarded = \"Can be onboarded\";<\/div>\n<div>DeviceInfo<\/div>\n<div>| summarize arg_max(Timestamp, *) by DeviceId<\/div>\n<div>| where OnboardingStatus == CanBeOnboarded<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4704\" class=\"elementor-tab-title\" data-tab=\"4\" role=\"button\" aria-controls=\"elementor-tab-content-4704\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Defender Discovery Activities<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4704\" 
class=\"elementor-tab-content elementor-clearfix\" data-tab=\"4\" role=\"region\" aria-labelledby=\"elementor-tab-title-4704\"><pre><span class=\"pl-k\">let<\/span> <span class=\"pl-e\">ProcessBased <\/span>= DeviceProcessEvents\n| <span class=\"pl-k\">where<\/span> ProcessCommandLine <span class=\"pl-k\">has<\/span> <span class=\"pl-s\">\"Get-MpPreference\"<\/span>\n| <span class=\"pl-k\">extend<\/span> Table = <span class=\"pl-s\">\"DeviceProcessEvents\"<\/span>\n| <span class=\"pl-k\">project<\/span>-reorder Table, Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName;\n<span class=\"pl-k\">let<\/span> <span class=\"pl-e\">EventBased <\/span>= DeviceEvents\n| <span class=\"pl-k\">extend<\/span> Command = <span class=\"pl-c1\">parse_json<\/span>(AdditionalFields).Command\n| <span class=\"pl-k\">where<\/span>  Command == <span class=\"pl-s\">\"Get-MpPreference\"<\/span>\n| <span class=\"pl-k\">extend<\/span> ScriptLocation = <span class=\"pl-c1\">extract<\/span>(@<span class=\"pl-s\">\"literalPath '(.*?)'\"<\/span>, <span class=\"pl-c1\">0<\/span>, InitiatingProcessCommandLine)\n| <span class=\"pl-k\">extend<\/span> Table = <span class=\"pl-s\">\"DeviceEvents\"<\/span>\n| <span class=\"pl-k\">project<\/span>-reorder Table, Timestamp, DeviceName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, ScriptLocation;\n<span class=\"pl-k\">union<\/span> ProcessBased, EventBased<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4705\" class=\"elementor-tab-title\" data-tab=\"5\" role=\"button\" aria-controls=\"elementor-tab-content-4705\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i 
class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Defender Exclusions Events<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4705\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"5\" role=\"region\" aria-labelledby=\"elementor-tab-title-4705\"><pre><span class=\"pl-k\">let<\/span> <span class=\"pl-e\">ExclusionOptions <\/span>= <span class=\"pl-k\">dynamic<\/span>([<span class=\"pl-s\">'ExclusionPath'<\/span>, <span class=\"pl-s\">'ExclusionExtension'<\/span>, <span class=\"pl-s\">'ExclusionProcess'<\/span>, <span class=\"pl-s\">'ExclusionIpAddress'<\/span>]);\n<span class=\"pl-k\">let<\/span> <span class=\"pl-e\">Modules <\/span>= <span class=\"pl-k\">dynamic<\/span>([<span class=\"pl-s\">'Add-MpPreference'<\/span>,<span class=\"pl-s\">'Set-MpPreference'<\/span>]);\n<span class=\"pl-k\">let<\/span> <span class=\"pl-e\">CommandLineExecutions <\/span>= DeviceProcessEvents\n    | <span class=\"pl-k\">where<\/span> ProcessCommandLine has_any (Modules) <span class=\"pl-k\">and<\/span> ProcessCommandLine has_any (ExclusionOptions);\n<span class=\"pl-k\">let<\/span> <span class=\"pl-e\">PowerShellExecutions <\/span>= DeviceEvents\n    | <span class=\"pl-k\">where<\/span> ActionType == <span class=\"pl-s\">'PowerShellCommand'<\/span> \n    | <span class=\"pl-k\">where<\/span> AdditionalFields  has_any (Modules) <span class=\"pl-k\">and<\/span> AdditionalFields has_any (ExclusionOptions);\n<span class=\"pl-k\">union<\/span> PowerShellExecutions, CommandLineExecutions<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4706\" class=\"elementor-tab-title\" data-tab=\"6\" role=\"button\" aria-controls=\"elementor-tab-content-4706\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon 
elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Operating System Counts in Defender<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4706\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"6\" role=\"region\" aria-labelledby=\"elementor-tab-title-4706\"><div>\n<div>let CanBeOnboarded = \"Can be onboarded\";<\/div>\n<div>DeviceInfo<\/div>\n<div>| summarize arg_max(Timestamp, *) by DeviceId<\/div>\n<div>| where OnboardingStatus == CanBeOnboarded<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4707\" class=\"elementor-tab-title\" data-tab=\"7\" role=\"button\" aria-controls=\"elementor-tab-content-4707\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Last user logon details<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4707\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"7\" role=\"region\" aria-labelledby=\"elementor-tab-title-4707\"><div>\n<div>let LastLogins=DeviceLogonEvents<\/div>\n<div>  | where LogonType == \"Interactive\"<\/div>\n<div>  | where 
InitiatingProcessParentFileName == \"wininit.exe\"<\/div>\n<div>  | summarize LastLogon=arg_max(Timestamp, *) by AccountName, DeviceName<\/div>\n<div>  | project AccountName, DeviceName, LastLogon;<\/div>\n<div>let Logins=DeviceLogonEvents<\/div>\n<div>  | where LogonType == \"Interactive\"<\/div>\n<div>  | where InitiatingProcessParentFileName == \"wininit.exe\"<\/div>\n<div>  | summarize Logins=count() by AccountName, DeviceName<\/div>\n<div>  | project AccountName, Logins, DeviceName;<\/div>\n<div>let NetworkInfo=DeviceNetworkInfo<\/div>\n<div>  | where isnotempty(IPv4Dhcp)<\/div>\n<div>  | mv-expand parse_json(IPAddresses)<\/div>\n<div>  | where IPAddresses.IPAddress !contains \":\"<\/div>\n<div>  | summarize arg_max(Timestamp, *) by DeviceName<\/div>\n<div>  | project DeviceName, IPAddress=IPAddresses.IPAddress, Timestamp;<\/div>\n<div>Logins<\/div>\n<div>| join kind=inner ( LastLogins<\/div>\n<div>  | project AccountName, DeviceName, LastLogon<\/div>\n<div>) on DeviceName, AccountName<\/div>\n<div>| join kind=leftouter ( NetworkInfo<\/div>\n<div>  | project DeviceName, IPAddress, Timestamp<\/div>\n<div>) on DeviceName<\/div>\n<div>| project AccountName, DeviceName, LastLogon, Logins, IPAddress<\/div>\n<div>| sort by DeviceName<\/div>\n<\/div><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4708\" class=\"elementor-tab-title\" data-tab=\"8\" role=\"button\" aria-controls=\"elementor-tab-content-4708\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i 
class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">SmartScreen events<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4708\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"8\" role=\"region\" aria-labelledby=\"elementor-tab-title-4708\"><pre>DeviceEvents\n| <span class=\"pl-k\">where<\/span> Timestamp &gt; <span class=\"pl-c1\">ago<\/span>(<span class=\"pl-c1\">30<\/span><span class=\"pl-c1\">d<\/span>)\n| <span class=\"pl-k\">where<\/span> ActionType <span class=\"pl-k\">startswith<\/span> <span class=\"pl-s\">\"SmartScreen\"<\/span>\n| <span class=\"pl-k\">extend<\/span> SmartScreenTrigger = <span class=\"pl-c1\">iff<\/span>(ActionType == <span class=\"pl-s\">\"SmartScreenUrlWarning\"<\/span>, \nRemoteUrl, FileName)\n| <span class=\"pl-k\">extend<\/span> ReasonForTrigger = <span class=\"pl-c1\">parse_json<\/span>(AdditionalFields).Experience\n| <span class=\"pl-k\">project<\/span>\n     Timestamp,\n     DeviceName,\n     ActionType,\n     SmartScreenTrigger,\n     ReasonForTrigger,\n     InitiatingProcessCommandLine<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-4709\" class=\"elementor-tab-title\" data-tab=\"9\" role=\"button\" aria-controls=\"elementor-tab-content-4709\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Detect Known RAT and RMM Process 
Patterns<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-4709\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"9\" role=\"region\" aria-labelledby=\"elementor-tab-title-4709\"><pre><span class=\"pl-c\">\/\/ Author: Alex Teixeira (alex@opstune.com)<\/span>\nDeviceProcessEvents\n| <span class=\"pl-k\">where<\/span> Timestamp &gt; <span class=\"pl-c1\">ago<\/span>(<span class=\"pl-c1\">60<\/span><span class=\"pl-c1\">d<\/span>)\n<span class=\"pl-c\">\/\/ Speed up the query by filtering most frequent processes<\/span>\n| <span class=\"pl-k\">where<\/span> FolderPath <span class=\"pl-k\">matches<\/span> <span class=\"pl-k\">regex<\/span> @<span class=\"pl-s\">'(?i)^[a-z]:\\\\\\S+\\.exe'<\/span> <span class=\"pl-k\">and<\/span> <span class=\"pl-c1\">not<\/span> ((FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"c:\\\\windows\"<\/span> <span class=\"pl-k\">and<\/span> FolderPath <span class=\"pl-k\">matches<\/span> <span class=\"pl-k\">regex<\/span> @<span class=\"pl-s\">'(?i)microsoft\\.net|softwaredistribution|system32|syswow64|ccm|servicing|winsxs'<\/span>) <span class=\"pl-k\">or<\/span> FolderPath <span class=\"pl-k\">matches<\/span> <span class=\"pl-k\">regex<\/span> @<span class=\"pl-s\">'(?i)^(d:\\\\apps|c:\\\\_datas\\\\)'<\/span>)\n<span class=\"pl-c\">\/\/ Normalize to frequent (known) RATs<\/span>\n| <span class=\"pl-k\">extend<\/span> RAT=<span class=\"pl-c1\">case<\/span>(\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"teamviewer\"<\/span>, <span class=\"pl-s\">\"TeamViewer\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"anydesk\"<\/span>, <span class=\"pl-s\">\"AnyDesk\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"rustdesk\"<\/span>, <span class=\"pl-s\">\"RustDesk\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"vnc\"<\/span>, <span 
class=\"pl-s\">\"VNC\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"manageengine\"<\/span>, <span class=\"pl-s\">\"ManageEngine\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"fastclient\"<\/span>, <span class=\"pl-s\">\"FastClient\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"logmein\"<\/span>, <span class=\"pl-s\">\"LogMeIn\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"bomgar\"<\/span>, <span class=\"pl-s\">\"Bomgar\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"netviewer\"<\/span>, <span class=\"pl-s\">\"NetViewer\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"ultraviewer\"<\/span>, <span class=\"pl-s\">\"UltraViewer\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"dwrcs\"<\/span>, <span class=\"pl-s\">\"Dameware\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"splashtop\"<\/span>, <span class=\"pl-s\">\"Splashtop\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"zerotier\"<\/span>, <span class=\"pl-s\">\"ZeroTier\"<\/span>,\n  FolderPath <span class=\"pl-k\">contains<\/span> <span class=\"pl-s\">\"supremo\"<\/span>, <span class=\"pl-s\">\"Supremo\"<\/span>,\n  <span class=\"pl-s\">\"Other\"<\/span>\n)\n| <span class=\"pl-k\">summarize<\/span> <span class=\"pl-c1\">count<\/span>(), count_distinct(DeviceName), <span class=\"pl-c1\">make_set<\/span>(DeviceName), <span class=\"pl-c1\">max<\/span>(Timestamp) <span class=\"pl-k\">by<\/span> RAT, FolderPath\n| <span class=\"pl-k\">extend<\/span> r_1=@<span class=\"pl-s\">'(?i)[\\\\]+(NetWire|rport)[\\\\]+|Rsocx|BeAnywhere|DWservice|Fleetdeck|Itarian Endpoint Manager|Splashtop|Level\\.io|ManageEngine|ScreenConnect|TrendMicro BaseCamp|Sorillus|ZeroTier|JollyFastVNC|AB 
Tutor|Barracuda Workplace|SolarWinds RMM|Naverisk'<\/span>\n| extend r_2=@'(?i)(NetSupport|TeamViewer|Anydesk|UltraViewer|realvnc|TightVNC|LogMeIn|fastclient|ultraVNC|bomgar.+scc|accessserver|aeroadmin|alitask|alpemix|ammyy|ateraagent|basupsrvc|basupsrvcupdate|basuptshelper|beamyourscreen|beanywhere|cagservice|chrome remote desktop|clientmrinit|connectwise|connectwisecontrol|crossloopservice|ctiserv|dameware|datto|domotz|dwrcs|dwservice|eratool|ericomconnnectconfigurationtool|ezhelpclient|fixmeit|fixmeitclient|fleetdeck|goverrmc|guacd|instanthousecall|intelliadmin|iperiusremote|islalwaysonmonitor|isllightservice|itarian|jumpclient|jumpdesktop|jumpservice|kaseya|landeskagentbootstrap|laplink|laplinkeverywhere|ldsensors|llrcservice|lmiignition|ltsvcmon|mgntsvc|mikogo|mionet|myivomanager|nateon|neturo|netviewer|nhostsvc|ntrntservice|orcus|pcaquickconnect|pcstarter|pcvisit|pocketcontroller|ptdskclient|pulseway|rcengmgru|rcmgrsvc|rdpwrap|remobo|remote utilities|remoteconsole|remotepass|remotepc|remotepcservice|remotesupportplayeru|remoteview|rfusclient|romfusclient|romserver|romviewer|rpaccess|rpcgrab|rpcsetup|rpcsuite|rpwhostscr|rustdesk|rutserv|rutview|rxstartsupport|screenconnect|seetrolclient|seetrolremote|serverproxyservice|showmypc|simplehelpcustomer|simpleservice|sorillus|sragent|supremo|supremohelper|syncro|tacticalrmm|take\\s*control|tdp2tcp|tigervnc|trend.+basecamp|turbomeeting|ultraviewer|vncconnect|webex remote|webrdp|weezo|weezohttpd|windows admin centre|wmcsvc|zerotier|zoho assist).*\\.exe$'\n| <span class=\"pl-k\">extend<\/span> r_3=@<span class=\"pl-s\">'(?i)\\\\(baseclient|BASupApp|DWAgent|ITSMAgent|level|Atera|radmin|srserver|rvagent|intouch)\\.exe$'<\/span>\n| <span class=\"pl-k\">where<\/span> (FolderPath <span class=\"pl-k\">matches<\/span> <span class=\"pl-k\">regex<\/span> r_1 <span class=\"pl-k\">or<\/span> FolderPath <span class=\"pl-k\">matches<\/span> <span class=\"pl-k\">regex<\/span> r_2 <span class=\"pl-k\">or<\/span> FolderPath <span 
class=\"pl-k\">matches<\/span> <span class=\"pl-k\">regex<\/span> r_3)\n| <span class=\"pl-k\">extend<\/span> set_DeviceName=<span class=\"pl-c1\">iff<\/span>(count_distinct_DeviceName&gt;<span class=\"pl-c1\">5<\/span>, <span class=\"pl-c1\">strcat<\/span>(<span class=\"pl-s\">\"Too many (\"<\/span>, count_distinct_DeviceName, <span class=\"pl-s\">\")\"<\/span>), set_DeviceName)\n| <span class=\"pl-k\">summarize<\/span> TotalEvents=<span class=\"pl-c1\">sum<\/span>(count_), DeviceCount=count_distinct(set_DeviceName), Devices=<span class=\"pl-c1\">make_set<\/span>(set_DeviceName), Processes=<span class=\"pl-c1\">make_set<\/span>(FolderPath), LastSeen=<span class=\"pl-c1\">max<\/span>(max_Timestamp) <span class=\"pl-k\">by<\/span> RAT\n| <span class=\"pl-k\">sort<\/span> <span class=\"pl-k\">by<\/span> DeviceCount <span class=\"pl-k\">desc<\/span>, TotalEvents <span class=\"pl-k\">desc<\/span><\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-47010\" class=\"elementor-tab-title\" data-tab=\"10\" role=\"button\" aria-controls=\"elementor-tab-content-47010\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><i class=\"fas fa-caret-right\"><\/i><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><i class=\"elementor-toggle-icon-opened fas fa-caret-up\"><\/i><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Device with SMB Connections Details<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-47010\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"10\" role=\"region\" aria-labelledby=\"elementor-tab-title-47010\"><pre>DeviceNetworkEvents\n| <span class=\"pl-k\">where<\/span> RemotePort == <span 
class=\"pl-c1\">445<\/span>\n| <span class=\"pl-k\">where<\/span> ActionType == <span class=\"pl-s\">\"ConnectionSuccess\"<\/span>\n<span class=\"pl-c\">\/\/ Collect the last event that a device has connected via SMB to a unique remote IP<\/span>\n| <span class=\"pl-k\">summarize<\/span> <span class=\"pl-c1\">arg_max<\/span>(Timestamp, *) <span class=\"pl-k\">by<\/span> DeviceId, RemoteIP\n| <span class=\"pl-k\">summarize<\/span> RemoteSMBUrls = make_set_if(RemoteUrl, <span class=\"pl-c1\">isnotempty<\/span>(RemoteUrl)), make_set_if(RemoteIP, <span class=\"pl-c1\">isempty<\/span>(RemoteUrl)), TotalConnections = <span class=\"pl-c1\">dcount<\/span>(RemoteIP) <span class=\"pl-k\">by<\/span> DeviceName\n| <span class=\"pl-k\">sort<\/span> <span class=\"pl-k\">by<\/span> TotalConnections<\/pre><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Kusto Query Language (KQL) queries for Advanced Hunting (Microsoft Defender for Endpoint)&nbsp; Here is the KQL query list to check the Defender client details with specific areas.\u00a0 Virus Definition status Virus Definition Compliance Status DeviceTvmSecureConfigurationAssessment | where Timestamp &gt; ago(30d) | where \u00a0ConfigurationId == &#8216;scid-2011&#8242; and Context !='[]&#8217; | extend DefUpdate = todatetime(parse_json(Context)[0][2]) | extend 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-29687","page","type-page","status-publish","hentry"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/pages\/29687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/comments?post=29687"}],"version-history":[{"count":49,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/pages\/29687\/revisions"}],"predecessor-version":[{"id":31087,"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/pages\/29687\/revisions\/31087"}],"wp:attachment":[{"href":"https:\/\/endusersupports.com\/index.php\/wp-json\/wp\/v2\/media?parent=29687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}