Create Endpoint Status Report.csl

mjmelone · web-flow · commit 9844d7b638ab · 2020-08-26T09:06:05.000-04:00
diff --git a/General queries/Endpoint Status Report.csl b/General queries/Endpoint Status Report.csl
@@ -0,0 +1,28 @@
+////////////////////////////////////////////////////////////////////////////////
+// Endpoint Status Report
+//
+// This query will provide a report of many of the best practice configurations
+// for Defender ATP deployment. Special Thanks to Gilad Mittelman for the 
+// initial inspiration and concept.
+// Look for any tests which are reporting "BAD" as a result.
+////////////////////////////////////////////////////////////////////////////////
+DeviceTvmSecureConfigurationAssessment
+| where ConfigurationId in ('scid-91', 'scid-2000', 'scid-2001', 'scid-2002', 'scid-2003', 'scid-2010', 'scid-2011', 'scid-2012', 'scid-2013', 'scid-2014', 'scid-2016')
+| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId
+| extend Test = case(
+    ConfigurationId == "scid-2000", "SensorEnabled",
+    ConfigurationId == "scid-2001", "SensorDataCollection",
+    ConfigurationId == "scid-2002", "ImpairedCommunications",
+    ConfigurationId == "scid-2003", "TamperProtection",
+    ConfigurationId == "scid-2010", "AntivirusEnabled",
+    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
+    ConfigurationId == "scid-2012", "RealtimeProtection",
+    ConfigurationId == "scid-91", "BehaviorMonitoring",
+    ConfigurationId == "scid-2013", "PUAProtection",
+    ConfigurationId == "scid-2014", "AntivirusReporting",
+    ConfigurationId == "scid-2016", "CloudProteciton",
+    "N/A"),
+    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
+| extend packed = pack(Test, Result)
+| summarize Tests = make_bag(packed) by DeviceId
+| evaluate bag_unpack(Tests)
