DeviceTvmSecureConfigurationAssessmentKB
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
The DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema contains information about the various secure configurations checked by Microsoft Defender Vulnerability Management. It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics.
This table doesn't return events or records. We recommend joining this table to the DeviceTvmSecureConfigurationAssessment table using ConfigurationId to view text information about the security configurations in the returned assessments.
For example, when you query the DeviceTvmSecureConfigurationAssessment table you might want to view the ConfigurationDescription for the security configurations that come up in the assessment results. You can see this information by joining this table to DeviceTvmSecureConfigurationAssessment using ConfigurationId and project ConfigurationDescription.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
ConfigurationId |
string |
Unique identifier for a specific configuration |
ConfigurationImpact |
real |
Rated impact of the configuration to the overall configuration score (1-10) |
ConfigurationName |
string |
Display name of the configuration |
ConfigurationDescription |
string |
Description of the configuration |
RiskDescription |
string |
Description of the associated risk |
ConfigurationCategory |
string |
Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
ConfigurationSubcategory |
string |
Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
ConfigurationBenchmarks |
dynamic |
List of industry benchmarks recommending the same or similar configuration |
Tags |
dynamic |
Labels representing various attributes used to identify or categorize a security configuration |
RemediationOptions |
string |
Recommended actions to reduce or address any associated risks |
You can try this example query to return relevant configuration metadata along with information on devices with non-compliant antivirus configurations from the DeviceTvmSecureConfigurationAssessment table:
// Get information on devices with antivirus configurations issues
DeviceTvmSecureConfigurationAssessment
| where ConfigurationSubcategory == 'Antivirus' and IsApplicable == 1 and IsCompliant == 0
| join kind=leftouter (
DeviceTvmSecureConfigurationAssessmentKB
| project ConfigurationId, ConfigurationName, ConfigurationDescription, RiskDescription, Tags, ConfigurationImpact
) on ConfigurationId
| project DeviceName, OSPlatform, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationDescription, RiskDescription, ConfigurationImpact, Tags
Related topics
- Proactively hunt for threats
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
- Overview of Microsoft Defender Vulnerability Management
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.