Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
210 questions
KQL Query works in editor but not in Custom Detection Rules (scheduled)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 40%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Christoffer Brydensholt
0
Reputation points
I have the following query to find machines that have their Real Time Protection disabled:
DeviceTvmSecureConfigurationAssessmentKB
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on ConfigurationId
| join DeviceEvents on DeviceId
| where IsApplicable == 1 and IsCompliant != 1
| where ConfigurationId in ("scid-2012")
| project Timestamp, ConfigurationName, ConfigurationDescription, DeviceName, OSPlatform ,ConfigurationId,ConfigurationImpact, ReportId, DeviceId
| summarize arg_min(Timestamp, ConfigurationName, ConfigurationDescription, DeviceName, OSPlatform ,ConfigurationId,ConfigurationImpact, ReportId) by DeviceId
| sort by ConfigurationImpact
When i run this in the query editor, i get the correct results returned to me.
When i do "Create Detection Rule" and set it as a scheduled rule, it says "Failed" with the information "No events match the given event identifiers (a combination of ReportId, AlertId, BehaviorId, or DeviceId and Timestamp). Edit the query's aggregation expressions for these columns and try again."
My question is firstly, how do i fix this?
Secondly:
I made this query too:
DeviceEvents
| join kind=innerunique DeviceTvmSecureConfigurationAssessment on DeviceId
| join kind=innerunique DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId
| where IsApplicable == 1 and IsCompliant != 1
| where ConfigurationId in ("scid-2012")
| project Timestamp, ConfigurationName, ConfigurationDescription, DeviceName, OSPlatform ,ConfigurationId,ConfigurationImpact, ReportId, DeviceId
| sort by ConfigurationImpact
This query can be used as a scheduled detection rule, but it gives me just 1 result, whereas the first one i wrote correctly gives me multiple results.
Can you help me by either telling me how to fix the first option, or the second option?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 76%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
VarunTha 9,110 Reputation points Microsoft Vendor2024-07-23T16:54:43.6733333+00:00 Hi Christoffer Brydensholt,
Thank you for reaching out to us on Microsoft Q&A forum.Can you please specify the Learn Path/Module that you are going through?
-
VarunTha 9,110 Reputation points Microsoft Vendor
2024-07-24T16:26:55.6133333+00:00 Thank you for reaching out to us on Microsoft Q&A forum.
Can you please specify the Learn Path/Module that you are going through?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 86%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
AmaranS 6,845 Reputation points Microsoft Vendor2024-07-26T02:38:51.59+00:00 Thank you for reaching out to us on Microsoft Q&A forum.
Can you please specify the Learn Path/Module that you are going through?
Sign in to comment
Sign in to answer