Plugins/Community Based Plugins/ServerAgentsAssessmentWithMDVM/Plugin-CfS-ServerAgentsAssessmentKQL.yaml (58 lines of code) (raw):

Descriptor: Name: ServerAgentsAssessment DisplayName: Server Agents Assessment KQL Plugin Description: Skills to read from Microsoft Defender Vulnerability Management (in Microsoft Defender XDR) the status and versions of the MDE, AMA and Azure Arc agents on the existing servers SkillGroups: - Format: KQL Skills: - Name: ServerAgentsAssessment DisplayName: Get Server Agents Status and Versions Description: Fetches the status and the versions of the MDE, AMA and Azure Arc agents on all the servers known by Defender Settings: Target: Defender Template: |- let DeviceInfo_latest = DeviceInfo | where DeviceType == "Server" | where OnboardingStatus == "Onboarded" | where isnotempty(OSPlatform) | extend MdeClientVersion = ClientVersion | extend MdeClientType = case(ClientVersion startswith "10.3720", "MMA-Windows", ClientVersion startswith "10.8", "Unified-Windows","Other-OS") | extend MdeOnboardingStatus = OnboardingStatus | extend MdeSensorHealthState = SensorHealthState | extend MdeExposureLevel = ExposureLevel | summarize arg_max(Timestamp,*) by DeviceName; let sw_arc = DeviceTvmSoftwareInventory | extend ArcVersion = SoftwareVersion | where SoftwareName =~ "azcmagent" or SoftwareName =~ "azure_connected_machine_agent"; let sw_mma = DeviceTvmSoftwareInventory | extend MmaVersion = SoftwareVersion | where SoftwareName =~ "monitoring_agent"; let sw_ama = DeviceTvmSoftwareInventory | extend AmaVersion = SoftwareVersion | where SoftwareName =~ "azuremonitoragent"; let sw_mde = DeviceTvmSoftwareInventory | extend MdeBuildNumber = SoftwareVersion | where SoftwareName =~ "microsoft_defender_for_endpoint" or SoftwareName =~ "defender_for_linux"; let sw_legacymde = DeviceTvmSoftwareInventory | extend LegacyMdeBuildNumber = SoftwareVersion | where SoftwareName =~ "defender_for_endpoint"; let sw_oms = DeviceTvmSoftwareInventory | extend OmsVersion = SoftwareVersion | where SoftwareName =~ "omsagent_for_linux"; DeviceInfo_latest | join kind=leftouter sw_arc on DeviceName | join kind=leftouter sw_mma on DeviceName | join kind=leftouter sw_ama on DeviceName | join kind=leftouter sw_legacymde on DeviceName | join kind=leftouter sw_mde on DeviceName | join kind=leftouter sw_oms on DeviceName | project DeviceName, OSDistribution, OSVersionInfo, MdeClientType, MdeClientVersion, MdeBuildNumber=iif((MdeClientType == "Unified-Windows")and((OSDistribution endswith "2016")or(OSDistribution endswith "2012R2")),iif(LegacyMdeBuildNumber != "",LegacyMdeBuildNumber,"-"),iif(MdeBuildNumber != "",MdeBuildNumber,"-")), LegacyMdeBuildNumber=iif((MdeClientType == "MMA-Windows"),iif(LegacyMdeBuildNumber != "",LegacyMdeBuildNumber,"-"),"-"), ArcVersion=iif(ArcVersion != "",ArcVersion,"-"), AmaVersion=iif(OSPlatform =~ "Linux",iif(AmaVersion != "",AmaVersion,"-"),"?"), MmaVersion=iif(OSPlatform =~ "Linux",iif(OmsVersion != "",OmsVersion,"-"),iif(MmaVersion != "",MmaVersion,"-")), PublicIP, DeviceType, MdeOnboardingStatus, MdeSensorHealthState, MdeExposureLevel