Skip to content

Instantly share code, notes, and snippets.

@alexverboon

alexverboon/mde_cmpivot.kql

Created December 20, 2021 11:07
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save alexverboon/f2ba4bbeb23dd228223234c7ae864cd8 to your computer and use it in GitHub Desktop.
Save alexverboon/f2ba4bbeb23dd228223234c7ae864cd8 to your computer and use it in GitHub Desktop.
Download ZIP
CM Pivot for Defender Troubleshooting
Raw
mde_cmpivot.kql
// CM Pivot for Defender Troubleshooting
// Defender Event logs
WinEvent('Microsoft-Windows-Windows Defender/Operational', 1d)
// MDE Eent logs
WinEvent('Microsoft-Windows-SENSE/Operational', 1d)
// MDE Service Status
Service
| where Name == 'Sense'
// MDE Onbaording STatus
Registry('hklm:\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection\\Status')
| where Property == 'OnboardingState' and Value == '0'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment