Device compliance status.kql
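// Author: fgravato
// Display name: Device Compliance Status
// Description: Monitors device compliance status, security posture, and MDM integration for mobile devices managed by Lookout.
// Categories: Security
// Resource types: Log Analytics workspaces
// Topic: Diagnostics
//
// Purpose: surface Lookout-managed devices that are non-compliant, carry medium/high
// threat findings, or have just emitted an UPDATE event, and annotate each row with a
// numeric risk score, a posture tier, a compliance reason and an MDM integration state
// so an analyst can triage the worst devices first.
// No time filter is applied here; the workspace / workbook time range scopes the query.
// Prepend "| where TimeGenerated > ago(...)" when running it ad hoc over a large workspace.
LookoutEvents
| where EventType == "DEVICE"
// Admit risky devices plus every UPDATE event. UPDATE rows may describe a fully
// compliant device, so the labels below must not assume a finding exists.
| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
    or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
    or ChangeType == "UPDATE"
| extend
    // Score the threat and compliance dimensions separately and keep the worse one.
    // A single case() evaluated threat status first, so a Non-Compliant device with
    // THREATS_LOW was scored 3 rather than 7 and sorted below a clean Non-Compliant one.
    ThreatScore = case(
        DeviceSecurityStatus == "THREATS_HIGH", 9,
        DeviceSecurityStatus == "THREATS_MEDIUM", 6,
        DeviceSecurityStatus == "THREATS_LOW", 3,
        1
    ),
    ComplianceScore = case(
        DeviceComplianceStatus == "Non-Compliant", 7,
        DeviceComplianceStatus == "Partial", 4,
        1
    )
| extend DeviceRiskScore = max_of(ThreatScore, ComplianceScore)
| extend
    // Explain a compliance finding only when there is one; rows admitted solely by
    // ChangeType == "UPDATE" would otherwise all fall through to "Configuration Issue".
    ComplianceReason = case(
        DeviceComplianceStatus !in ("Non-Compliant", "Partial"), "No Compliance Finding",
        DeviceCheckinTime < ago(7d), "No Recent Check-in",
        DeviceActivationStatus != "ACTIVE", "Inactive Device",
        isempty(ClientLookoutSDKVersion), "Missing Security Client",
        "Configuration Issue"
    ),
    // Version floors are hard-coded: Android majors 1-9 and iOS majors 1-14 count as
    // outdated. Raise them as vendor support windows move.
    PlatformRisk = case(
        DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\.", "Outdated Android",
        // The earlier pattern ^1[0-4]\. only matched iOS 10-14 and let iOS 9 and below
        // report as "Current"; the single-digit alternative closes that gap.
        DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^([1-9]|1[0-4])\.", "Outdated iOS",
        DevicePlatform == "UNKNOWN", "Unknown Platform",
        "Current"
    )
// Both MDM identifiers present = fully integrated; only the connector = partial.
| extend MDMIntegrationStatus = case(
    isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
    isnotempty(MDMConnectorId), "Partial Integration",
    "Not Integrated"
)
// Posture tiers are derived from DeviceRiskScore; thresholds match the score
// values above (9 -> Critical, 6/7 -> High, 4 -> Medium, 1/3 -> Low).
| extend SecurityPosture = case(
    DeviceRiskScore >= 8, "Critical",
    DeviceRiskScore >= 6, "High",
    DeviceRiskScore >= 4, "Medium",
    "Low"
)
// Output column set is unchanged; ThreatScore / ComplianceScore are internal and dropped.
| project
    TimeGenerated,
    DeviceGuid,
    DevicePlatform,
    DeviceOSVersion,
    DeviceManufacturer,
    DeviceModel,
    DeviceEmailAddress,   // user identity kept for follow-up; a PII column, so scope reader access accordingly
    DeviceActivationStatus,
    DeviceSecurityStatus,
    DeviceComplianceStatus,
    DeviceRiskScore,
    SecurityPosture,
    ComplianceReason,
    PlatformRisk,
    DeviceCheckinTime,
    ClientLookoutSDKVersion,
    MDMConnectorId,
    MDMExternalId,
    MDMIntegrationStatus
// Worst devices first; newest event first within the same score.
| order by DeviceRiskScore desc, TimeGenerated desc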