Using the KQL query results to find the exact registry setting to remediate security configurations | Quisitive
Solutions
Integration & Consulting
Help you move, operate, innnovate and thrive within the Microsoft clouds.
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Explore the full list of technologies that our expert consultants can support.
Azure
Microsoft Teams
Microsoft 365
Power Platform
Dynamics 365
Power BI
Microsoft Copilot
Power Apps
Azure OpenAI
Sharepoint
Microsoft Fabric
Microsoft Sentinel
Azure Synapse
Windows
SQL Server
ERP Technologies
System Center
Microsoft Viva
Azure Virtual Desktop
Business Needs
Departmental solutions to ensure cloud and technology enablement across every area of your business.
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Help you translate software so you can capture new business worldwide.
Language Engineering & NLP
Translations & Localization
Licensing
Experts in Microsoft cloud licensing and optimizing costs for your business.
Products
EmPerform
Provide people managers with flexible employee performance management software.
PowerGov
Engage citizens with a community development app for city maintenance and management.
MazikCare
Embrace patient-centered, collaborative care with our suite of real-time health solutions.
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
AMS
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
ShopFloor
Empower production managers with cutting-edge manufacturing process management.
Spyglass®
Take a proactive, continuous approach to optimizing your security environment and strategy.
Velocity Insights
Monitor, analyze, and prioritize .NET, JavaScript or Node JS errors – all on one dashboard.
Managed Services
Azure Management Services
Deliver on your cloud strategy with a team that continuously monitors, improves, and optimizes your Azure environment.
Data & Analytics Program
Operational support for running, monitoring and managing services for the Azure Data Platform.
AI Managed Services
Support for your AI technologies & ongoing strategic coaching to take your AI initiatives to the next level.
Dynamics Program
Ensure the health of your Dynamics environments, optimize usage and encourage user adoption.
Security Program
Take a proactive, continuous approach to optimizing your security environment and strategy.
App Dev Program
Ongoing enhancements, app security, DevOps and reporting for apps running in Azure.
Power Platform Program
Get an extension of your team that ensures the health of your Power Platform.
Quisitive Flex
Routine support services and environment management for critical Microsoft systems
Digital Workplace Program
Optimize Microsoft 365 security, usage and user adoption with our digital workplace experts.
Industries
Manufacturing
Education
Public Sector
Financial Services
Healthcare
Energy
Retail
Software
Resources
Blogs
Case Studies
Library
Learning Channels
Events
News
About
Investors
Leadership
Microsoft
Our Approach
Our Partners
Our Story
Awards & Recognition
Careers
Support
Contact us
Solutions
Back
Solutions
Integration & Consulting
Application Development
Data & Analytics
Artificial Intelligence (AI)
Business Applications
Security
Digital Workplace
Infrastructure
Product Development
Technology
Azure OpenAI
Microsoft Copilot
Microsoft Fabric
Azure
Azure Synapse
Azure Virtual Desktop
System Center
SQL Server
Microsoft Sentinel
Microsoft 365
Sharepoint
Microsoft Teams
Microsoft Viva
Windows
Power Platform
Power BI
Power Apps
Dynamics 365
ERP Technologies
Business Needs
Sales & Marketing
Operations
Human Resources
Finance & Accounting
Customer Service
Localization Services
Language Engineering & NLP
Translations & Localization
Licensing
Products
Back
Products
EmPerform
MazikCare
Care Path
Care Provider Link
Care Supply
Payer Matrix
Data Fusion
ShopFloor
Velocity Insights
PowerGov
AMS
Spyglass®
Managed Services
Back
Managed Services
Azure Management Services
AI Managed Services
Security Program
Power Platform Program
Digital Workplace Program
Data & Analytics Program
Dynamics Program
App Dev Program
Quisitive Flex
Industries
Back
Industries
Manufacturing
Healthcare
Education
Energy
Public Sector
Retail
Financial Services
Software
Resources
Back
Resources
Blogs
Events
Case Studies
News
Library
Learning Channels
Investors
Back
Investors
Financial Reports & Results
Investor News
Earning calls
Contact
Contact us
About
Back
About
Our Story
Investors
Microsoft
Leadership
Our Partners
Awards & Recognition
Our Approach
Careers
Support
Search
Back
Terms of use
Privacy policy
Using the KQL query results to find the exact registry setting to remediate security configurations
January 5, 2022
Cameron Fuller
In this blog post, we will focus on one specific set of security items and a process for resolving them more effectively.

If you have worked for a while on your secure score and you have virtual machines in your environment, I’m betting you may have run into this situation. Your secure score probably has a variety of items that need resolution under both “Remediate vulnerabilities” and “Remediate security configurations.” In a previous blog post, I provided my insights on how to raise your security score in general. There is a significant push towards addressing the two items shown below as they represent 11% of the remaining secure score increase in my environment. The secure score in the environment I am working on is currently 88%, so 11% of the 12% remaining (shown below in Figure 1).

In this blog post, I will focus on one specific set of security items and a process for resolving them more effectively. Specifically – how to fix items under “Remediate security configurations” within “Machines should be configured security” that require registry changes to systems (yeah, I know, this one is pretty darn specific). It’s critical to understand what specific registry key, path, and value are required to remediate this issue. A single mistake on any of those can have significant negative results, so those must be 100% correct before making any changes to the registry on a system.

If we expand either of the controls in Figure 1, we see various security items that require resolution. For example, if we expand “Remediate security configurations,” we see the information in Figure 2.

Figure 2: Remediate security configurations

In Figure 3, we see the various failed rules by their severity. In my environment, I have already completed some of the resolutions for these items, so for the three potentially impacted systems, we have a total of 16 failed rules currently.

Figure 3: Details for the security configurations that need to be remediated

For today’s example, we are going to work on resolving AZ-WIN-00155. If we dig into the details for this one, we see what’s required and the actual value. Figure 4 shows that the expected value is 1, but the current value is 0. The challenge here is this screen does not show what registry key it’s looking at for this information. To see this, we open the “View affected machines” link below.

Figure 4: Details for AZ-WIN-00155

This moves us into KQL/Kusto. From here, we can run the original query (Figure 5). That gives us the computer ID and the computer name. That’s helpful, but we also need to know what registry key it is checking.

Figure 5: Kusto query for AZ-WIN-00155

If we instead highlight the first three lines and then add a quick project for the fields we want (Computer, RuleSetting, ExpectedResult), we get a more direct representation of what we need (shown in Figure 6).

Figure 6: Updated query to show the Computer, RuleSetting, and ExpectedResult

From here, I can cut and paste the RuleSetting field. This gives me the actual registry setting that is being assessed. I can now run a script to reach out to the Computer(s) indicated to create the appropriate registry entry in my environment. In my case, I need to translate the RuleSetting also as follows:

Original:

RuleSetting=LocalMachine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers : AuthenticodeEnabled
ExpectedResult=1

New:

KeyPath="HKLM:Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
ValueName="AuthenticodeEnabled"
Value="1"

Summary: If you dig into the various items identified under “Remediate security configurations,” you can use the Kusto query generated by the system to determine the appropriate path, key, and value required to remediate the security configuration.

Going beyond this particular example: All this data is currently available in a log analytics workspace to automate this resolution. For instance, we could establish an alert in Azure Monitor that looks for failed conditions for a missing registry value. Then a script or a LogicApp could be run to email for approval for the change (see note #1). If approved, the script can run to set the appropriate registry key. An example Kusto query for this is below.

SecurityBaseline
| where AnalyzeResult == "Failed"
| where BaselineRuleType == "Registry Key"
| project Computer, RuleSetting, ExpectedResult
| distinct Computer, RuleSetting, ExpectedResult

Note #1: I would probably recommend LogicApps for this as there are existing ties to LogicApps within Microsoft Defender for Cloud*

Related posts
|
Read more
Austin Empowering Governments with Azure and AI Apps Event Feature Image
Uncategorized | 3 Oct
Register Now: Empowering State & Local Government with Azure and AI Apps
Read more
Dallas AI Innovation Lab Event Feature Image
Uncategorized | 18 Sep
Register Now: Dallas AI Innovation Lab
Read more
General Quisitive gradient background
Uncategorized | 19 Jul
How to Recover from the Recent CrowdStrike Outage
Read more