A device whose attested System Guard Security Level sits below the baseline you set for the fleet has weaker hardware-rooted boot protection than its peers: either the platform cannot support the expected features, or a configuration change (or tampering) has switched them off since the device was last known-good. Because the level is taken from the boot attestation report rather than from software running on the host, a drop is a signal that purely software-based controls can miss. SOC teams should hunt for it in Azure Sentinel and treat unexplained drops as potential firmware or boot-chain tampering until a change record accounts for them.
KQL Query

```kusto
// Baseline below which a device is reported; tune to what your hardware fleet can attest.
let TargetSecurityLevel = 700;
DeviceEvents
| where Timestamp >= ago(7d)
| where ActionType == "DeviceBootAttestationInfo"
// The attestation details live in the AdditionalFields JSON blob.
| extend AdditionalFieldData = parse_json(AdditionalFields)
| project DeviceName, ReportTime = todatetime(AdditionalFieldData.ReportValidityStartTime), CurrentSecurityLevel = toint(AdditionalFieldData.SystemGuardSecurityLevel)
| where CurrentSecurityLevel < TargetSecurityLevel
// Keep the most recent below-baseline report per device.
| summarize arg_max(ReportTime, CurrentSecurityLevel) by DeviceName
```
```yaml
id: 9365b174-d46f-41e9-998a-73e2fe5ae2d9
name: System Guard Security Level Baseline
description: |
  Establishes a baseline SystemGuardSecurityLevel and shows the devices that are below that baseline.
  See https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-insights-from-system-attestation-and-advanced-hunting-can/ba-p/969252 for full details on this query
  and on the DeviceBootAttestationInfo event, and feel free to ping @DepletionMode or @flyingbluemonki on twitter.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let TargetSecurityLevel = 700;
  DeviceEvents
  | where Timestamp >= ago(7d)
  | where ActionType == "DeviceBootAttestationInfo"
  | extend AdditionalFieldData = parse_json(AdditionalFields)
  | project DeviceName, ReportTime = todatetime(AdditionalFieldData.ReportValidityStartTime), CurrentSecurityLevel = toint(AdditionalFieldData.SystemGuardSecurityLevel)
  | where CurrentSecurityLevel < TargetSecurityLevel
  | summarize arg_max(ReportTime, CurrentSecurityLevel) by DeviceName
```
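Two things the query above does not surface are worth checking before acting on its results. First, it filters before it summarizes, so a device that attested below baseline early in the window and is now back at baseline is still listed with its stale low report. Second, `toint()` of a missing `SystemGuardSecurityLevel` field returns null, and `null < 700` is false, so devices whose attestation report carries no level drop out silently rather than being flagged. The variant below is an added example (not the query from the page or from the Microsoft repository) that takes the latest report per device first and then classifies it; the `Finding` labels are names chosen here for illustration.

```kusto
// Added example: latest attested level per device, with missing-level reports
// surfaced instead of silently discarded.
let TargetSecurityLevel = 700;
let Lookback = 7d;
let Reports = DeviceEvents
| where Timestamp >= ago(Lookback)
| where ActionType == "DeviceBootAttestationInfo"
| extend AdditionalFieldData = parse_json(AdditionalFields)
// Fall back to the event Timestamp when the report carries no validity start time,
// so arg_max below still has an ordering key for every row.
| extend ReportTime = coalesce(todatetime(AdditionalFieldData.ReportValidityStartTime), Timestamp),
         CurrentSecurityLevel = toint(AdditionalFieldData.SystemGuardSecurityLevel);
// Most recent report per device; arg_max keeps the level from that same row.
let Latest = Reports
| summarize arg_max(ReportTime, CurrentSecurityLevel) by DeviceId, DeviceName;
Latest
// Classify: a null level is its own finding (no attestation data), not "fine".
| extend Finding = case(
    isnull(CurrentSecurityLevel), "NoLevelInReport",
    CurrentSecurityLevel < TargetSecurityLevel, "BelowBaseline",
    "AtOrAboveBaseline")
| where Finding != "AtOrAboveBaseline"
| project DeviceName, DeviceId, ReportTime, CurrentSecurityLevel, Finding
| order by Finding asc, CurrentSecurityLevel asc
```

Keying on `DeviceId` as well as `DeviceName` avoids merging two devices that share a hostname after a reimage. Devices in the `NoLevelInReport` bucket should be checked for an onboarding or attestation-service problem before they are treated as compliant.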
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure the MicrosoftThreatProtection data connector is enabled and DeviceEvents is selected |
Scenario: Scheduled Maintenance Tasks and Security Software Updates
Description: The System Guard Security Level is computed from the boot attestation report, which reflects the platform's security configuration as measured at boot. Maintenance tasks such as Windows Update, DISM or System File Checker, and updates to endpoint protection software, run after boot and do not change that measured state, so they cannot temporarily lower the level. Only a change that alters boot configuration (for example a firmware update that turns a platform feature off, or a feature update that changes the virtualization-based security state) moves the level, and it moves at the next boot and stays there until the configuration is changed back. A drop that follows an update is therefore not noise but exactly the configuration drift this query is meant to find.
Filter/Exclusion: Do not exclude by process name. A DeviceBootAttestationInfo event describes the device's boot state rather than a process, so a process-based exclusion has nothing meaningful to match against. Instead, correlate the ReportValidityStartTime of the first below-baseline report with update and firmware rollout records for that device, and close the finding only once the device attests at the baseline again.
Scenario: Admin-Initiated System Reconfiguration
Description: An administrator who disables a boot-time protection (through Group Policy, firmware setup, or PowerShell) lowers the level at the next boot, and it remains lowered until the protection is re-enabled. Tooling unrelated to boot configuration, such as changing the PowerShell execution policy, has no effect on the level.
Filter/Exclusion: Match below-baseline devices against change records; a drop without an approved change is the finding. Re-baseline a device only after confirming the change was intended, and record the new expected level for that device rather than lowering the fleet-wide TargetSecurityLevel.
Scenario: Virtualization or Hyper-V Hosts
Description: Virtual machines lack the hardware-rooted platform features that the higher levels require, so they attest at lower levels by design. A Hyper-V host is physical hardware and reports its own level; hosting VMs does not lower it.
Filter/Exclusion: Exclude virtual machines using the device inventory (for example hardware vendor and model from DeviceInfo, or a device tag for VMs), not the ParentProcessName field: attestation events carry no such process context, and vmms.exe is the Hyper-V management service on the host, not a parent of anything the VM reports. Consider giving VMs their own, lower baseline rather than excluding them entirely.
Scenario: Legacy Hardware or BIOS Configuration
Description: Older hardware or BIOS configurations may not support full System Guard capabilities, leading to lower security levels even when the system is otherwise secure.
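For the legitimate lower levels described in these scenarios, the most useful complement to a fixed fleet-wide baseline is a per-device comparison: a device whose latest attested level is below the highest level the same device attested earlier is drifting regardless of what its hardware can support, and that catches drops on legacy hardware or VMs that never reached the fleet baseline in the first place. The query below is an added example (not from the page or the Microsoft repository). It assumes the Vendor and Model columns of DeviceInfo identify virtual machines in your tenant; the vendor and model strings in VirtualVendors and the model keywords are illustrative and should be adjusted to what your inventory actually shows.

```kusto
// Added example: flag devices whose latest attested level is below their own
// earlier peak within the window, with virtual machines left out.
let Lookback = 30d;
// Assumption: these vendor names only appear for VMs in this tenant.
let VirtualVendors = dynamic(["QEMU", "Xen", "innotek GmbH"]);
let VirtualMachines = DeviceInfo
| where Timestamp >= ago(Lookback)
| summarize arg_max(Timestamp, Vendor, Model) by DeviceId
// Hyper-V VMs report vendor "Microsoft Corporation" like Surface hardware does,
// so match on the model for those rather than on the vendor.
| where Vendor in~ (VirtualVendors)
    or Model has_any ("Virtual Machine", "VMware", "KVM", "VirtualBox")
| project DeviceId;
let Reports = DeviceEvents
| where Timestamp >= ago(Lookback)
| where ActionType == "DeviceBootAttestationInfo"
| extend AdditionalFieldData = parse_json(AdditionalFields)
| extend ReportTime = coalesce(todatetime(AdditionalFieldData.ReportValidityStartTime), Timestamp),
         CurrentSecurityLevel = toint(AdditionalFieldData.SystemGuardSecurityLevel)
// Reports without a level are handled by a separate check; here they would
// only distort the per-device peak.
| where isnotnull(CurrentSecurityLevel)
| where DeviceId !in (VirtualMachines);
Reports
// arg_max keeps the level from the latest report; max gives the device's peak
// over the same window.
| summarize arg_max(ReportTime, CurrentSecurityLevel),
            PeakLevel = max(CurrentSecurityLevel)
            by DeviceId, DeviceName
| where CurrentSecurityLevel < PeakLevel
| extend Drop = PeakLevel - CurrentSecurityLevel
| project DeviceName, DeviceId, LatestReportTime = ReportTime, CurrentSecurityLevel, PeakLevel, Drop
| order by Drop desc
```

A device that has always attested at a low level (legacy hardware that cannot do better) never appears here, because its latest level equals its peak; it still shows up in the fixed-baseline query, where the right response is a documented per-device exception rather than an exclusion. A device that does appear here has lost a protection it previously had, and the ReportValidityStartTime of its first lower report gives the boot at which to start looking for the cause.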