SystemGuardSecurityLevel is reported in the DeviceBootAttestationInfo event that Microsoft Defender for Endpoint emits after each boot. It summarizes the boot-time protections the device attested to (for example Secure Boot and VBS/HVCI), so a device whose latest attested level is lower than a level it reported earlier has had a boot-time protection turned off since then. An adversary may do this to weaken defenses and evade detection, although the same drop can also be the side effect of a legitimate configuration change. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to identify tampering with system security settings and catch early signs of compromise.
KQL Query
```kusto
// Goal: Find machines in the last N days where the SystemGuardSecurityLevel value NOW is less than it was BEFORE.
// Step 1: Get a list of all security levels in the system where the level is not null.
let SecurityLevels = DeviceEvents
| where Timestamp >= ago(7d)
| where ActionType == "DeviceBootAttestationInfo"
| extend AdditionalFieldData = parse_json(AdditionalFields)
| project DeviceId, Timestamp, SystemGuardSecurityLevel = toint(AdditionalFieldData.SystemGuardSecurityLevel), ReportId
| where isnotnull(SystemGuardSecurityLevel);
// Step 2: Get the *latest* record for *each* machine from the SecurityLevels table
let LatestLevelsPerMachine = SecurityLevels
// This is going to be the most recent event
| summarize arg_max(Timestamp, SystemGuardSecurityLevel) by DeviceId
| project DeviceId, LatestSystemGuardSecurityLevel=SystemGuardSecurityLevel, LatestEventTime=Timestamp;
// Step 3: Join the two tables together where the LatestSystemGuardSecurityLevel is LESS than the SystemGuardSecurityLevel
let MachinesExhibitingSecurityLevelDrop = LatestLevelsPerMachine
| join kind=inner (
    SecurityLevels
) on DeviceId
| project-away DeviceId1
| where LatestSystemGuardSecurityLevel < SystemGuardSecurityLevel
// Keep, per machine, the most recent earlier boot that attested the higher level
| summarize arg_max(Timestamp, LatestSystemGuardSecurityLevel, SystemGuardSecurityLevel, LatestEventTime, ReportId) by DeviceId;
MachinesExhibitingSecurityLevelDrop
```
```yaml
id: 701bee2f-c4d9-4f72-be03-e6bb1314e71c
name: System Guard Security Level Drop
description: |
  Goal: Find machines in the last N days where the SystemGuardSecurityLevel value NOW is less than it was BEFORE.
  Step 1: Get a list of all security levels in the system where the level is not null.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
query: |
  let SecurityLevels = DeviceEvents
  | where Timestamp >= ago(7d)
  | where ActionType == "DeviceBootAttestationInfo"
  | extend AdditionalFieldData = parse_json(AdditionalFields)
  | project DeviceId, Timestamp, SystemGuardSecurityLevel = toint(AdditionalFieldData.SystemGuardSecurityLevel), ReportId
  | where isnotnull(SystemGuardSecurityLevel);
  // Step 2: Get the *latest* record for *each* machine from the SecurityLevels table
  let LatestLevelsPerMachine = SecurityLevels
  // This is going to be the most recent event
  | summarize arg_max(Timestamp, SystemGuardSecurityLevel) by DeviceId
  | project DeviceId, LatestSystemGuardSecurityLevel=SystemGuardSecurityLevel, LatestEventTime=Timestamp;
  // Step 3: Join the two tables together where the LatestSystemGuardSecurityLevel is LESS than the SystemGuardSecurityLevel
  let MachinesExhibitingSecurityLevelDrop = LatestLevelsPerMachine
  | join kind=inner (
      SecurityLevels
  ) on DeviceId
  | project-away DeviceId1
  | where LatestSystemGuardSecurityLevel < SystemGuardSecurityLevel
  // Keep, per machine, the most recent earlier boot that attested the higher level
  | summarize arg_max(Timestamp, LatestSystemGuardSecurityLevel, SystemGuardSecurityLevel, LatestEventTime, ReportId) by DeviceId;
  MachinesExhibitingSecurityLevelDrop
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Populated by the Microsoft Defender XDR (MicrosoftThreatProtection) data connector; ensure the connector is enabled and the DeviceEvents table is selected |
Scenario: Scheduled System Maintenance Task
Description: A scripted maintenance or deployment step (for example a firmware update, or a configuration script that turns off VBS/HVCI) leaves the device attesting a lower level at its next boot. The level is not set by the task itself; it is derived from what the device attests after booting, so the drop appears in the next DeviceBootAttestationInfo event, not at the time the task runs.
Filter/Exclusion: Exclude by DeviceId for devices inside a recorded maintenance or change window (for example via a Sentinel watchlist), not by task name: DeviceBootAttestationInfo rows carry no task or process fields to filter on.
Scenario: Administrative Configuration Change
Description: An administrator disables a boot-time protection (Secure Boot, VBS/HVCI, kernel DMA protection) through Group Policy, Intune or firmware settings for testing or compatibility, and the next attestation reports a lower level.
Filter/Exclusion: Correlate the device and time with change records rather than excluding on account names; matching "admin" or "securityadmin" would also suppress an attacker acting through a compromised administrative account. The attestation event itself has no user field, so the acting account has to come from a separate configuration-change event on the same device around the same time.
Scenario: Antivirus or Endpoint Protection Scan
Description: A full scan by Microsoft Defender Antivirus or a third-party agent does not change the attested level: the level reflects boot-time configuration, not runtime activity, and the event carries no ProcessName. Installing or updating a third-party security or virtualization product that requires VBS/HVCI to be turned off will, however, produce a genuine drop at the next boot.
Filter/Exclusion: Do not add process-name exclusions (the field does not exist in this event). Handle such product rollouts through the change-record correlation described for administrative changes above.
Scenario: System Reboot or OS Update
Description: The level is re-attested on every boot, so an OS or firmware update that changes the state of a protection (for example a firmware update that leaves Secure Boot or DMA protection off) shows up as a drop on the first boot afterwards.
Filter/Exclusion: Do not exclude on "rebooted within the last 24 hours": every DeviceBootAttestationInfo event follows a boot, so that filter would suppress every result. Correlate with update deployment records instead, and consider reporting only when the lower level persists across two or more consecutive boots; a protection that does not come back after an update still needs to be investigated.
Scenario: False Positive from Log Parsing or Data Corruption
Description: AdditionalFields is missing SystemGuardSecurityLevel or carries a non-numeric value, so the row would be compared against a bogus level.
Filter/Exclusion: The query already handles this: toint() returns null for a missing or non-numeric value and the isnotnull() filter drops the row. A row that parses to a valid but wrong integer cannot be told apart from the event alone; a single-boot drop followed by a return to the previous level is the pattern to look for, so check the next boot's attestation before escalating.
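The KQL above and the tuning suggested by the false-positive scenarios (a device exclusion list for maintenance windows, and requiring the lower level to persist across more than one boot), re-implemented in Python over a handful of constructed DeviceEvents-like rows so the logic can be run and checked offline. This is an added example, not code from the original page, from Microsoft, or from the Sentinel query itself; the sample events, the fixed clock, the extra ActionType, and the `excluded_devices` and `min_boots_at_lower_level` parameters are all assumptions introduced for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed clock so the constructed sample below is reproducible (assumption, not real telemetry).
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def _row(device, days_ago, level, report_id, action="DeviceBootAttestationInfo", raw=None):
    """Build one DeviceEvents-like row. Constructed sample data, not real telemetry."""
    fields = raw if raw is not None else json.dumps({"SystemGuardSecurityLevel": level})
    return {"DeviceId": device, "Timestamp": NOW - timedelta(days=days_ago),
            "ActionType": action, "AdditionalFields": fields, "ReportId": report_id}


SAMPLE_EVENTS = [
    _row("dev-a", 6, 3, 1), _row("dev-a", 4, 3, 2), _row("dev-a", 1, 1, 3),    # drop 3 -> 1, seen on one boot
    _row("dev-b", 6, 3, 4), _row("dev-b", 1, 3, 5),                            # steady level
    _row("dev-c", 6, 1, 6), _row("dev-c", 2, 3, 7),                            # level went up, not a drop
    _row("dev-d", 6, 3, 8), _row("dev-d", 3, None, 9, raw="{not json"),        # malformed row must be ignored
    _row("dev-d", 1, 2, 10),                                                   # drop 3 -> 2
    _row("dev-e", 6, 3, 11), _row("dev-e", 3, 2, 12), _row("dev-e", 1, 2, 13), # drop held for two boots
    _row("dev-f", 10, 3, 14), _row("dev-f", 2, 1, 15),                         # higher level is outside the 7d window
    _row("dev-b", 0.5, 0, 16, action="AntivirusScanCompleted"),                # other ActionType (assumed name), ignored
]


def parse_events(rows):
    """KQL Step 1: keep DeviceBootAttestationInfo rows whose AdditionalFields holds an
    integer SystemGuardSecurityLevel. parse_json()/toint() give null for anything else and
    the query's isnotnull() drops those rows; this does the same."""
    parsed = []
    for r in rows:
        if r["ActionType"] != "DeviceBootAttestationInfo":
            continue
        try:
            level = int(json.loads(r["AdditionalFields"])["SystemGuardSecurityLevel"])
        except (ValueError, TypeError, KeyError):  # bad JSON, wrong shape, missing or non-numeric field
            continue
        parsed.append({"DeviceId": r["DeviceId"], "Timestamp": r["Timestamp"],
                       "Level": level, "ReportId": r["ReportId"]})
    return parsed


def find_level_drops(rows, lookback_days=7, now=NOW, excluded_devices=frozenset(),
                     min_boots_at_lower_level=1):
    """Return one finding per device whose latest attested level is below an earlier level
    seen inside the lookback window (KQL Steps 2 and 3).

    Tuning knobs the KQL does not have, suggested by the false-positive scenarios:
      excluded_devices          devices in a recorded maintenance/change window
      min_boots_at_lower_level  only report once the lower level has been attested on this
                                many consecutive boots since the last boot at the higher level
    """
    cutoff = now - timedelta(days=lookback_days)
    by_device = {}
    for e in parse_events(rows):
        if e["Timestamp"] < cutoff or e["DeviceId"] in excluded_devices:
            continue
        by_device.setdefault(e["DeviceId"], []).append(e)

    findings = []
    for device, events in by_device.items():
        events.sort(key=lambda e: e["Timestamp"])
        latest = events[-1]                                   # arg_max(Timestamp, ...) by DeviceId
        # Step 3: earlier boots that attested a HIGHER level than the latest one
        higher_idx = [i for i, e in enumerate(events[:-1]) if e["Level"] > latest["Level"]]
        if not higher_idx:
            continue
        prior = events[higher_idx[-1]]                        # most recent such boot (the second arg_max)
        boots_at_lower_level = len(events) - 1 - higher_idx[-1]
        if boots_at_lower_level < min_boots_at_lower_level:
            continue
        findings.append({
            "DeviceId": device,
            "LatestSystemGuardSecurityLevel": latest["Level"],
            "LatestEventTime": latest["Timestamp"],
            "SystemGuardSecurityLevel": prior["Level"],       # level before the drop
            "Timestamp": prior["Timestamp"],                  # when that higher level was last attested
            "ReportId": prior["ReportId"],
            "BootsAtLowerLevel": boots_at_lower_level,
        })
    return sorted(findings, key=lambda f: f["DeviceId"])


if __name__ == "__main__":
    for f in find_level_drops(SAMPLE_EVENTS):
        print(f"{f['DeviceId']}: {f['SystemGuardSecurityLevel']} -> {f['LatestSystemGuardSecurityLevel']} "
              f"(held for {f['BootsAtLowerLevel']} boot(s), prior ReportId {f['ReportId']})")
```

With the defaults this flags dev-a, dev-d and dev-e, mirroring the KQL; dev-f is not flagged because its higher level falls outside the lookback window, which is the same blind spot the KQL has with `ago(7d)`. Raising `min_boots_at_lower_level` to 2 keeps only dev-e, and excluding dev-a drops it from the results without touching the others.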