Blog Post

Core Infrastructure and Security Blog
4 MIN READ

Detecting and Alerting on MDE Sensor Health Transitions Using KQL and Logic Apps

absharan's avatar
absharan
Icon for Microsoft rankMicrosoft
Oct 06, 2025

Maintaining the health of Microsoft Defender for Endpoint (MDE) sensors is essential to ensure continuous visibility across your virtual machines. When a sensor goes from Active to Inactive, it can create blind spots and delay threat detection. This blog shows you how to automate detection and alerting for these sensor health transitions using Kusto Query Language (KQL) and Azure Logic Apps. With this setup, your security team will receive timely alerts when sensors stop reporting, enabling faster response and stronger endpoint coverage with minimal manual effort.

Introduction Maintaining the health of Microsoft Defender for Endpoint (MDE) sensors is essential for ensuring continuous security visibility across your virtual machine (VM) infrastructure. When a...
Published Oct 06, 2025
Version 1.0
AbhishekSharan
logic apps
microsoft defender for endpoint
microsoft defender xdr
Ninos97's avatar
Ninos97
Copper Contributor
Oct 11, 2025

Very nice approach, enjoyed the post!

I noticed the query can sometimes produce false positives in large environments, mainly because prev() is evaluated globally and not per device. That can lead to cross-device contamination when serialized.

Here's the adjustment that fixes it:

| extend PrevState = prev(SensorHealthState)
| extend PrevState_deviceId = prev(DeviceId)
| where DeviceId == PrevState_deviceId


I also added logic to detect never-active devices, those that were onboarded but never reported as Active.
I also replaced == "Inactive" with !="Active" to have visibility over misconfigured devices.

Full improved query and explanation here:
https://github.com/Ninos97/detection-rules/blob/main/src/Improving%20MDE%20Sensor%20Health%20Detection.md

Hope you find it useful :)

  • absharan's avatar
    absharan
    Icon for Microsoft rankMicrosoft
    Oct 13, 2025

    Thank you for sharing this, I will take a look into it and update. Cheers.