Forum Discussion
KQL query to check tri.sensor for MDI
I was looking for a query to run to check that all the deployed MDI sensors are running successfully. I have reviewed the 3 Identity tables listed within the Monitor > Logs table schema but was unable to find the right query.
Please let me know if any other information is needed.
Cheers,
Serge
3 Replies
- Martin_Schvartzman
Microsoft
The Advanced Hunting tables contain security related data from your environment. They don't contain details on your deployment status.
You can use the portal for that, see the sensors page and the health issues page.
Also, we are working on public APIs that you could use to get this information (and much more). But these are several months away from GA.
- zlate81
Copper Contributor
Hi, now it's been a few years and I was wondering what's available today in regard to Defender for Identity sensor health and Advanced Hunting tables?
Maybe there has been some added command that can be leveraged to fetch this kind of info, like arg() and so on. Thanks!
- Martin_Schvartzman
Microsoft
zlate81 You can use the sensor and healthIssues Graph APIs to pull and manage the sensors and health issues.
See these for more details:
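
The check the original question asked for, written against the Graph sensor API named in the last reply; this is an added example, not code from the thread or from Microsoft. The endpoint path and the `healthStatus` / `deploymentStatus` field names and values are assumptions to confirm against the Graph documentation, and the host names and responses are constructed.

```python
import json
import urllib.request

# Assumption: Graph sensor list endpoint; confirm path and API version in the docs.
SENSORS_URL = "https://graph.microsoft.com/v1.0/security/identities/sensors"

def http_get_json(url, token):
    """GET a Graph URL with a bearer token and return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_sensors(token, get=http_get_json, url=SENSORS_URL):
    """Collect every sensor record, following @odata.nextLink paging."""
    sensors = []
    while url:
        page = get(url, token)
        sensors.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return sensors

def sensors_needing_attention(sensors):
    """Return (name, healthStatus, deploymentStatus) for every sensor that is
    not both healthy and up to date. A missing field is flagged, not trusted."""
    flagged = []
    for s in sensors:
        health = s.get("healthStatus", "missing")
        deploy = s.get("deploymentStatus", "missing")
        if health != "healthy" or deploy != "upToDate":
            flagged.append((s.get("displayName", s.get("id", "?")), health, deploy))
    return sorted(flagged)

# Constructed two-page response so the example runs offline.
PAGE2_URL = SENSORS_URL + "?$skiptoken=constructed"
SAMPLE_PAGES = {
    SENSORS_URL: {"@odata.nextLink": PAGE2_URL, "value": [
        {"displayName": "DC01", "healthStatus": "healthy", "deploymentStatus": "upToDate"},
        {"displayName": "DC02", "healthStatus": "notHealthyHigh", "deploymentStatus": "upToDate"},
    ]},
    PAGE2_URL: {"value": [
        {"displayName": "ADFS01", "healthStatus": "healthy", "deploymentStatus": "outdated"},
    ]},
}

def fake_get(url, token):
    """Stand-in for http_get_json that serves the constructed pages."""
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    for row in sensors_needing_attention(list_sensors("unused", get=fake_get)):
        print(*row, sep="\t")
```

Against a real tenant, call `list_sensors(token)` with an access token that has read permission on the sensor resource, and alert when `sensors_needing_attention` returns anything.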