Forum Discussion
- Princely (Copper Contributor)
Arjun_Rajan, you can use the following query, which runs fine, but MDE reports an error in it that won't let me save this as a custom detection rule:

    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId in ('scid-2000', 'scid-2001')
    // Name the two controls and grade each assessment row
    | extend Test = case(ConfigurationId == "scid-2000", "SensorEnabled",
                         ConfigurationId == "scid-2001", "SensorDataCollection",
                         "N/A"),
             Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
    // Fold the per-control results into one property bag per device
    | extend packed = pack(Test, Result)
    | summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId
    | evaluate bag_unpack(Tests)
    | where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
    // Final result set carries only DeviceName and DeviceId
    | summarize by DeviceName, DeviceId
- Arjun_Rajan (Copper Contributor)
Princely, your response to my query is much appreciated. Unfortunately, it does not return any result even if I choose the last 30 days. Please let me know if you happen to know how to set the time range in the query.
However, I do get all inactive devices by running the query below:
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId in ("scid-91", "scid-2000", "scid-2001")
    // Keep only the most recent assessment of each control per device
    | summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId
    // Only scid-2000 is given a name here; the other two controls fall through to "N/A"
    | extend Test = case(ConfigurationId == "scid-2000", "SensorEnabled", "N/A"),
             Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
    | extend packed = pack(Test, Result)
    | summarize Tests = make_bag(packed) by DeviceId
    | evaluate bag_unpack(Tests)
- Princely (Copper Contributor)
Arjun_Rajan,
The query you mentioned seems to be giving the health status of each device.
The one I mentioned would specifically return the devices with a sensor enabled but no sensor data returned. Do you not have any hosts in your environment that match these criteria? I suspect that is the case here.
Regards,
Princely Dmello
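The following is an added example and is not code posted by either participant. It reshapes Princely's query so that its result set carries the columns Microsoft Defender custom detection rules require (Timestamp, ReportId and an entity column such as DeviceId), adds an explicit time range of the kind Arjun asked about, and keeps only the newest assessment of each control per device so that an older result cannot collide with a newer one inside make_bag(). The 30-day window is an assumption; so is the synthesized ReportId, which is derived here from DeviceId and the assessment time because DeviceTvmSecureConfigurationAssessment carries no ReportId of its own.

```kql
// Added example, not from the thread: sensor enabled but sensor data collection failing,
// shaped for use as a custom detection rule.
let lookback = 30d;                                    // assumption: adjust the window as needed
DeviceTvmSecureConfigurationAssessment
| where Timestamp > ago(lookback)
| where ConfigurationId in ("scid-2000", "scid-2001")
// Newest assessment of each control per device; DeviceName rides along with arg_max
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, DeviceName) by DeviceId, ConfigurationId
| extend Test = case(ConfigurationId == "scid-2000", "SensorEnabled",
                     ConfigurationId == "scid-2001", "SensorDataCollection",
                     "N/A"),
         Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed),
            DeviceName = take_any(DeviceName),
            Timestamp = max(Timestamp)                 // newest assessment time for the device
            by DeviceId
// Index the bag instead of bag_unpack(): the output schema stays fixed even when one
// control is absent from the data, and a missing key becomes "" rather than a schema error
| extend SensorEnabled = tostring(Tests["SensorEnabled"]),
         SensorDataCollection = tostring(Tests["SensorDataCollection"])
| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
// Assumption: the table has no ReportId, so derive a stable long from device and time
| extend ReportId = hash(strcat(DeviceId, "|", tostring(Timestamp)))
| project Timestamp, ReportId, DeviceId, DeviceName, SensorEnabled, SensorDataCollection
```

Two points worth checking before saving this as a rule: run it once in advanced hunting and confirm the three required columns appear in the output schema, and remember that the rule evaluates on its own schedule, so the `ago()` window, not the time picker in the portal, decides which assessment rows it sees.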