Forum Discussion
Arjun_Rajan
Oct 16, 2021, Copper Contributor
Custom Detection rule to find Inactive Device
Hello, my org is planning to create incidents whenever a device goes into an inactive state in Microsoft Defender for Endpoint. It would be much appreciated if I could get the query (KQL) to list the inactive devices...
Princely
Oct 19, 2021, Copper Contributor
Arjun_Rajan You can use the following query, which runs fine, but there is an error in it per MDE which won't let me save it as a custom detection rule:
// Secure configuration assessments that describe the health of the Defender for Endpoint sensor
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ('scid-2000', 'scid-2001')
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
// Collapse to one row per device, with both test results as properties of a single bag
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId
| evaluate bag_unpack(Tests)
// Sensor is enabled but no longer sending data: the device looks inactive
| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
// Note: custom detection rules require Timestamp and ReportId columns in the result; this final
// summarize returns neither, which is why the portal refuses to save the query as a rule
| summarize by DeviceName, DeviceId
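As an added example, not from either poster, the query below answers the original question from a different angle: a device is treated as inactive when its latest DeviceInfo report is older than a threshold, and the result keeps the Timestamp and ReportId columns that a custom detection rule needs alongside DeviceId. It assumes the DeviceInfo table exposes the ReportId and OnboardingStatus columns (standard columns, but not mentioned in the thread), and the 7-day threshold is a placeholder to tune.

```kql
// Added example (not from the thread): list onboarded devices that have not reported for 7 days.
// Assumption: DeviceInfo exposes Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, OnboardingStatus.
let InactiveThreshold = 7d;           // placeholder; align with your asset-retirement policy
let LookbackWindow = 30d;             // custom detection rules cannot look back further than 30 days
DeviceInfo
| where Timestamp > ago(LookbackWindow)
| where OnboardingStatus == "Onboarded"
// Keep only the most recent report per device, carrying ReportId and names with it
| summarize arg_max(Timestamp, ReportId, DeviceName, OSPlatform) by DeviceId
// Inactive = last report older than the threshold
| where Timestamp < ago(InactiveThreshold)
| extend DaysSinceLastSeen = datetime_diff('day', now(), Timestamp)
// Timestamp, ReportId and DeviceId are required columns for a custom detection rule
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, DaysSinceLastSeen
| order by DaysSinceLastSeen desc
```

Devices that were offboarded or decommissioned will also show up here, so pair the rule with your asset inventory before treating every hit as an incident.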