Forum Discussion
Custom Detection rule to find Inactive Device
Arjun_Rajan You can use the following query, which runs fine but there is an error in it per MDE, which wont let me save this as a custom detection rule :
Princely Much appreciated your response to my query. Unfortunately, It does not return any result even if I choose the last 30 days. Please let me know if you happen to know how to set the Time range in the query.
However, I do get all inactive devices by running the below query
DeviceTvmSecureConfigurationAssessment| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001")| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId| extend Test = case(ConfigurationId == "scid-2000", "SensorEnabled","N/A"),Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")| extend packed = pack(Test, Result)| summarize Tests = make_bag(packed) by DeviceId| evaluate bag_unpack(Tests)Arjun_Rajan
The query you had mentioned seems to be giving the health status of each device.
And the one I had mentioned would specifically return the devices with a sensor enabled but no sensor data returned. Do you not have any hosts in your environment that match this criteria ? I suspect that is the case here.Regards,
Princely Dmello
hello Brother
i need to know in this condition for detection, how should we test it like should i have to disable the network connection of the machine and then wait for some time? If yes then how much time it requires
Please mention the test how should i test in testing environment?
