Forum Discussion

Arjun_Rajan's avatar
Arjun_Rajan
Copper Contributor
Oct 17, 2021

Custom Detection rule to find Inactive Device

Hello, My Org Planning to create incidents whenever the device goes inactive state in Microsoft Defender for Endpoint. It would be much appreciated if I get the query(KQL) to list the Inactive device...
Arjun_Rajan's avatar
Arjun_Rajan
Copper Contributor
Oct 20, 2021

Princely  Much appreciated your response to my query. Unfortunately, It does not return any result even if I choose the last 30 days. Please let me know if you happen to know how to set the Time range in the query. 

 

However, I do get all inactive devices by running the below query

 

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
     "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceId
| evaluate bag_unpack(Tests)
Princely's avatar
Princely
Copper Contributor
Oct 20, 2021

Arjun_Rajan 
The query you had mentioned seems to be giving the health status of each device.


And the one I had mentioned would specifically return the devices with a sensor enabled but no sensor data returned. Do you not have any hosts in your environment that match this criteria ? I suspect that is the case here.  

 

Regards,

Princely Dmello

  • Akash553's avatar
    Akash553
    Copper Contributor
    Nov 25, 2022

    Princely 

     

    hello Brother

     

    i need to know in this condition for detection, how should we test it like should i have to disable the network connection of the machine and then wait for some time? If yes then how much time it requires

     

    Please mention the test how should i test in testing environment?

     

     

     

     

     

     

    • Princely's avatar
      Princely
      Copper Contributor
      Nov 30, 2022

      Hey Akash553
      Yes you could disconnect a device from the network to trigger the 'no sensor data' status. I am not sure about the time period that it would need to be disconnected for. That needs to be confirmed by Microsoft.

      • Akash553's avatar
        Akash553
        Copper Contributor
        Nov 30, 2022

        Princely 

        Hello Princely,

         

        Thaks for the update i will try the same as well. Is there any other way to see the device inactivity from KQL for eg. Compare the timestamp from old to new or any data from sensor based ??

Resources