Forum Discussion

Arjun_Rajan's avatar
Arjun_Rajan
Copper Contributor
Oct 16, 2021

Custom Detection rule to find Inactive Device

Hello, My Org Planning to create incidents whenever the device goes inactive state in Microsoft Defender for Endpoint. It would be much appreciated if I get the query(KQL) to list the Inactive device...
Akash553's avatar
Akash553
Copper Contributor
Nov 25, 2022

Princely 

 

hello Brother

 

i need to know in this condition for detection, how should we test it like should i have to disable the network connection of the machine and then wait for some time? If yes then how much time it requires

 

Please mention the test how should i test in testing environment?

 

 

 

 

 

 

Princely's avatar
Princely
Copper Contributor
Nov 29, 2022

Hey Akash553
Yes you could disconnect a device from the network to trigger the 'no sensor data' status. I am not sure about the time period that it would need to be disconnected for. That needs to be confirmed by Microsoft.

  • Akash553's avatar
    Akash553
    Copper Contributor
    Nov 29, 2022

    Princely 

    Hello Princely,

     

    Thaks for the update i will try the same as well. Is there any other way to see the device inactivity from KQL for eg. Compare the timestamp from old to new or any data from sensor based ??