Forum Discussion
Mscommunityta21
Sep 01, 2021 Microsoft
How to notify if any of the MDE sensors is going to "INACTIVE" state
How can I get a notification if any of the Microsoft Defender Endpoint (MDATP aka MDE) sensors goes to the "INACTIVE" state? This will be a proactive approach that will help to avoid assets flagging rela...
mas18
Brass Contributor
An endpoint reporting to MDE will go into the inactive state if the endpoint fails to connect to the MDE tenant for 7 consecutive days. You can generate a device inventory report or use KQL to get the Lastdeviceupdate date and time.
DevRin
Feb 17, 2022 Copper Contributor
Would you have any example KQL scripts for this?
- Jonhed Feb 20, 2022 Steel Contributor
I believe something like this should work if you set it in a custom detection rule that runs on a 24h interval.
It will only show devices that last connected between 00:00 and 23:59 during the date 7 days ago.
let threshold = 7d;
DeviceInfo
| summarize arg_max(Timestamp,*) by DeviceName
| where Timestamp between (startofday(ago(threshold))..endofday(ago(threshold)))
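
Added example, not part of any post in this thread: a variant for the proactive case in the original question. It lists every device whose latest DeviceInfo record is older than a warning threshold and labels it as approaching or past the 7-day inactivity mark. The names warnAfter, inactiveAfter, SilentFor and SensorState, and the 5-day warning value, are assumptions chosen for illustration.

```kql
// Added example; warnAfter, inactiveAfter, SilentFor and SensorState are illustrative names.
let inactiveAfter = 7d;   // inactivity threshold stated in the thread
let warnAfter = 5d;       // assumed early-warning point, adjust to taste
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId          // latest record per device
| extend SilentFor = now() - Timestamp                 // time since the device last reported
| where SilentFor >= warnAfter                         // keep only devices that have gone quiet
| extend SensorState = iff(SilentFor >= inactiveAfter, "Inactive", "ApproachingInactive")
| project Timestamp, DeviceId, DeviceName, ReportId, OSPlatform, SilentFor, SensorState
| order by SilentFor desc
```

Run it with a lookback longer than inactiveAfter; a device whose last record is older than the lookback window does not appear in the results.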