Forum Discussion
Mscommunityta21
Sep 01, 2021 Microsoft
How to notify if any of the MDE sensors go to "INACTIVE" state
How can I get a notification if any of the Microsoft Defender Endpoint (MDATP aka MDE) sensors go to the "INACTIVE" state? This will be a proactive approach that will help to avoid assets flagging rela...
DevRin
Feb 17, 2022 Copper Contributor
Would you have any example KQL scripts for this?
Jonhed
Feb 20, 2022 Steel Contributor
I believe something like this should work if you set it in a custom detection rule that runs on a 24h interval.
It will only show devices that last connected between 00:00 and 23:59 during the date 7 days ago.
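// Number of days without a report before a device is flagged
let threshold = 7d;
DeviceInfo
// Keep only the most recent DeviceInfo record for each device
| summarize arg_max(Timestamp,*) by DeviceName
// Keep devices whose most recent record falls on the calendar day `threshold` ago
| where Timestamp between (startofday(ago(threshold))..endofday(ago(threshold)))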
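
The day-window logic from the reply above, re-implemented in Python over constructed rows so it can be run offline across several simulated daily runs. This is an added example, not part of the original post; the host names, timestamps and the helper names `flagged`, `daily_runs` and `utc` are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

THRESHOLD = timedelta(days=7)  # same value as `let threshold = 7d;`

def flagged(rows, now):
    """Devices whose newest report falls on the calendar day THRESHOLD before `now`."""
    latest = {}
    for name, ts in rows:
        # Ignore rows that would not exist yet at run time `now`.
        if ts <= now and (name not in latest or ts > latest[name]):
            latest[name] = ts  # arg_max(Timestamp, *) by DeviceName
    day_start = (now - THRESHOLD).replace(hour=0, minute=0, second=0, microsecond=0)
    day_end = day_start + timedelta(days=1)  # startofday(...) .. endofday(...)
    return sorted(n for n, ts in latest.items() if day_start <= ts < day_end)

def daily_runs(rows, first_run, count):
    """Simulate a rule on a 24h interval; returns {run date: flagged devices}."""
    runs = {}
    for i in range(count):
        now = first_run + timedelta(days=i)
        runs[now.date().isoformat()] = flagged(rows, now)
    return runs

def utc(month, day, hour, minute=0):
    """Build a UTC timestamp in 2022 for the constructed sample below."""
    return datetime(2022, month, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample (DeviceName, Timestamp) rows; not real telemetry.
ROWS = [
    ("host-a", utc(2, 13, 10)), ("host-a", utc(2, 20, 8)),  # still reporting
    ("host-b", utc(2, 13, 23, 30)),                         # silent since Feb 13
    ("host-c", utc(2, 10, 12)),                             # silent since Feb 10
    ("host-d", utc(2, 14, 0, 10)),                          # silent since Feb 14
]

if __name__ == "__main__":
    # Five consecutive daily runs at 09:00 UTC, starting Feb 17.
    for day, names in daily_runs(ROWS, utc(2, 17, 9), 5).items():
        print(day, names)
```

Each silent device is reported by exactly one daily run, and a device that resumes reporting (host-a) is not reported at all. A run that is skipped or fails leaves that day's devices unreported, because the next run looks at the following calendar day.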