Forum Discussion
KQL Query Help - Identify all devices without Sysmon running
rahuljindal Thanks for your response and suggestion. Modifying the query as suggested gives what is shown below. Any suggestions on which KQL commands I can use to make the comparison against all enrolled devices? I am quite new to KQL, so I am learning as much as I can.
DeviceProcessEvents
| where FileName == "Sysmon.exe" or FileName == "Sysmon64.exe"
| project DeviceName, FileName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
- rahuljindal, Mar 29, 2024, Bronze Contributor:
Does this command give you any results? If yes, then export it and extract the device names. Then pull the list of all the enrolled devices in Defender. You can do that using KQL or just pull it directly from devices under asset management. Now with both lists exported, you can do a VLOOKUP and filter out the devices that were missing from the first list from the KQL. Everything is manual and not really an elegant way, but it should at least get you started until you work out the KQL.
- William2450, Mar 30, 2024, Copper Contributor:
rahuljindal Thanks for your response. I should have mentioned earlier that I am trying to set this up so it generates an alert any time a device without the Sysmon service is observed.
The command gives a result of devices with the Sysmon service. Any suggestions or ideas on how to do the comparison with all enrolled devices using KQL are welcome.
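An added KQL example (written for this page, not posted by either participant) that does the comparison rahuljindal describes with an export and a VLOOKUP as a single advanced hunting query: the set of devices with an observed Sysmon process start is anti-joined against the onboarded device inventory in DeviceInfo, so only devices with no Sysmon sighting are returned. Table and column names (DeviceInfo, DeviceProcessEvents, DeviceId, OnboardingStatus, OSPlatform, ReportId) are from the Defender advanced hunting schema; the 7-day lookback and the Windows-only filter are assumptions to adjust.

```kql
// Added example, not from the thread: onboarded Windows devices with no Sysmon
// process start in the lookback window. Assumes the Defender XDR advanced
// hunting schema; the window length and the OSPlatform filter are assumptions.
let lookback = 7d;
// Devices where a Sysmon process was created in the window. Sysmon runs as a
// service, so this is normally the service starting at boot or at install time.
let devicesWithSysmon =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("Sysmon.exe", "Sysmon64.exe")
    | distinct DeviceId;
// Onboarded Windows devices, reduced to the most recent DeviceInfo record per
// device. Timestamp, ReportId and DeviceId are kept in the output because a
// custom detection rule needs them to raise an alert on the device entity.
DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus == "Onboarded"
| where OSPlatform startswith "Windows"
| summarize arg_max(Timestamp, *) by DeviceId
// leftanti keeps only rows from DeviceInfo with no match in devicesWithSysmon,
// i.e. devices that never showed a Sysmon process in the window.
| join kind=leftanti devicesWithSysmon on DeviceId
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform
```

Two caveats when turning this into a custom detection rule: DeviceProcessEvents records process creation, so a host that has been up longer than the lookback window with Sysmon already running will have no Sysmon.exe start event and will be reported as missing (pick a window that covers at least one reboot of your fleet, or accept those as candidates to check by hand), and a device that has not reported to Defender at all in the window will not appear in DeviceInfo and so will not be listed either.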