MoAlom
Copper Contributor
Mar 10, 2021

Microsoft Defender Security Center (ATP) - Alerts

Hi All,

Is there a way for us to get alerted from MS Security Center (ATP) if a device (server) has not been seen online for more than 24 hrs?

I have intentionally onboarded a server to ATP and then taken away its ability to communicate out to the internet. I can see ATP reporting the server as last seen more than 24 hrs ago if I drill down into the device summary. The health state is still showing as active.

Wondering how often Defender for Endpoint reassesses the devices? Also, whether the above is possible.


Kind regards,
Mo

1 Reply

  • edinili84
    Brass Contributor
    The device won't show as Inactive until it has been offline for the last 7 days but it should show as Misconfigured due to No Sensor Data or Impaired Communications.

    You can create Custom Detection Rules based on advanced hunting queries to generate alerts.

    https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/custom-detections-overview?view=o365-worldwide

    The DeviceTvmSecureConfigurationAssessment schema table has a column named ConfigurationId where you can check for ImpairedCommunications and Sensor Enabled amongst other values.

    Take a look at this sample query for more info:

    https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/Endpoint%20Agent%20Health%20Status%20Report.md
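
    As an added example (not from this thread or the linked sample query), here is an advanced hunting query a custom detection rule could run to flag onboarded devices whose most recent DeviceInfo event is older than the 24 hours asked about above. It assumes the DeviceInfo table's Timestamp, ReportId, DeviceId, DeviceName, OSPlatform and OnboardingStatus columns; the DeviceTvmSecureConfigurationAssessment route from the reply is an alternative, not something this query uses.

```kql
// Added example: onboarded devices with no DeviceInfo heartbeat in the last 24 hours.
// Scanning 30 days back means a device that went quiet weeks ago still has a
// "last seen" row to compare against; a silent device produces no new rows.
let Lookback = 30d;      // how far back to look for each device's last event
let SilentFor = 24h;     // threshold from the question
DeviceInfo
| where Timestamp > ago(Lookback)
| where OnboardingStatus == "Onboarded"
// One row per device: its most recent event. arg_max keeps ReportId alongside
// Timestamp, which the custom detection rule needs.
| summarize arg_max(Timestamp, ReportId, DeviceName, OSPlatform) by DeviceId
| where Timestamp < ago(SilentFor)
| extend HoursSilent = datetime_diff('hour', now(), Timestamp)
// Timestamp, ReportId and DeviceId are mandatory output columns for a custom detection rule.
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, HoursSilent
| order by HoursSilent desc
```

    Custom detection rules only inspect data inside a lookback window tied to their run frequency (the every-24-hours schedule covers the past 30 days), so pick a schedule whose window is at least as long as Lookback, otherwise long-silent devices drop out of the result instead of being alerted on.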
