Device management - MEM/AAD/AD/SCCM
This would be a query that you can adapt and test; it assumes you have Heartbeat info and 90 days (more on that below). You would have to set up an Alert rule using this for the different tables your services are in (or amend it to union the data sources - personally I'd have a rule for each to keep it clean and aid which playbooks run). It compares computers seen in the 90-30 day period against ones in the past 30 days, therefore any not seen are reported.
// olderDevices: every heartbeat in the 90-30 day window (this is the RIGHT side of the join below)
let olderDevices = Heartbeat
| where TimeGenerated between ( startofday(ago(90d)) .. endofday(ago(30d)) )
| summarize count() by Computer, TimeGenerated;
// recentDevices: every heartbeat in the last 29 days (this is the LEFT side of the join below)
let recentDevices = Heartbeat
| where TimeGenerated between ( startofday(ago(29d)) .. now() )
| summarize count() by Computer, TimeGenerated;
recentDevices
// rightanti keeps the rows of olderDevices whose Computer has no match in recentDevices,
// i.e. devices that reported in the 90-30 day window but have not been seen since
| join kind=rightanti olderDevices on Computer
// collapse to one row per missing device, carrying its earliest heartbeat from the older window
| summarize arg_min(TimeGenerated,*) by Computer
| order by TimeGenerated asc
The challenge is that Analytics Rules only look back 14 days, so you will have to adapt this KQL to maybe look back 14 days and 7 days - this might increase your false positive rate, as a machine might easily be offline legitimately for a week.
There is a technique to increase the 14 days using aggregation, but with some added cost.
Tiander did a great webcast here: https://youtu.be/G6TIzJK8XBA?t=3152 - watch it all 😊, but the "14 days use case" starts at 42 min.
Hopefully this is a start....
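The following is an added example, not code from the thread or from Microsoft Sentinel: a small Python model of what the KQL above does, so the anti-join semantics and the effect of shrinking the look-back can be checked offline. The heartbeat rows, computer names and the fixed "now" are constructed for the example; `stale_devices` mirrors the two time windows, the `rightanti` join on Computer and the `arg_min` per device, and the second call shows the 14/7 day adaptation flagging a machine that has only been offline for about a week.

```python
from datetime import datetime, timedelta

# Constructed sample data: (Computer, TimeGenerated) pairs standing in for the Heartbeat table.
NOW = datetime(2021, 11, 11, 12, 0, 0)
HEARTBEATS = [
    ("srv-01", NOW - timedelta(days=60)),   # seen long ago ...
    ("srv-01", NOW - timedelta(days=5)),    # ... and again recently: healthy
    ("srv-02", NOW - timedelta(days=45)),   # seen in the older window ...
    ("srv-02", NOW - timedelta(days=35)),   # ... then silent for 35 days: should be reported
    ("srv-03", NOW - timedelta(days=10)),   # only seen in the last month,
    ("srv-03", NOW - timedelta(days=8)),    # offline for a week or so
    ("srv-04", NOW - timedelta(days=100)),  # last heartbeat before the older window: out of scope
]


def start_of_day(t: datetime) -> datetime:
    """Equivalent of KQL startofday()."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def end_of_day(t: datetime) -> datetime:
    """Equivalent of KQL endofday() (last microsecond of the day)."""
    return start_of_day(t) + timedelta(days=1) - timedelta(microseconds=1)


def stale_devices(heartbeats, now, older_from_days=90, older_to_days=30, recent_from_days=29):
    """Devices that heartbeated in the older window but not in the recent window.

    Models: olderDevices (between ago(older_from) .. endofday(ago(older_to))),
            recentDevices (between startofday(ago(recent_from)) .. now),
            join kind=rightanti on Computer, summarize arg_min(TimeGenerated, *),
            order by TimeGenerated asc.
    Returns {Computer: earliest TimeGenerated in the older window}, oldest first.
    """
    older_start = start_of_day(now - timedelta(days=older_from_days))
    older_end = end_of_day(now - timedelta(days=older_to_days))
    recent_start = start_of_day(now - timedelta(days=recent_from_days))

    older = {}       # Computer -> earliest heartbeat in the older window (arg_min)
    recent = set()   # Computers with any heartbeat in the recent window
    for computer, ts in heartbeats:
        if older_start <= ts <= older_end:
            older[computer] = min(older.get(computer, ts), ts)
        if recent_start <= ts <= now:
            recent.add(computer)

    # rightanti: keep olderDevices rows whose Computer has no match in recentDevices
    missing = {c: t for c, t in older.items() if c not in recent}
    return dict(sorted(missing.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    # 90/30 day windows as in the original query: only srv-02 is reported
    print("90-30 day rule:", stale_devices(HEARTBEATS, NOW))
    # 14/7 day adaptation for the Analytics Rule look-back limit: srv-03 is now
    # reported as well, although it was merely offline for about a week
    print("14-7 day rule: ", stale_devices(HEARTBEATS, NOW, 14, 7, 6))
```

Running it prints srv-02 (last seen 35 days ago) under the 90/30 windows, while the 14/7 variant additionally reports srv-03, which is the false-positive risk the post describes; tune the windows, or pair the rule with a maintenance or decommission list, before wiring it to a playbook.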
- MikePalmer75, Nov 11, 2021, Brass Contributor
Clive_Watson Thank you for the advice and I'll watch the video shortly. What would be the best way to get the data into Sentinel's Log Analytics space?
Regards
Mike
- Clive_Watson, Nov 12, 2021, Bronze Contributor
There is an example in the video - if I remember correctly.