How to create an analytics role to trigger an alert when the agents stop sending events

The basic query (from the Logs Analytics examples) is this, you'll have to amend as required // Unavailable computers // List all known computers that didn't send a heartbeat in the last 5 hours. Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer | where LastHeartbeat < ago(5h) Note: This monitors the heartbeat of the AMA/MMA (assuming that the agent you are using). It wont differentiate between failure and "not sending". Its also possible for the agent to fail which this will capture but the machine might still be working.