Forum Discussion
Solved
Need a query for OMS agents NOT sending logs in the past 24 hours.
Hi there, I have a watchlist of my oms agents. I'd like to use DeviceProcessEvents to list agents that have NOT reported any processes in the past 24 hours. I don't want to use the Heartbeat table...
SocInABox The main problem is that you won't know if one is missing unless it has sent data in the past. So no matter whether you choose 7, 14, or 90 days, if the device has never sent data you won't know about it.
I would do a comparison with the Heartbeat table and see if the devices that are not sending data show up more in there and if so do a join with that table to get a listing of the server and see if they show up in the DeviceProcessEvents table.
This may also be helpful
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Send-ConnectorHealthStatus