Last Update

Orion Withrow
Occasional Contributor

We use the Windows Analytics modules, therefore do not have any agents (yet). All of our Data relies on Windows Telemetry. Is there any way to list machines that have not uploaded telemetry data in a certain number of days?

5 Replies
Solution

Hi

You can use the same logic as the Heartbeat query for non-reporting computers. Of course, some things need to be changed. For example:

Heartbeat | where TimeGenerated > ago(7d)  | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(15m)

For Heartbeat we look at data for the last 7 days and check for computers that haven't reported in the last 15 minutes.

For Windows Analytics module it could be:

WaaSDeploymentStatus | where TimeGenerated > ago(7d)  | summarize LastCall=max(TimeGenerated) by Computer | where LastCall < ago(2d)

It is best to check against a table that all computers report to at regular intervals. I am not sure which table that is for Windows Analytics, but feel free to suggest if there is a better one. Here we look for machines that haven't reported for 2 days. As Windows Analytics data is sent at longer intervals than Heartbeat, you will need to accommodate that.

Hope this helps.
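A worked version of the pattern in the accepted answer above, added here as an example rather than something posted in the thread. It runs against constructed `datatable` rows standing in for Heartbeat (or WaaSDeploymentStatus) and for an inventory of machines that should be reporting, so it can be pasted into any Log Analytics query window without a workspace; the hostnames, timestamps, the fixed `asOf` time used in place of `now()`, and the `Expected` table are all assumptions. It also shows the caveat that the 7-day lookback introduces: a computer whose newest row is older than the lookback never reaches the `summarize`, so it is silently dropped from the result unless you join against a list of expected machines.

```kusto
// Added example, not from the thread. Runs stand-alone: the tables below are
// constructed stand-ins for Heartbeat / WaaSDeploymentStatus and an inventory.
let asOf      = datetime(2024-05-10 12:00:00);  // stand-in for now(); use ago() in production
let lookback  = 7d;   // how far back to search for any row per computer
let threshold = 2d;   // silence longer than this counts as stale
// Constructed telemetry rows (hostnames and times are made up).
let Reports = datatable(Computer:string, TimeGenerated:datetime) [
    "ws-001", datetime(2024-05-10 11:50:00),   // healthy: row minutes ago
    "ws-001", datetime(2024-05-07 09:00:00),
    "ws-002", datetime(2024-05-07 08:00:00),   // stale: last row 3 days old
    "ws-002", datetime(2024-05-05 08:00:00),
    "ws-003", datetime(2024-05-01 08:00:00)    // silent 9 days: older than the lookback
];
// Constructed list of machines that should be reporting (e.g. an AD export
// ingested as a custom table). ws-004 has never sent a row at all.
let Expected = datatable(Computer:string) [ "ws-001", "ws-002", "ws-003", "ws-004" ];
// 1) The thread's pattern. Only ws-002 comes out of this step: ws-003 has no
//    row inside the lookback window, so summarize never produces a LastCall for it.
let LastSeen = Reports
    | where TimeGenerated > asOf - lookback
    | summarize LastCall = max(TimeGenerated) by Computer;
// 2) Left-join the inventory so computers with no row in the window are listed
//    too, with an explicit reason. Output: ws-002, ws-003, ws-004.
Expected
| join kind=leftouter LastSeen on Computer
| extend DaysSilent = round((asOf - LastCall) / 1d, 1)
| extend Status = case(isnull(LastCall), "no rows in lookback window",
                       LastCall < asOf - threshold, strcat("stale for ", DaysSilent, " days"),
                       "ok")
| where Status != "ok"
| project Computer, LastCall, DaysSilent, Status
| order by LastCall asc nulls first
```

To run this against a real workspace, drop the `Reports` definition, replace `asOf` with `now()` (or the comparisons with `ago(lookback)` / `ago(threshold)`), and point `Expected` at whatever table or watchlist holds your inventory. The lookback must always be longer than the staleness threshold, and machines missing for longer than the lookback are only visible through the join.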

For Upgrade Readiness, you can use UAComputer.LastScan. So, for example, a query like this might give you what you are looking for:

UAComputer | where TimeGenerated==toscalar(UAComputer | summarize max (TimeGenerated)) | summarize count() by LastScan
For more information on the Windows Analytics schema and sample queries, see https://techcommunity.microsoft.com/t5/Windows-Analytics-resources/Windows-Analytics-Extensibility/m...
@Marc Shepard Is there any way to refine this to only show machines that haven't reported data in more than 10 days? If possible, I would like to use this to create an alert.

// Newest UAComputer snapshot, then computers whose last scan is older than 10 days
let snapShot = toscalar(UAComputer | summarize max(TimeGenerated));
search in (UAComputer) TimeGenerated==snapShot and (LastScan < now() - 10d)
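The same "older than N days" check for the Upgrade Readiness data, added as an example that is not part of the thread. It uses constructed rows with the three UAComputer columns the replies above rely on (`Computer`, `TimeGenerated`, `LastScan`); the hostnames, times and the fixed `asOf` value standing in for `now()` are assumptions. Instead of filtering on `TimeGenerated == max(TimeGenerated)`, it keeps each computer's newest row with `arg_max`, so a computer is not lost if its most recent row does not carry exactly the same snapshot timestamp as the others.

```kusto
// Added example, not from the thread. UASample is a constructed stand-in for
// the UAComputer table; only the columns used here are modelled.
let asOf      = datetime(2024-05-10 12:00:00);   // stand-in for now(); use ago(threshold) in production
let threshold = 10d;                             // the "greater than 10 days" asked for above
let UASample = datatable(Computer:string, TimeGenerated:datetime, LastScan:datetime) [
    "ws-001", datetime(2024-05-10 06:00:00), datetime(2024-05-09 22:00:00),  // current snapshot, recent scan
    "ws-002", datetime(2024-05-10 06:00:00), datetime(2024-04-20 03:00:00),  // current snapshot, scan 20 days old
    "ws-003", datetime(2024-05-09 06:00:00), datetime(2024-05-08 01:00:00),  // present in two snapshots
    "ws-003", datetime(2024-05-10 06:00:00), datetime(2024-05-08 01:00:00)
];
// arg_max keeps the newest snapshot row per computer, whatever its TimeGenerated.
// Output: ws-002 only (DaysSinceScan 20.4); ws-001 and ws-003 scanned within 10 days.
UASample
| summarize arg_max(TimeGenerated, LastScan) by Computer
| where LastScan < asOf - threshold
| extend DaysSinceScan = round((asOf - LastScan) / 1d, 1)
| project Computer, SnapshotTime = TimeGenerated, LastScan, DaysSinceScan
| order by LastScan asc
```

For an alert rule, use this query body with `ago(10d)` in place of `asOf - threshold`, and fire on "number of results greater than 0" as in the Heartbeat recipe later in the thread; because the snapshot only refreshes daily, a time window and frequency of hours rather than minutes is enough.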

Found this in the OMS FAQ:
How can I be notified when data collection stops?

A: Use the steps described in create an alert rule to be notified when data collection stops.

When creating the alert for when data collection stops, set the:

  • Name to Data collection stopped
  • Severity to Warning
  • Search query to Heartbeat | summarize LastCall = max(TimeGenerated) by Computer | where LastCall < ago(15m)
  • Time window to 30 minutes.
  • Alert frequency to every ten minutes.
  • Generate alert based on to be number of results
  • Number of results to be Greater than 0

This alert will fire when the query returns results, which happens only if a heartbeat has been missing for more than 15 minutes. Use the steps described in add actions to alert rules to configure an e-mail, webhook, or runbook action for the alert rule.
