cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom Detection rule to find Inactive Device

Arjun_Rajan
Copper Contributor

‎Oct 16 2021 11:23 PM

‎Oct 16 2021 11:23 PM

Custom Detection rule to find Inactive Device

Hello, My Org Planning to create incidents whenever the device goes inactive state in Microsoft Defender for Endpoint. It would be much appreciated if I get the query(KQL) to list the Inactive device. Thanks in Advance

3,048 Views
1 Like
6 Replies
Reply
6 Replies
Princely

‎Oct 19 2021 07:47 PM

‎Oct 19 2021 07:47 PM

Re: Custom Detection rule to find Inactive Device

@Arjun_Rajan You can use the following query, which runs fine but there is an error in it per MDE, which wont let me save this as a custom detection rule :

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ('scid-2000', 'scid-2001')
| extend Test = case(
ConfigurationId == "scid-2000", "SensorEnabled",
ConfigurationId == "scid-2001", "SensorDataCollection",
"N/A"),
Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId
| evaluate bag_unpack(Tests)
| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
| summarize by DeviceName, DeviceId
0 Likes
Reply
Arjun_Rajan

‎Oct 19 2021 09:50 PM

‎Oct 19 2021 09:50 PM

Re: Custom Detection rule to find Inactive Device

@Princely  Much appreciated your response to my query. Unfortunately, It does not return any result even if I choose the last 30 days. Please let me know if you happen to know how to set the Time range in the query. 

 

However, I do get all inactive devices by running the below query

 

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
     "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceId
| evaluate bag_unpack(Tests)
0 Likes
Reply
Princely

‎Oct 20 2021 07:54 AM

‎Oct 20 2021 07:54 AM

Re: Custom Detection rule to find Inactive Device

@Arjun_Rajan 
The query you had mentioned seems to be giving the health status of each device.


And the one I had mentioned would specifically return the devices with a sensor enabled but no sensor data returned. Do you not have any hosts in your environment that match this criteria ? I suspect that is the case here.  

 

Regards,

Princely Dmello

0 Likes
Reply
Akash553

‎Nov 25 2022 04:50 AM

‎Nov 25 2022 04:50 AM

Re: Custom Detection rule to find Inactive Device

@Princely 

 

hello Brother

 

i need to know in this condition for detection, how should we test it like should i have to disable the network connection of the machine and then wait for some time? If yes then how much time it requires

 

Please mention the test how should i test in testing environment?

 

 

 

 

 

 

0 Likes
Reply
Princely

‎Nov 29 2022 04:39 PM

‎Nov 29 2022 04:39 PM

Re: Custom Detection rule to find Inactive Device

Hey @Akash553
Yes you could disconnect a device from the network to trigger the 'no sensor data' status. I am not sure about the time period that it would need to be disconnected for. That needs to be confirmed by Microsoft.

0 Likes
Reply
Akash553

‎Nov 29 2022 05:48 PM

‎Nov 29 2022 05:48 PM

Re: Custom Detection rule to find Inactive Device

@Princely 

Hello Princely,

 

Thaks for the update i will try the same as well. Is there any other way to see the device inactivity from KQL for eg. Compare the timestamp from old to new or any data from sensor based ??

0 Likes
Reply