Sep 04 2024 09:01 AM
Hi,
I have an issue with differences which I'm not understanding between Device Inventory dashboard and a kql query. I'm trying to extract some metrics from Defender, like device health status.
So I go to the device inventory and manually filter for Sensor health state as "Misconfigured", which includes "Impaired communications" and "No sensor data". I've got 3 devices on the list, as shown below:
Then I try to reproduce this in a KQL query, which I think is this one:
DeviceInfo
| where SensorHealthState contains "No sensor data" or SensorHealthState contains "Misconfigured"
| summarize arg_max(Timestamp, *) by DeviceName
But I've got 95 devices as a result. What am I missing here? It's a huge difference.
Thanks
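The gap between the two numbers comes down to operator order. DeviceInfo holds many rows per device over time, so filtering on SensorHealthState before summarize arg_max() returns the latest row that ever matched the filter, including devices that were misconfigured weeks ago and are healthy now. The inventory page shows each device's current state, which corresponds to taking the latest row per device first and filtering afterwards. The following is an added example, not code from the post or from Microsoft; it simulates both operator orders over a constructed set of DeviceInfo-like rows (the SensorHealthState strings are assumptions, not the real schema values) and carries the reordered KQL as a string constant.

```python
from datetime import datetime

# Constructed sample rows standing in for DeviceInfo: one row per device per
# reporting interval. The SensorHealthState values are assumed for illustration.
ROWS = [
    {"Timestamp": datetime(2024, 9, 1), "DeviceName": "host-a", "SensorHealthState": "Misconfigured"},
    {"Timestamp": datetime(2024, 9, 3), "DeviceName": "host-a", "SensorHealthState": "Active"},
    {"Timestamp": datetime(2024, 9, 2), "DeviceName": "host-b", "SensorHealthState": "No sensor data"},
    {"Timestamp": datetime(2024, 9, 3), "DeviceName": "host-b", "SensorHealthState": "No sensor data"},
    {"Timestamp": datetime(2024, 9, 1), "DeviceName": "host-c", "SensorHealthState": "Active"},
    {"Timestamp": datetime(2024, 9, 3), "DeviceName": "host-c", "SensorHealthState": "Active"},
    {"Timestamp": datetime(2024, 9, 3), "DeviceName": "host-d", "SensorHealthState": "Misconfigured"},
]

# Reordered query that mirrors the inventory page: latest row per device first,
# then the health-state filter (added here, not from the original post).
CURRENT_STATE_KQL = """
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceName
| where SensorHealthState contains "No sensor data" or SensorHealthState contains "Misconfigured"
"""

UNHEALTHY_TERMS = ("no sensor data", "misconfigured")


def is_unhealthy(row):
    # KQL 'contains' is a case-insensitive substring match.
    state = row["SensorHealthState"].lower()
    return any(term in state for term in UNHEALTHY_TERMS)


def arg_max_by_device(rows):
    # Equivalent of: summarize arg_max(Timestamp, *) by DeviceName
    latest = {}
    for row in rows:
        current = latest.get(row["DeviceName"])
        if current is None or row["Timestamp"] > current["Timestamp"]:
            latest[row["DeviceName"]] = row
    return list(latest.values())


def filter_then_latest(rows):
    """Operator order from the post: where ... | summarize arg_max(...).
    Returns every device that matched the filter at any point in time."""
    matching = [r for r in rows if is_unhealthy(r)]
    return sorted(r["DeviceName"] for r in arg_max_by_device(matching))


def latest_then_filter(rows):
    """Operator order matching the inventory view: summarize arg_max(...) | where ...
    Returns only devices whose most recent record is unhealthy."""
    return sorted(r["DeviceName"] for r in arg_max_by_device(rows) if is_unhealthy(r))


if __name__ == "__main__":
    print("filter then arg_max:", filter_then_latest(ROWS))   # host-a included although now Active
    print("arg_max then filter:", latest_then_filter(ROWS))   # current state only
```

With the constructed rows, host-a was misconfigured on 1 September and active by 3 September; the post's operator order still reports it, while the reordered query does not. Whether the reordered query lands exactly on the portal's count also depends on any time window the portal applies, so compare against the same time range when validating.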
Sep 05 2024 03:17 AM