Difference between Device Inventory Dashboard and KQL query

Iron Contributor

Hi,

I have an issue with a difference I don't understand between the Device Inventory dashboard and a KQL query. I'm trying to extract some metrics from Defender, like device health status.

So I go to the device inventory and manually filter for Sensor health state as "Misconfigured", which includes "Impaired communications" and "No sensor data". I get 3 devices on the list, as shown below:


(screenshot: Screenshot_1.png)

Then I try to reproduce this in a KQL query, which I think is this one:

DeviceInfo
    | where SensorHealthState contains "No sensor data" or SensorHealthState contains "Misconfigured"
    | summarize arg_max(Timestamp, *) by DeviceName

But I get 95 devices as a result. What am I missing here? It's a huge difference.

Thanks

1 Reply
You have to keep in mind the date range in which you make that search.
Also, hide the domain in the image 🙂
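An added example, not the original poster's query, showing one way to make the hunting query count what the dashboard filter counts: pin an explicit time window, take each device's latest record first, and only then filter on that latest state, so a device that reported "No sensor data" once but has since recovered is not counted. The 7-day window and the three state strings are assumptions.

```kql
// Added example (not from the original post). Assumptions: a 7-day window
// and that the raw SensorHealthState values are the three strings below.
DeviceInfo
| where Timestamp > ago(7d)                      // explicit date range, as the reply suggests
| where isnotempty(SensorHealthState)
| summarize arg_max(Timestamp, *) by DeviceId    // latest row per device BEFORE filtering
| where SensorHealthState in~ ("Misconfigured", "Impaired communications", "No sensor data")
| project DeviceId, DeviceName, SensorHealthState, OnboardingStatus, LastSeen = Timestamp
| order by LastSeen desc
```

Filtering before `arg_max`, as in the original query, keeps every device that ever had one of those states inside the retention window, which is why the count inflates; filtering after `arg_max` keeps only devices whose current state matches.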