Aug 31 2021 11:59 PM
How can I get a notification if any of the Microsoft Defender Endpoint (MDATP aka MDE) sensors go to the "INACTIVE" state? This would be a proactive approach that will help to avoid asset flagging related to the S360 KPI.
Sep 09 2021 11:26 PM
Feb 17 2022 12:56 PM
Feb 20 2022 09:02 AM - edited Feb 20 2022 09:04 AM
I believe something like this should work if you set it in a custom detection rule that runs on a 24h interval.
It will only show devices that last connected between 00:00 and 23:59 during the date 7 days ago.
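let threshold = 7d;
DeviceInfo
// Keep only the most recent DeviceInfo record for each device.
| summarize arg_max(Timestamp, *) by DeviceName
// Keep devices whose most recent record falls on the day that is `threshold` days ago.
| where Timestamp between (startofday(ago(threshold)) .. endofday(ago(threshold)))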
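
The following is an added example, not part of the reply above: the same one-day-window check keyed on DeviceId instead of DeviceName, limited to onboarded devices, and returning the Timestamp, DeviceId and ReportId columns that a custom detection rule needs. The OnboardingStatus filter, the look-back pre-filter and the DaysSilent column name are assumptions added for illustration.

```kql
// Added example: silent-sensor check for a custom detection rule run every 24h.
let threshold = 7d;
DeviceInfo
// Scan only far enough back to cover the threshold day and everything after it.
| where Timestamp >= ago(threshold + 1d)
// Latest DeviceInfo record per device; DeviceId is stable if a host is renamed.
| summarize arg_max(Timestamp, *) by DeviceId
// Skip devices whose latest record does not show them as onboarded.
| where OnboardingStatus == "Onboarded"
// Match devices whose last record is on the calendar day `threshold` days ago,
// so each device is reported once as it crosses the threshold, not every day after.
| where Timestamp between (startofday(ago(threshold)) .. endofday(ago(threshold)))
// DaysSilent is a hypothetical helper column for the alert details.
| extend DaysSilent = datetime_diff("day", now(), Timestamp)
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform, DaysSilent
```

Because the window covers a single day, a rule run that is skipped or fails will miss the devices that crossed the threshold on that day.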