cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to notify if any of the MDE sensor going to "INACTIVE" state

Mscommunityta21
Microsoft

‎Aug 31 2021 11:59 PM

‎Aug 31 2021 11:59 PM

How to notify if any of the MDE sensor going to "INACTIVE" state

How can get notification if any of the Microsoft Defender Endpoint (MDATP aka MDE) sensors going to "INACTIVE" state. This will be an proactive approaches that will help to avoid assets flagging related to S360 KPI 

2,529 Views
0 Likes
3 Replies
Reply
3 Replies
mas18

‎Sep 09 2021 11:26 PM

‎Sep 09 2021 11:26 PM

Re: How to notify if any of the MDE sensor going to "INACTIVE" state

Endpoint reporting to MDE will go inactive state if endpoint failed to connect MDE tenant for 7 consecutive days. You can generate device inventory report or use KQL to get the Lastdeviceupdate date and time.
0 Likes
Reply
DevRin

‎Feb 17 2022 12:56 PM

‎Feb 17 2022 12:56 PM

Re: How to notify if any of the MDE sensor going to "INACTIVE" state

Would you have any example KQL scripts for this?
0 Likes
Reply
Jonhed

‎Feb 20 2022 09:02 AM - edited ‎Feb 20 2022 09:04 AM

‎Feb 20 2022 09:02 AM - edited ‎Feb 20 2022 09:04 AM

Re: How to notify if any of the MDE sensor going to "INACTIVE" state

@DevRin 

I believe something like this should work if you set it in a custom detection rule that runs on a 24h interval.

 

It will only show devices that last connected between 00:00 and 23:59 during the date 7 days ago.

 

 

let threshold = 7d;
DeviceInfo
| summarize arg_max(Timestamp,*) by DeviceName
| where Timestamp between (startofday(ago(threshold))..endofday(ago(threshold)))

 

 

0 Likes
Reply