Microsoft Defender Security Center (ATP) - Alerts


Hi All,


Is there a way for us to get alerted from MS Security Center (ATP) if a device (Server) has not been seen online for more than 24hrs?


I have intentionally onboarded a server to ATP and then took away its ability to communicate outside to the internet. I can see ATP reporting the server as last seen more than 24 hrs ago if I drill down into the device summary. The health state is still showing active.


Wondering how often Defender for Endpoint reassesses the devices? Also whether the above is possible.


Kind regards,
Mo

1 Reply
The device won't show as Inactive until it has been offline for the last 7 days but it should show as Misconfigured due to No Sensor Data or Impaired Communications.

You can create Custom Detection Rules based on advanced hunting queries to generate alerts.

https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/custom-detections-overview?view=o365-wor...

The DeviceTvmSecureConfigurationAssessment schema table has a column named ConfigurationId where you can check for ImpairedCommunications and Sensor Enabled amongst other values.

Take a look at this sample query for more info:

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/En...
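As an added example (not part of the thread, and not Microsoft's sample query), here is an advanced hunting query that covers both the original question and the reply: it takes the latest heartbeat per device from the DeviceInfo table, keeps devices not seen for more than 24 hours, and joins in the latest non-compliant sensor-health checks from DeviceTvmSecureConfigurationAssessment. The two ConfigurationId values are placeholders; take the real ids for "Sensor Enabled" and "Impaired Communications" from the sample query linked above. The output keeps the Timestamp, DeviceId and ReportId columns a custom detection rule needs.

```kusto
// Added example, not from the thread. Candidate query for a custom detection rule
// that alerts on devices whose sensor has gone quiet for more than 24 hours.
// Part 1: last heartbeat per device, taken from DeviceInfo.
let StaleDevices =
    DeviceInfo
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, ReportId) by DeviceId
    | where Timestamp < ago(24h)
    | project DeviceId, DeviceName, OSPlatform, LastSeen = Timestamp, ReportId;
// Part 2: latest sensor-health assessment per device and check.
// PLACEHOLDER ids below: replace with the real ConfigurationId values for
// "Sensor Enabled" and "Impaired Communications" from the linked sample query.
let SensorIssues =
    DeviceTvmSecureConfigurationAssessment
    | where ConfigurationId in ("<scid-SensorEnabled>", "<scid-ImpairedCommunications>")
    | summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId
    | where IsApplicable == 1 and IsCompliant == 0
    | summarize FailedChecks = make_set(ConfigurationId) by DeviceId;
// Combine: stale devices, annotated with any failed sensor checks (leftouter keeps
// devices that are stale even when the TVM table has no matching assessment yet).
StaleDevices
| join kind=leftouter SensorIssues on DeviceId
| extend HoursSinceLastSeen = datetime_diff("hour", now(), LastSeen)
| project Timestamp = LastSeen, DeviceId, DeviceName, OSPlatform,
          HoursSinceLastSeen, FailedChecks, ReportId
| order by HoursSinceLastSeen desc
```

Run it in Advanced hunting first to confirm the 24-hour cut-off matches what the device summary page shows, then save it as a custom detection rule. One caveat when choosing the rule frequency: a custom detection only sees data inside its lookback window, so a device whose last DeviceInfo record falls outside that window drops out of the results instead of being reported; the once-a-day frequency, which has the longest lookback, is the safer choice for this kind of "no longer reporting" rule.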