Microsoft 365 Defender KQL script

Copper Contributor

Hi All,

 

Is there a way to set a KQL script to identify all the devices in Microsoft 365 Defender with the tag "Pending restart" and, at the same time, identify the user who started a session on those devices?

 

I've been triying several approaches and visiting different websites, which seem complex. I would greatly appreciate any assistance, insights, or suggestions the community can provide to help me troubleshoot and resolve this issue.

 

Thanks.

1 Reply
This could be a way forward for you, different unions can be used within this but as a crude example

union DeviceEvents, DeviceInfo
| where DeviceManualTags == "Pending Restart"
| where ActionType == "LogonAttempted"