Sergio-Vargas
Aug 26, 2023

Microsoft 365 Defender KQL script

Hi All,

Is there a way to set a KQL script to identify all the devices in Microsoft 365 Defender with the tag "Pending restart" and, at the same time, identify the user who started a session on those devices?

I've been trying several approaches and visiting different websites, which seem complex. I would greatly appreciate any assistance, insights, or suggestions the community can provide to help me troubleshoot and resolve this issue.

Thanks.

1 Reply

  • This could be a way forward for you. Different unions can be used within this, but as a crude example:

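    // Tags are in DeviceInfo, logons in DeviceLogonEvents: correlate per DeviceId
    union DeviceInfo, DeviceLogonEvents
    | where DeviceManualTags contains "Pending Restart" or ActionType == "LogonAttempted"
    | summarize TaggedRows = countif(DeviceManualTags contains "Pending Restart"),
        Accounts = make_set_if(AccountName, ActionType == "LogonAttempted") by DeviceId
    | where TaggedRows > 0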
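
A fuller version of this correlation, as an added example that is not part of the original reply: it keeps each device's newest DeviceInfo record, filters on the tag, and joins the accounts that logged on to those devices from DeviceLogonEvents. The 7-day lookback, the use of `LogonSuccess` to mean "started a session", and the tag being a manual tag are assumptions.

```kusto
// Added example. Assumptions: the tag is a manual tag, a 7-day lookback,
// and "started a session" means a successful logon (LogonSuccess).
let TagName = "Pending restart";
let Lookback = 7d;
let TaggedDevices =
    DeviceInfo
    | where Timestamp > ago(Lookback)
    // DeviceInfo is reported periodically; keep only the newest record per device
    | summarize arg_max(Timestamp, DeviceName, DeviceManualTags) by DeviceId
    // contains is case-insensitive, so "Pending Restart" matches as well
    | where DeviceManualTags contains TagName
    | project DeviceId, DeviceName;
TaggedDevices
// leftouter keeps tagged devices even when no logon was recorded in the window
| join kind=leftouter (
    DeviceLogonEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "LogonSuccess"
    | where isnotempty(AccountName)
    | summarize LastLogon = max(Timestamp), Logons = count()
        by DeviceId, AccountDomain, AccountName
  ) on DeviceId
| project DeviceName, AccountDomain, AccountName, LastLogon, Logons
| sort by DeviceName asc, LastLogon desc
```

Adding a filter on `LogonType` narrows the result to interactive sessions and drops service and network logons.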