Forum Discussion

Brass Contributor

Apr 30, 2024

KQL query for non-matching entries

Hi, I am trying to write a query to find out the devices that does not have MDE installed by comparing it with those devices found in CommonSecurity Table. The actual no. of devices is approx. 50...

Bronze Contributor

Have you tried to simplify the query? Something based on this?

let mde_devices= 
DeviceInfo
| where TimeGenerated >= ago(7d)
| where OSPlatform has 'server'
| distinct DeviceName
;
Syslog
| where TimeGenerated >= ago(7d)
| where Computer !in (mde_devices)
// Only display devices that are not MDE 
| distinct Computer

abon13

Brass Contributor

May 06, 2024

The leftanti is working now after the query was simplified

Forum Discussion

KQL query for non-matching entries

Share

Resources