User Profile

Arjun_Rajan

Copper Contributor

Joined Jun 25, 2020

7 Posts2 LikesLikes received

View All Badges

User Widgets

Recent Discussions

Re: Custom Detection rule to find Inactive Device
Princely Much appreciated your response to my query. Unfortunately, It does not return any result even if I choose the last 30 days. Please let me know if you happen to know how to set the Time range in the query. However, I do get all inactive devices by running the below query DeviceTvmSecureConfigurationAssessment | where ConfigurationId in ("scid-91", "scid-2000", "scid-2001") | summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceId, ConfigurationId | extend Test = case( ConfigurationId == "scid-2000", "SensorEnabled", "N/A"), Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD") | extend packed = pack(Test, Result) | summarize Tests = make_bag(packed) by DeviceId | evaluate bag_unpack(Tests)
Oct 19, 2021 Place Microsoft Defender for Endpoint
3.9KViews
0likes
4Comments
Custom Detection rule to find Inactive Device
Hello, My Org Planning to create incidents whenever the device goes inactive state in Microsoft Defender for Endpoint. It would be much appreciated if I get the query(KQL) to list the Inactive device. Thanks in Advance
Oct 16, 2021 Place Microsoft Defender for Endpoint
4.2KViews
1like
6Comments

Recent Blog Articles

No content to show