Query Details

D4IOT Connector State

Query

# Detect disconnected Defender for IoT Sensors

## Query Information

### Description

Use the queries below to retrieve the Defender for IoT Connector Status.

#### References

- [Tutorial: Set up automatic sensor disconnection notifications with Microsoft Defender for IoT and Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/automate-sensor-disconnection-alerts)

### Author

- **Marian Hristov**
- **Alex Verboon**

## Defender XDR

```kql
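// arg("") queries the Azure Resource Graph table iotsecurityresources
arg("").iotsecurityresources
| where type == 'microsoft.iotsecurity/locations/sites/sensors'
| extend Status = properties.sensorStatus
| extend LastConnectivityTime = properties.connectivityTime
// Override the reported status when the last check-in is older than 5 minutes
| extend Status = iif(LastConnectivityTime < ago(5m), 'Disconnected', Status)
| project SensorName = name, Status, LastConnectivityTime
// Uncomment the next line to list only disconnected sensors
//| where Status == 'Disconnected'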
```

## Resource Graph

```kql
iotsecurityresources
| where type == 'microsoft.iotsecurity/locations/sites/sensors'
| extend Status = properties.sensorStatus
| extend LastConnectivityTime = properties.connectivityTime
// Override the reported status when the last check-in is older than 5 minutes
| extend Status = iif(LastConnectivityTime < ago(5m), 'Disconnected', Status)
| project SensorName = name, Status, LastConnectivityTime
// Keep only the sensors flagged as disconnected
| where Status == 'Disconnected'
```

Explanation

This query is designed to identify and report on the status of Microsoft Defender for IoT sensors, specifically focusing on those that have become disconnected. Here's a simple breakdown of what the query does:

1. Data Source: The query retrieves data from a resource called `iotsecurityresources`, which contains information about IoT sensors.

2. Filter by Type: It filters the data to only include entries that are of the type `microsoft.iotsecurity/locations/sites/sensors`. This ensures that only IoT sensor data is considered.

3. Extract Properties: The query extracts two key properties for each sensor:

   - `sensorStatus`: The current status of the sensor.
   - `connectivityTime`: The last time the sensor was connected.

4. Determine Disconnection: It checks if the `LastConnectivityTime` is older than 5 minutes. If so, it marks the sensor's status as 'Disconnected', replacing the status the sensor reported.

5. Select Relevant Data: The query then selects (or projects) the sensor's name, its status, and the last connectivity time for reporting.

6. Filter Disconnected Sensors: The Resource Graph version of the query ends with a filter that shows only those sensors that are marked as 'Disconnected'. In the Defender XDR version the same filter is commented out, so all sensors are listed with their status.

The purpose of this query is to help administrators quickly identify any IoT sensors that have lost connectivity, allowing them to take appropriate action to restore connections or investigate issues.
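The following variant is an added example, not part of the authors' queries or the referenced tutorial. It casts `connectivityTime` to a datetime explicitly, handles a sensor with an empty `connectivityTime` as its own case instead of leaving it to how the comparison treats an empty value, and keeps the sensor's reported status next to the derived one so an override by the 5-minute rule is visible. The column name `ReportedStatus` and the label `NoConnectivityTime` are chosen for this example, and it is an assumption that `connectivityTime` can be empty.

```kql
// Added example: Resource Graph variant with explicit typing and an empty-value case
iotsecurityresources
| where type == 'microsoft.iotsecurity/locations/sites/sensors'
// Keep the status the sensor reported so it can be compared with the derived one
| extend ReportedStatus = tostring(properties.sensorStatus)
// Cast the dynamic property so the time comparison is done on a datetime
| extend LastConnectivityTime = todatetime(properties.connectivityTime)
| extend Status = case(
    isnull(LastConnectivityTime), 'NoConnectivityTime',  // label chosen for this example
    LastConnectivityTime < ago(5m), 'Disconnected',      // same 5-minute rule as above
    ReportedStatus)
// Report sensors that are stale or have no connectivity time at all
| where Status in ('Disconnected', 'NoConnectivityTime')
| project SensorName = name, Status, ReportedStatus, LastConnectivityTime
// Oldest check-in first
| order by LastConnectivityTime asc
```

A row where `ReportedStatus` is not a disconnected state but `Status` is 'Disconnected' is a sensor whose last check-in is stale even though its stored status has not changed.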

Details

Alex Verboon

Released: August 22, 2025

Tables

iotsecurityresources

Keywords

Defender, Iot, Sensors, Status, Connectivity, Time

Operators

arg, where, extend, iif, ago, project