Query Details

Device Find Devices No Longer Sending Events

Query

//Find devices that have sent network events within the last 365 days but none in the last 30 days,
//retrieve the time of each device's last event and calculate the days elapsed since then

//Data connector required for this query - M365 Defender - Device* tables

DeviceNetworkEvents
| project TimeGenerated, DeviceName
//Lookback window; in practice bounded by the workspace retention period
| where TimeGenerated > ago(365d)
//Keep only the most recent event per device
| summarize arg_max(TimeGenerated, *) by DeviceName
| project DeviceName, ['Days Since Last Event'] = datetime_diff('day', now(), TimeGenerated), ['Last Event Time']=TimeGenerated
//Only devices that have been silent for more than 30 days
| where ['Days Since Last Event'] > 30
| sort by ['Days Since Last Event'] desc

Explanation

This query finds devices that sent at least one network event in the last 365 days but none in the last 30 days. It retrieves the last event time for each device with arg_max and calculates the number of days since that event with datetime_diff. The query uses the DeviceNetworkEvents table from the M365 Defender data connector, and the results are sorted by the number of days since the last event in descending order. Two caveats apply: the 365-day lookback is limited by the workspace's data retention (a Sentinel workspace retains 90 days by default unless retention has been extended), and a device whose last event falls outside the lookback does not appear at all. Silence in DeviceNetworkEvents alone does not tell you why a device went quiet; it may have been decommissioned, be offline, or have had its sensor disabled or tampered with, so correlate with DeviceInfo and the other Device* tables before treating a result as an incident or as a device that can be dropped from inventory.
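As an added example that is not part of the original query or its author's work, the variant below extends the same logic across several Device* tables, so a device is listed only when the Defender sensor has gone silent everywhere, and it reports which table last saw the device. The tables named are standard M365 Defender connector tables; the 365d lookback and 30-day threshold mirror the query above and are assumptions you should tune to your own retention and patching cadence.

```kql
//Added example, not part of the original query: flag devices whose Defender telemetry
//has stopped across all of the unioned Device* tables, not only network events.
//Assumptions: the M365 Defender connector is enabled, and 365d / 30 days are
//placeholder values taken from the query above.
let lookback = 365d;
let threshold_days = 30;
union withsource=SourceTable DeviceInfo, DeviceNetworkEvents, DeviceProcessEvents, DeviceLogonEvents
| where TimeGenerated > ago(lookback)
| project TimeGenerated, DeviceName, SourceTable
//Most recent event per device across all the unioned tables, plus the table it came from
| summarize arg_max(TimeGenerated, SourceTable) by DeviceName
| extend DaysSinceLastEvent = datetime_diff('day', now(), TimeGenerated)
| where DaysSinceLastEvent > threshold_days
| project DeviceName, ['Last Event Time'] = TimeGenerated, ['Last Seen In'] = SourceTable, ['Days Since Last Event'] = DaysSinceLastEvent
| sort by ['Days Since Last Event'] desc
```

Reading the two result sets together is the useful part: a device returned by the original query but absent here is still reporting process, logon or DeviceInfo rows and only its network events have stopped, which points at the network sensor, a proxy or firewall change, or an isolated host rather than a missing machine. A device returned by both has gone quiet entirely and should be checked for decommissioning, a long power-off, or a disabled sensor.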

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceNetworkEvents

Keywords

Devices, DeviceNetworkEvents, TimeGenerated, DeviceName, ['Days Since Last Event'], datetime_diff, now(), ['Last Event Time']

Operators

project, where, summarize, arg_max, datetime_diff, now, sort by
