Query Details

Device Stops Reporting

Query

//Inventory your Devices into a Watchlist making sure MacAddress is one of the columns. Then report when that device is no longer delivering data to Sentinel.
//A device that is "in" the watchlist can never also have an empty DeviceMacAddress, so the silent devices are found by keeping the watchlist entries whose MAC address never appears in the log for the period.

let watchlist = _GetWatchlist("Your Watchlist Alias") | project MacAddress = tolower(MacAddress);
// MAC addresses of every device that did deliver CommonSecurityLog data in the period (TimeGenerated is the table's timestamp column)
let reporting = CommonSecurityLog
| where TimeGenerated between (datetime(2022-04-01) .. datetime(2022-04-30))
| where isnotempty(DeviceMacAddress)
| project MacAddress = tolower(DeviceMacAddress)
| distinct MacAddress;
// Inventoried devices with no matching log record in that window
watchlist
| where MacAddress !in (reporting)

Explanation

This query reads the MacAddress column from an existing watchlist into which the organization's devices have been inventoried. It then restricts CommonSecurityLog to a specific time period (April 2022) and compares the device MAC addresses seen in that period against the watchlist. The result is the set of inventoried devices that delivered no data to Sentinel during that window, i.e. the devices that have stopped reporting.
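The fixed April window above answers "which devices were silent last month"; in day-to-day operations an analyst usually wants a rolling report with the last time each device was heard from. The following KQL is an added example, not the query from the original page: it assumes the same watchlist alias and MacAddress column as above, uses a hypothetical 7-day lookback and a hypothetical 24-hour silence threshold, and goes beyond the page's query by reporting last-seen time, event count and hours of silence per device.

```kusto
// Added example (not from the original page): rolling "last seen" report for
// every inventoried device. Assumes a watchlist aliased "Your Watchlist Alias"
// with a MacAddress column; lookback and silence threshold are assumptions.
let lookback = 7d;
let silence_threshold = 24h;
// Normalise MAC address case so watchlist and log values compare reliably
let watchlist = _GetWatchlist("Your Watchlist Alias")
    | project MacAddress = tolower(MacAddress);
// Most recent record and event volume per device over the lookback window
let last_seen = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DeviceMacAddress)
    | project MacAddress = tolower(DeviceMacAddress), TimeGenerated
    | summarize LastSeen = max(TimeGenerated), Events = count() by MacAddress;
// Left outer join keeps devices that never reported (LastSeen is null for them)
watchlist
| join kind=leftouter last_seen on MacAddress
| extend Events = coalesce(Events, 0),
         HoursSilent = datetime_diff('hour', now(), LastSeen)
| extend Status = case(
    isnull(LastSeen), "never reported in window",
    LastSeen < ago(silence_threshold), "silent beyond threshold",
    "reporting")
| where Status != "reporting"
| project MacAddress, LastSeen, Events, HoursSilent, Status
| order by HoursSilent desc
```

The leftouter join (rather than the !in filter) is what lets the report distinguish a device that went quiet yesterday from one that has not been seen at all in the lookback window; scheduling this as an analytics rule gives a per-device alert with the last-seen timestamp already attached.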

Details

Rod Trent

Released: April 13, 2022

Tables

CommonSecurityLog

Keywords

Inventory,Devices,Watchlist,MacAddress,Report,Data,Sentinel,CommonSecurityLog,CreatedTime,DeviceMacAddress,isempty

Operators

let,project,where,between,datetime,..,in,isempty