Query Details

Heartbeat - No Heartbeat in Timeframe

Query

// Finds computers that haven't sent a heartbeat in the last 30 days
// Data connector required for this query - Heartbeat (created automatically when you onboard machines to Sentinel)
Heartbeat
| where TimeGenerated > ago(365d)
| summarize arg_max(TimeGenerated, *) by Computer
| project
    Computer,
    ['Last Heartbeat']=TimeGenerated,
    ['Days Since Last Heartbeat']=datetime_diff("day", now(), TimeGenerated)
| where ['Days Since Last Heartbeat'] > 30
| sort by ['Days Since Last Heartbeat'] desc

Explanation

This query finds computers that have not sent a heartbeat in the last 30 days. It uses the Heartbeat table in Azure Sentinel, populated by the Heartbeat data connector, to retrieve the necessary information. The query first restricts the data to the last 365 days of TimeGenerated, then uses arg_max to keep the most recent heartbeat row per Computer, calculates the number of days between that heartbeat and now, keeps only computers whose last heartbeat is more than 30 days old, and finally sorts the results in descending order by that number of days. Because the initial filter only considers the last 365 days, a computer whose most recent heartbeat is older than that window will not appear in the results at all.
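As an added example, not part of the original query above, the same detection with the lookback window and staleness threshold pulled into let variables and the last-known agent details kept for triage; it assumes the OSType, Version and ResourceGroup columns of the standard Heartbeat schema.

```kql
// Added example: parameterized version of the stale-heartbeat query
// that also carries the last-known OS, agent version and resource group
// of each computer so that stale hosts can be triaged without a second query.
let lookback = 365d;      // how far back to look for any heartbeat at all
let stale_after = 30;     // days without a heartbeat before a host is reported
Heartbeat
| where TimeGenerated > ago(lookback)
// Keep the most recent heartbeat per Computer, together with the
// OSType, Version and ResourceGroup values from that same row.
| summarize arg_max(TimeGenerated, OSType, Version, ResourceGroup) by Computer
| extend ['Days Since Last Heartbeat'] = datetime_diff("day", now(), TimeGenerated)
| where ['Days Since Last Heartbeat'] > stale_after
| project
    Computer,
    OSType,
    Version,
    ResourceGroup,
    ['Last Heartbeat']=TimeGenerated,
    ['Days Since Last Heartbeat']
| sort by ['Days Since Last Heartbeat'] desc
```

Hosts whose last heartbeat predates the lookback window are still excluded, so lengthen lookback if those are of interest.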

Details


Matt Zorich

Released: June 17, 2022

Tables

Heartbeat

Keywords

Heartbeat, TimeGenerated, Computer, LastHeartbeat, DaysSinceLastHeartbeat

Operators

where, ago, summarize, arg_max, by, project, datetime_diff, now, sort, desc
