Query Details

Heartbeat Stopped Event Reception Domain Controllers

Query

// How often the rule runs and how long a host may be silent before it is reported
let query_frequency = 15m;
let query_wait = 1h;
// Host names of the domain controllers, taken from the watchlist
let _DomainControllers = toscalar(
    _GetWatchlist('Service-PrivateCorporateServices')
    | where Service == "DomainController"
    | summarize make_list(HostName)
);
Heartbeat
// Only consider heartbeats inside the lookback window (query_wait + query_frequency)
| where TimeGenerated > ago(query_wait + query_frequency)
// Keep the most recent heartbeat per machine
| summarize arg_max(TimeGenerated, *) by Category, VMUUID, SourceComputerId
// Restrict to the domain controllers on the watchlist
| where Computer has_any (_DomainControllers)
// Latest heartbeat older than query_wait but inside the lookback window: the host stopped reporting
| where TimeGenerated between (ago(query_frequency + query_wait) .. ago(query_wait))
| project TimeGenerated, Computer, OSType, Version, ComputerEnvironment, Type, Solutions

Explanation

The query builds the list of domain-controller host names from the Service-PrivateCorporateServices watchlist, takes the most recent Heartbeat row per machine (grouped by Category, VMUUID and SourceComputerId) within the last query_wait + query_frequency, keeps only the domain controllers, and returns those whose latest heartbeat fell between query_wait + query_frequency and query_wait ago. A domain controller in the result has therefore sent no heartbeat for at least query_wait (one hour). Because the reporting window is only query_frequency (15 minutes) wide, a controller that went silent is surfaced by a single run when the query is scheduled every query_frequency, rather than on every subsequent run.
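The detection logic modelled in Python over constructed Heartbeat rows, as an added example that is not part of the original query page. It mirrors the KQL steps (window filter, latest heartbeat per machine, watchlist match, stopped-reporting window) so the window semantics can be checked offline; the watchlist entries, host names and timestamps are all constructed, and has_any is approximated with a case-insensitive substring match.

```python
from datetime import datetime, timedelta, timezone

QUERY_FREQUENCY = timedelta(minutes=15)  # query_frequency in the KQL
QUERY_WAIT = timedelta(hours=1)          # query_wait in the KQL

# Constructed stand-in for _GetWatchlist('Service-PrivateCorporateServices')
WATCHLIST = [
    {"HostName": "dc01", "Service": "DomainController"},
    {"HostName": "dc02", "Service": "DomainController"},
    {"HostName": "dc03", "Service": "DomainController"},
    {"HostName": "fs01", "Service": "FileServer"},
]

NOW = datetime(2023, 6, 8, 12, 0, tzinfo=timezone.utc)  # constructed "now"

def hb(computer, minutes_ago, vmuuid):
    """Build one constructed Heartbeat row."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "Computer": computer,
            "Category": "Direct Agent", "VMUUID": vmuuid, "SourceComputerId": vmuuid,
            "OSType": "Windows"}

# Constructed Heartbeat table
HEARTBEATS = [
    hb("dc01.corp.example", 65, "uuid-dc01"),   # silent for 65 min: should be reported
    hb("dc02.corp.example", 70, "uuid-dc02"),
    hb("dc02.corp.example", 5, "uuid-dc02"),    # latest is 5 min ago: healthy
    hb("dc03.corp.example", 180, "uuid-dc03"),  # silent 3 h: outside lookback, already reported earlier
    hb("fs01.corp.example", 65, "uuid-fs01"),   # silent, but not a domain controller
]

def domain_controllers(watchlist):
    """Equivalent of the _DomainControllers list."""
    return [w["HostName"] for w in watchlist if w["Service"] == "DomainController"]

def stopped_heartbeats(heartbeats, dcs, now, query_frequency=QUERY_FREQUENCY, query_wait=QUERY_WAIT):
    """Return domain controllers whose latest heartbeat is older than query_wait
    but still inside the lookback window of query_wait + query_frequency."""
    lookback = now - (query_wait + query_frequency)
    cutoff = now - query_wait
    # where TimeGenerated > ago(query_wait + query_frequency)
    recent = [h for h in heartbeats if h["TimeGenerated"] > lookback]
    # summarize arg_max(TimeGenerated, *) by Category, VMUUID, SourceComputerId
    latest = {}
    for h in recent:
        key = (h["Category"], h["VMUUID"], h["SourceComputerId"])
        if key not in latest or h["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = h
    results = []
    for h in latest.values():
        # where Computer has_any (_DomainControllers), approximated as substring match
        if not any(dc.lower() in h["Computer"].lower() for dc in dcs):
            continue
        # where TimeGenerated between (ago(query_frequency + query_wait) .. ago(query_wait))
        if lookback <= h["TimeGenerated"] <= cutoff:
            results.append({k: h[k] for k in ("TimeGenerated", "Computer", "OSType")})
    return sorted(results, key=lambda r: r["Computer"])

if __name__ == "__main__":
    for row in stopped_heartbeats(HEARTBEATS, domain_controllers(WATCHLIST), NOW):
        print(row["Computer"], "last heartbeat", row["TimeGenerated"].isoformat())
```

Running it reports only dc01: dc02 is healthy, fs01 is not on the domain-controller list, and dc03 fell silent so long ago that it is outside the lookback window, which is exactly how the 15-minute reporting window avoids re-alerting on every run.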

Details

Jose Sebastián Canós

Released: June 8, 2023

Tables

Heartbeat

Keywords

Devices, Intune, User

Operators

where, summarize, arg_max, by, has_any, between, project