Query Details

Sec Events Find Devices No Longer Sending Logs

Query

//Find computers that have not sent any security events for over an hour

//Data connector required for this query - Windows Security Events via AMA or Security Events via Legacy Agent

SecurityEvent
| where TimeGenerated > ago(1d)
| summarize ['Last Record Received'] = datetime_diff("minute", now(), max(TimeGenerated)) by Computer
| project Computer, ['Last Record Received']
| where ['Last Record Received'] >= 60
| order by ['Last Record Received'] desc

Explanation

This query looks for computers that have not sent any security events for more than an hour. It reads the SecurityEvent table, which is populated by the Windows Security Events data connector, and keeps only events generated in the last day. For each computer it then calculates the difference in minutes between the current time and that computer's latest event, and selects the computer name and the time difference as the output. Finally, it keeps only computers whose time difference is 60 minutes or more and orders them by the time difference in descending order.
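One caveat worth checking before relying on this query: because the lookback is only one day, a computer that stopped reporting more than a day ago has no rows in the window at all and silently drops out of the result. The variant below is an added example, not part of the original query, that builds a baseline of computers seen in the last 14 days and flags every one with no security event in the last hour, however long it has been quiet. The 14d baseline and 1h threshold are assumed values to tune for the environment.

```kql
// Added example, not part of the original query.
// Baseline of known reporters over 14 days, compared against the last hour of
// activity, so hosts silent for longer than the original 1d window still appear.
let baseline = 14d;   // assumed: how far back a computer counts as "known"
let threshold = 1h;   // assumed: how long without events counts as silent
let recent = SecurityEvent
    | where TimeGenerated > ago(threshold)
    | distinct Computer;
SecurityEvent
| where TimeGenerated > ago(baseline)
| summarize ['Last Record Received'] = max(TimeGenerated),
            ['Events In Baseline'] = count() by Computer
// leftanti keeps only computers that do NOT appear in the last-hour set
| join kind=leftanti recent on Computer
| extend ['Minutes Silent'] = datetime_diff("minute", now(), ['Last Record Received'])
| project Computer, ['Last Record Received'], ['Minutes Silent'], ['Events In Baseline']
| order by ['Minutes Silent'] desc
```

The ['Events In Baseline'] column helps separate a decommissioned host with a handful of old events from a busy server that has unexpectedly gone quiet.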

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityEvent

Keywords

Computers, SecurityEvents

Operators

where, ago, summarize, datetime_diff, now, max, by, project, order by, desc