Query Details

Computers Not Reporting

Query

// Computers Not Sending Security Events
// Finds servers/workstations that have not sent any SecurityEvent for over 1 hour.
// Indicates broken agents, offline machines, or disabled audit policies.
// The lookback is 7d rather than 1d on purpose: with a 1d window a host that went
// quiet more than a day ago drops out of the result set entirely (the where filter
// removes every one of its rows), so the CRITICAL (>24h) tier could never fire.
// =====================================================================

SecurityEvent
| where TimeGenerated > ago(7d)
// minutes since the newest event per host; ingestion latency counts as silence here
| summarize ['Last Record Received'] = datetime_diff("minute", now(), max(TimeGenerated)) by Computer
| where ['Last Record Received'] >= 60
| extend 
    SilentHours = round(toreal(['Last Record Received']) / 60.0, 1),
    Severity = case(
        ['Last Record Received'] >= 1440, "CRITICAL: >24h silent",
        ['Last Record Received'] >= 480, "HIGH: >8h silent",
        ['Last Record Received'] >= 120, "MEDIUM: >2h silent",
        "LOW: >1h silent"
    )
| project Computer, ['Last Record Received'], SilentHours, Severity
| order by ['Last Record Received'] desc

Explanation

This query identifies computers (servers or workstations) that have not sent any SecurityEvent record for an hour or more. Silence of this kind usually means a broken or stopped monitoring agent, a machine that is offline, or an audit policy that has been disabled so that nothing is generated to forward. Here's a simple breakdown of what the query does:

  1. Filter Recent Events: It starts by restricting the scan to a lookback window. The window must be longer than the longest severity threshold (24 hours): a host whose last event predates the window does not appear in the results at all, so it is never flagged, and with a 1-day window the CRITICAL tier could never fire.

  2. Calculate Silence Duration: For each computer, it takes the timestamp of the most recent event and computes how many minutes have passed since then. This uses TimeGenerated, so ingestion latency counts as silence; a host can look a few minutes quieter than it really is.

  3. Identify Silent Computers: It keeps only computers whose last event is 60 minutes old or older.

  4. Calculate Silent Hours: It converts the silence duration from minutes to hours and rounds it to one decimal place.

  5. Assign Severity Levels: Based on how long a computer has been silent, it assigns a severity level:

    • "CRITICAL" if silent for 24 hours or more.
    • "HIGH" if silent for 8 hours or more.
    • "MEDIUM" if silent for 2 hours or more.
    • "LOW" if silent for 1 hour or more.
  6. Display and Sort Results: Finally, it displays the computer name, silence duration in minutes and hours, and severity level, sorting the results by the silence duration in descending order.

This helps in quickly identifying and prioritizing machines that may need attention due to their lack of security event reporting.
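The query above tells you that a host is silent but not why. The following is an added example, not part of the original query, that separates the three causes the explanation lists by joining the last SecurityEvent per host against the last Heartbeat per host. It assumes the Heartbeat table is populated by the same agents (MMA or AMA) that forward SecurityEvent and that both tables use the same Computer name; the names lookback, silence_threshold, lastSec, lastHb, LikelyCause and the other column aliases are introduced here and are not from the original page.

```kql
// Added example: classify silent hosts by likely cause using Heartbeat.
// Assumes Heartbeat is collected by the same agent that sends SecurityEvent
// and that Computer is spelled identically in both tables (assumption).
let lookback = 7d;            // baseline window: hosts seen at least once in this period
let silence_threshold = 60;   // minutes without a SecurityEvent before a host is flagged
let lastSec = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | summarize LastSecurityEvent = max(TimeGenerated) by Computer;
let lastHb = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
lastSec
// leftouter keeps hosts that have no Heartbeat rows at all; LastHeartbeat is null for them
| join kind=leftouter lastHb on Computer
| extend
    SecSilentMin = datetime_diff("minute", now(), LastSecurityEvent),
    HbSilentMin  = datetime_diff("minute", now(), LastHeartbeat)   // null when LastHeartbeat is null
| where SecSilentMin >= silence_threshold
| extend LikelyCause = case(
    isnull(LastHeartbeat), "Unknown: host has no Heartbeat rows in the lookback window",
    HbSilentMin >= silence_threshold, "Offline or agent stopped: Heartbeat is silent too",
    "Agent alive but no SecurityEvent: check audit policy / data collection rule"
)
| extend Severity = case(
    SecSilentMin >= 1440, "CRITICAL: >24h silent",
    SecSilentMin >= 480,  "HIGH: >8h silent",
    SecSilentMin >= 120,  "MEDIUM: >2h silent",
    "LOW: >1h silent"
)
| project Computer, LastSecurityEvent, LastHeartbeat, SecSilentMin, HbSilentMin, LikelyCause, Severity
| order by SecSilentMin desc
```

The interesting rows are the ones where the agent is still heartbeating but no SecurityEvent has arrived: that is the signature of an audit policy or data collection rule that was changed or removed, which is a very different ticket from a machine that is simply powered off. If your Heartbeat rows carry the FQDN while SecurityEvent carries the short host name, normalise Computer (for example with tolower() and a split on ".") in both let statements before the join, otherwise every host lands in the "Unknown" bucket.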

Details


David Alonso

Released: April 8, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Computer, TimeGenerated, SilentHours, Severity

Operators

ago(), summarize, datetime_diff(), max(), project, where, extend, round(), toreal(), case(), order by
