KQL Search

Query Details

Device Last Seen

Query

# Device last seen

## Description

The following query check the "last seen" field and returnd when it was last connected.

### Microsoft 365 Defender & Microsoft Sentinel
```
DeviceInfo
| where DeviceName has "[insert devicename here]"
| extend LastSeen = Timestamp
| where Timestamp >= ago(1h)
| summarize LastSeen = arg_max(Timestamp, *) by DeviceId
| project LastSeen, DeviceId, DeviceName
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 28/02/2022    | Initial publish                        |
| 1.1           | 23/05/2023    | Transformed to template, minor changes |

Explanation

This query checks the "last seen" field of a device and returns the timestamp when it was last connected. It filters the results based on the device name and the timestamp within the last hour. The query then summarizes the results by selecting the latest timestamp for each device and projects the last seen timestamp, device ID, and device name.

Details

Michalis Michalos

Released: August 14, 2023

Tables

DeviceInfo

Keywords

Device,LastSeen,DeviceInfo,DeviceName,Timestamp,ago,summarize,arg_max,DeviceId,project

Operators

whereextendagosummarizearg_maxbyproject

KQL Search

Device Last Seen

Query

Explanation

Details

Actions