Forum Discussion
MoAlom
Mar 10, 2021, Copper Contributor
Microsoft Defender Security Center (ATP) - Alerts
Hi All, Is there a way for us to get alerted from MS Security Center (ATP) if a device (Server) has not been seen online for more than 24hrs? I have intentionally onboarded a server to ATP an...
edinili84
Mar 11, 2021, Brass Contributor
The device won't show as Inactive until it has been offline for the last 7 days but it should show as Misconfigured due to No Sensor Data or Impaired Communications.
You can create Custom Detection Rules based on advanced hunting queries to generate alerts.
https://docs.microsoft.com/en-gb/microsoft-365/security/mtp/custom-detections-overview?view=o365-worldwide
The DeviceTvmSecureConfigurationAssessment schema table has a column named ConfigurationId where you can check for ImpairedCommunications and Sensor Enabled amongst other values.
Take a look at this sample query for more info:
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/Endpoint%20Agent%20Health%20Status%20Report.md
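An added advanced hunting query putting the answer above into practice (this is not from the thread and not Microsoft's sample query): it lists onboarded devices whose sensor has sent no DeviceInfo record in the last 24 hours and attaches any failed agent-health configuration checks from DeviceTvmSecureConfigurationAssessment, resolving ConfigurationId to a readable name through the DeviceTvmSecureConfigurationAssessmentKB table. The 30-day window, the 24-hour threshold and the name filters are assumptions chosen for this example; column names are taken from the current advanced hunting schema and should be checked against the schema reference in your tenant.

```kusto
// Added example, not from the original thread. Assumed: current advanced
// hunting schema (DeviceInfo, DeviceTvmSecureConfigurationAssessment,
// DeviceTvmSecureConfigurationAssessmentKB); lookback and threshold are
// choices for this example, not product defaults.
let lookback  = 30d;   // how far back to look for a device's last heartbeat
let threshold = 24h;   // "not seen" threshold asked for in the question
// Last DeviceInfo record per onboarded device, kept only if older than threshold.
// Timestamp, ReportId and DeviceId are retained because a custom detection
// rule requires those columns in its result set.
let LastSeen =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, DeviceName, ReportId) by DeviceId
    | where Timestamp < ago(threshold);
// Non-compliant agent-health checks per device. The KB join turns the opaque
// ConfigurationId into its ConfigurationName so the filter is self-explanatory.
let AgentHealth =
    DeviceTvmSecureConfigurationAssessment
    | join kind=inner (
        DeviceTvmSecureConfigurationAssessmentKB
        | project ConfigurationId, ConfigurationName
      ) on ConfigurationId
    | where ConfigurationName contains "communication"   // e.g. impaired communications
         or ConfigurationName has "Sensor"               // e.g. sensor enabled / data collection
    | where IsCompliant == false
    | summarize FailedChecks = make_set(ConfigurationName) by DeviceId;
LastSeen
| join kind=leftouter AgentHealth on DeviceId
| project Timestamp, ReportId, DeviceId, DeviceName,
          HoursSinceLastReport = datetime_diff('hour', now(), Timestamp),
          FailedChecks
| order by HoursSinceLastReport desc
```

Run it ad hoc in Advanced hunting first and compare the rows with the device page's health status. Before saving it as a custom detection rule, note that an offline device emits no new rows, so the only Timestamp available is the stale one; check how the rule's schedule and lookback treat results whose Timestamp is older than the run interval, otherwise the rule may never fire for exactly the devices you care about.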