This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 15%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKP%3C/text%3E%3C/svg%3E)
Hi All,
Need your suggestion and support please
We have Defender for endpoint, VIP devices are tagged as HIGH value assets under "Device Value" settings. Now i want to run advanced hunting queries which pulls "High" tagged devices with below parameters and create alerts. Please suggest
DeviceNetworkEvents,
DeviceLogonEvents
DeviceProcessEvents
Managing and enforcing security policies for devices and apps to protect organizational data through Intune
A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@karthik palani Thank you for reaching out to us, just check the below query if it helps to achieve your ask.
let HVdev = (DeviceInfo
| where AssetValue == "High" | summarize arg_max(Timestamp,*) by DeviceId);
DeviceNetworkEvents
| join kind=leftsemi HVdev on DeviceId
Let me know if you have any further questions, feel free to post back.
I adapted your query but do not get results what is wrong here?
let Highassets = DeviceInfo | where AssetValue == "High" | summarize arg_max(Timestamp,*) by DeviceId;
DeviceNetworkEvents
| where RemotePort == "3389"
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName != "Microsoft.Tri.Sensor.exe"
| join kind=leftsemi Highassets on DeviceId