Sentinel - KQL for High tags

karthik palani 1,011 Reputation points
2023-08-30T06:30:10.7366667+00:00

Hi All,

Need your suggestion and support please

We have Defender for endpoint, VIP devices are tagged as HIGH value assets under "Device Value" settings. Now i want to run advanced hunting queries which pulls "High" tagged devices with below parameters and create alerts. Please suggest

DeviceNetworkEvents,

DeviceLogonEvents

DeviceProcessEvents

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,489 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
165 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
795 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Givary-MSFT 19,621 Reputation points Microsoft Employee
    2023-08-31T06:49:56.44+00:00

    @karthik palani Thank you for reaching out to us, just check the below query if it helps to achieve your ask. 

    let HVdev = (DeviceInfo
| where AssetValue == "High" | summarize arg_max(Timestamp,*) by DeviceId);
DeviceNetworkEvents
| join kind=leftsemi HVdev on DeviceId

    Let me know if you have any further questions, feel free to post back.

    0 comments