Running a Kusto query to find servers not reporting in ATP for more than 24 hours does not provide correct information
I am trying to get the servers that have not reported in ATP for more than 24 hours. I run the query below, but the data I get back is incorrect:
DeviceInfo
| where isnotnull(OSBuild)
| summarize last_seen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, OSBuild
| project last_seen, DeviceId, DeviceName, OSPlatform, OSBuild
| where OSPlatform contains "server" //added this line to filter for servers only
| where last_seen > ago(24h)
| sort by last_seen asc
The query result shows not only devices with yesterday's timestamp but also today's...
[Screenshot: running the query in Defender ATP Advanced Hunting]
You should change:
| where last_seen > ago(24h)
to
| where last_seen < ago(24h)
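As an added example (not part of the original question or answer), here is the corrected query written out in full, extended to report how many hours each server has been silent. The 30-day lookback is an assumption; note that the staleness condition must stay after the summarize, because a `where Timestamp < ago(24h)` placed before it would also match devices that reported again more recently.

```kusto
// Added example: stale-server report for Defender ATP Advanced Hunting.
// Assumption: a 30-day lookback window bounds the scan; adjust to your retention.
DeviceInfo
| where Timestamp > ago(30d)              // bound the scan only; the 24h test does NOT go here
| where isnotnull(OSBuild)
| where OSPlatform contains "server"      // same server filter as the question's query
| summarize last_seen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, OSBuild
| where last_seen < ago(24h)              // stale: the newest report is older than 24 hours
| extend hours_silent = datetime_diff('hour', now(), last_seen)
| project DeviceName, OSPlatform, OSBuild, last_seen, hours_silent
| sort by last_seen asc                   // longest-silent servers first
```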