Queries for the ProtectionStatus table

[アーティクル]
09/17/2024

For information on using these queries in the Azure portal, see Log Analytics tutorial. For the REST API, see Query.

Signatures out of date

Devices with Signatures out of date.

// To create an alert for this query, click '+ New alert rule'
ProtectionStatus
| summarize Rank = max(ProtectionStatusRank) by Computer, _ResourceId
| where Rank == "250"

Protection Status updates

Protection Status updates per day.

// To create an alert for this query, click '+ New alert rule'
ProtectionStatus
| summarize AggregatedValue = count(ScanDate) by bin(TimeGenerated, 1d), Computer, _ResourceId
| sort by TimeGenerated desc

Malware detection

Malware detected grouped by threat.

// To create an alert for this query, click '+ New alert rule'
ProtectionStatus
| where ThreatStatus != "No threats detected" 
| summarize AggregatedValue = count() by Threat, Computer, _ResourceId