Defender for Endpoint Telemetry.csl

microsoft · Oct 13, 2020 · dd9b456 · dd9b456
1 parent fade343
commit dd9b456
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/Network/Defender for Endpoint Telemetry.csl b/Network/Defender for Endpoint Telemetry.csl
@@ -0,0 +1,16 @@
+// View Defender for Endpoint telemetry URLs and their connection status, view trendline over 30 days
+// use to investigate possible telemetry and/or connectivity issues
+// jesse.esquivel@microsoft.com
+let TargetURLs = dynamic(['winatp-gw-cus.microsoft.com', 'winatp-gw-eus.microsoft.com', 'winatp-gw-weu.microsoft.com',
+    'winatp-gw-neu.microsoft.com', 'winatp-gw-uks.microsoft.com', 'winatp-gw-ukw.microsoft.com', 'winatp-gw-usgv.microsoft.com',
+    'winatp-gw-usgt.microsoft.com', 'eu.vortex-win.data.microsoft.com', 'us.vortex-win.data.microsoft.com',
+    'uk.vortex-win.data.microsoft.com', 'events.data.microsoft.com', 'settings-win.data.microsoft.com', 'eu-v20.events.data.microsoft.com',
+    'uk-v20.events.data.microsoft.com', 'us-v20.events.data.microsoft.com', 'us4-v20.events.data.microsoft.com',
+    'us5-v20.events.data.microsoft.com', 'ctldl.windowsupdate.com']);
+DeviceNetworkEvents
+//scope here by MachineGroup, etc.
+| where isnotempty(RemoteUrl)
+| extend Domain = case(RemoteUrl contains "//", parse_url(RemoteUrl).Host, RemoteUrl)
+| where Domain in(TargetURLs)
+| summarize Connections = dcount(DeviceId) by ActionType, bin(Timestamp, 1d)
+| render linechart