Devices that stay up for unusually long stretches, visible as an unbroken series of periodic DeviceInfo uploads, may point to persistent network activity or hidden malware keeping the system running. SOC teams should proactively hunt for this behaviour to find long-running adversaries that evade detection by keeping their activity on the host steady and unobtrusive.
KQL Query
DeviceInfo
| order by DeviceId, Timestamp desc
| extend FinalSignal = (prev(DeviceId,1) != DeviceId) or (prev(LoggedOnUsers,1) != LoggedOnUsers) or (prev(Timestamp,1,now(1d)) - Timestamp > 16m)
| extend StartSignal = (next(DeviceId,1) != DeviceId) or (next(LoggedOnUsers,1) != LoggedOnUsers) or (Timestamp - next(Timestamp,1,0) > 16m)
| where FinalSignal or StartSignal
| extend LastTimestamp=iff(FinalSignal,Timestamp,prev(Timestamp,1))
| where StartSignal
| extend ParsedFields=parse_json(LoggedOnUsers)[0]
| extend DurationAtLeast= format_timespan(LastTimestamp-Timestamp,'dd.hh:mm:ss')
| project Timestamp,LastTimestamp,DurationAtLeast,DeviceName,DomainName=ParsedFields.DomainName,UserName=ParsedFields.UserName
id: 2fe0bb17-2e2e-407f-b82e-baf16161196a
name: Device uptime calculation
description: |
  This query calculates device uptime from the periodic DeviceInfo record, which is written every 15 minutes regardless of the device's network connectivity and uploaded once the device comes online. If the interval between two records exceeds 16 minutes, the device is considered to have been turned off. The calculated uptime carries up to 30 minutes of uncertainty: the device may have been turned on up to 15 minutes before "Timestamp" and turned off up to 15 minutes after "LastTimestamp". When a single DeviceInfo record is seen with no neighbouring record within 16 minutes before or after it, "DurationAtLeast" is displayed as "00.00:00:00".
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics:
  - Initial access
  - Persistence
  - Command and control
query: |
  DeviceInfo
  | order by DeviceId, Timestamp desc
  | extend FinalSignal = (prev(DeviceId,1) != DeviceId) or (prev(LoggedOnUsers,1) != LoggedOnUsers) or (prev(Timestamp,1,now(1d)) - Timestamp > 16m)
  | extend StartSignal = (next(DeviceId,1) != DeviceId) or (next(LoggedOnUsers,1) != LoggedOnUsers) or (Timestamp - next(Timestamp,1,0) > 16m)
  | where FinalSignal or StartSignal
  | extend LastTimestamp=iff(FinalSignal,Timestamp,prev(Timestamp,1))
  | where StartSignal
  | extend ParsedFields=parse_json(LoggedOnUsers)[0]
  | extend DurationAtLeast= format_timespan(LastTimestamp-Timestamp,'dd.hh:mm:ss')
  | project Timestamp,LastTimestamp,DurationAtLeast,DeviceName,DomainName=ParsedFields.DomainName,UserName=ParsedFields.UserName
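The session logic the description explains (a new session whenever DeviceId changes, LoggedOnUsers changes, or two heartbeats are more than 16 minutes apart, with DurationAtLeast formatted as dd.hh:mm:ss) is easier to reason about on a handful of rows than inside prev()/next(). The following is an added example, written for this page and not part of the hunting query or the Azure Sentinel repository: a Python re-implementation of that logic run over constructed DeviceInfo rows. It uses the real DeviceInfo column names; the rows, the user names, the 48-hour server and the maintenance-window exclusion list (standing in for the device_group / maintenance_schedule fields the false-positive notes below suggest) are all constructed for the example. It also covers the edge cases the description calls out: a lone heartbeat yields 00.00:00:00, and a logon change splits a session even without a time gap.

```python
# Added example: Python re-implementation of the "Device uptime calculation"
# session logic over constructed DeviceInfo rows. Not the query's own code.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

GAP = timedelta(minutes=16)  # heartbeats arrive every 15 min; a larger gap means the device was off


@dataclass
class Session:
    DeviceName: str
    DomainName: str
    UserName: str
    Timestamp: datetime      # first heartbeat (device may have been on up to 15 min earlier)
    LastTimestamp: datetime  # last heartbeat (device may have stayed on up to 15 min later)

    def duration_at_least(self) -> str:
        """Mirror format_timespan(LastTimestamp - Timestamp, 'dd.hh:mm:ss')."""
        total = int((self.LastTimestamp - self.Timestamp).total_seconds())
        days, rem = divmod(total, 86400)
        hours, rem = divmod(rem, 3600)
        minutes, seconds = divmod(rem, 60)
        return f"{days:02d}.{hours:02d}:{minutes:02d}:{seconds:02d}"


def sessions(rows):
    """Split DeviceInfo rows into uptime sessions.

    A boundary is a change of DeviceId, a change of LoggedOnUsers, or a gap of
    more than GAP since the previous heartbeat: the same three conditions the
    query's StartSignal/FinalSignal columns test with prev()/next().
    """
    ordered = sorted(rows, key=lambda r: (r["DeviceId"], r["Timestamp"]))
    out, current, prev = [], None, None
    for r in ordered:
        boundary = (prev is None
                    or prev["DeviceId"] != r["DeviceId"]
                    or prev["LoggedOnUsers"] != r["LoggedOnUsers"]
                    or r["Timestamp"] - prev["Timestamp"] > GAP)
        if boundary:
            if current is not None:
                out.append(current)
            first = (json.loads(r["LoggedOnUsers"]) or [{}])[0]  # parse_json(LoggedOnUsers)[0]
            current = Session(r["DeviceName"], first.get("DomainName", ""),
                              first.get("UserName", ""), r["Timestamp"], r["Timestamp"])
        else:
            current.LastTimestamp = r["Timestamp"]
        prev = r
    if current is not None:
        out.append(current)
    return out


def long_sessions(rows, min_minutes, maintenance_devices=frozenset()):
    """Hunting view: sessions at least min_minutes long, skipping devices that sit in
    a known maintenance window (constructed list; assumption standing in for the
    device_group / maintenance_schedule fields mentioned in the false-positive notes)."""
    floor = timedelta(minutes=min_minutes)
    return [s for s in sessions(rows)
            if s.DeviceName not in maintenance_devices
            and s.LastTimestamp - s.Timestamp >= floor]


def _row(device_id, name, ts, user):
    """Build one constructed DeviceInfo row; LoggedOnUsers is a JSON string as in the table."""
    users = [] if user is None else [{"DomainName": "CORP", "UserName": user}]
    return {"DeviceId": device_id, "DeviceName": name,
            "Timestamp": datetime.fromisoformat(ts), "LoggedOnUsers": json.dumps(users)}


_T0 = datetime(2024, 5, 1)
SAMPLE_ROWS = [  # constructed heartbeats, deliberately not in time order
    _row("dev-a", "WS-A", "2024-05-01T08:45:00", "alice"),
    _row("dev-a", "WS-A", "2024-05-01T08:00:00", "alice"),
    _row("dev-a", "WS-A", "2024-05-01T08:15:00", "alice"),
    _row("dev-a", "WS-A", "2024-05-01T08:30:00", "alice"),
    _row("dev-a", "WS-A", "2024-05-01T10:00:00", "alice"),  # lone heartbeat -> 00.00:00:00
    _row("dev-a", "WS-A", "2024-05-01T12:00:00", "alice"),
    _row("dev-a", "WS-A", "2024-05-01T12:15:00", "bob"),    # logon change splits the session
    _row("dev-a", "WS-A", "2024-05-01T12:30:00", "bob"),
] + [  # a server with no interactive user, up continuously for 48 hours
    _row("dev-b", "SRV-B", (_T0 + i * timedelta(minutes=15)).isoformat(), None)
    for i in range(193)
]

if __name__ == "__main__":
    for s in sessions(SAMPLE_ROWS):
        print(s.Timestamp, s.LastTimestamp, s.duration_at_least(),
              s.DeviceName, s.DomainName, s.UserName)
    print("up for a day or more:", [s.DeviceName for s in long_sessions(SAMPLE_ROWS, 24 * 60)])
```

Running the script lists five sessions for the constructed rows: WS-A for 45 minutes under alice, two zero-length sessions (the lone 10:00 heartbeat, and alice's single 12:00 heartbeat before bob logs on), bob's 15-minute session, and SRV-B at 02.00:00:00. Only SRV-B passes the one-day threshold, and it drops out once it is listed in the maintenance-window set, which is the shape of exclusion the scenarios below describe.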
Scenario: Scheduled System Maintenance or Patching
Description: A system administrator performs a scheduled maintenance task (e.g., using task scheduler or Ansible) that temporarily restarts devices, causing a spike in uptime calculation.
Filter/Exclusion: Exclude devices that are part of a known maintenance window using a field like device_group or maintenance_schedule.
Scenario: Automated Backup Jobs
Description: A backup tool like Veeam or Commvault runs a full backup job that causes the device to reboot or reset its uptime counter.
Filter/Exclusion: Exclude devices running backup jobs using a field like backup_job_name or backup_tool.
Scenario: Device Reboot for OS Updates
Description: A device reboots as part of a Windows Update or Linux package update (e.g., using WSUS, yum, or apt), which resets the uptime counter.
Filter/Exclusion: Exclude devices that have a system_update flag set or are part of an update schedule.
Scenario: Network Device Polling by Monitoring Tools
Description: A network monitoring tool like SolarWinds or PRTG polls a device and temporarily resets its uptime counter due to a polling mechanism.
Filter/Exclusion: Exclude devices that are being actively monitored by such tools using a field like monitoring_tool or polling_interval.
Scenario: Virtual Machine Snapshot or Clone
Description: A virtual machine (VM) is cloned or a snapshot is taken using tools like VMware vSphere, Hyper-V, or Vagrant, which can reset the uptime counter.
Filter/Exclusion: Exclude VMs that are part of a cloning or snapshot process using a field like vm_state or snapshot_flag.