AMA vs Defender Coverage Workbook

With detection, coverage monitoring is crucial. This Microsoft Sentinel Workbook provides visibility into Microsoft Defender for Endpoint (MDE)–managed devices and their telemetry coverage within Sentinel. It helps security and operations teams verify that devices are properly configured for comprehensive monitoring by checking:

- Azure Monitor Agent (AMA) installation status
- SecurityEvent log ingestion into Sentinel (Windows)
- Syslog log ingestion into Sentinel (Linux)
- Last heartbeat and log timestamps for freshness

By correlating data from the DeviceInfo, Heartbeat, and SecurityEvent/Syslog tables, the workbook identifies configuration gaps and supports remediation efforts.

Note: This workbook assumes Microsoft Defender XDR data is ingested into Sentinel. Without ingestion, device name normalization and correlation may be inconsistent. To work around that, copy the KQL query from the GitHub page and run it in Advanced Hunting in the Defender portal.

submitted by /u/LookExternal3248
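The correlation the post describes (MDE-onboarded devices from DeviceInfo, joined to the latest AMA Heartbeat and the latest SecurityEvent or Syslog row per host) can be expressed as a single Sentinel KQL query. The query below is an added example written for this page, not the workbook's own query from the GitHub repository. It uses the standard Sentinel schemas for DeviceInfo, Heartbeat, SecurityEvent and Syslog; the 7-day lookback, the 1-hour heartbeat and 24-hour log staleness thresholds, and the hostname normalization (lowercase, domain suffix stripped, so that DeviceInfo's FQDN matches Heartbeat's Computer) are assumptions you should adjust to your environment.

```kql
// Added example: MDE-managed devices vs AMA heartbeat and log freshness.
// Not the workbook's own query. Thresholds and the hostname
// normalization are assumptions; table/column names are the
// standard Sentinel schemas.
let lookback = 7d;
let heartbeatStale = 1h;
let logStale = 24h;
// Assumed normalization: lowercase short hostname, so "srv01.corp.local"
// (DeviceInfo) and "SRV01" (Heartbeat) correlate. Adjust if your
// agents report FQDNs consistently.
let normalize = (name: string) { tolower(tostring(split(name, ".")[0])) };
// 1. Devices MDE reports as onboarded (DeviceInfo requires the Defender XDR connector).
let mdeDevices = DeviceInfo
    | where Timestamp > ago(lookback)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, OSPlatform) by DeviceName
    | project Host = normalize(DeviceName), DeviceName, OSPlatform, LastSeenMDE = Timestamp;
// 2. Latest Azure Monitor Agent heartbeat per host (legacy MMA heartbeats are excluded).
let amaHeartbeats = Heartbeat
    | where TimeGenerated > ago(lookback)
    | where Category == "Azure Monitor Agent"
    | summarize LastHeartbeat = max(TimeGenerated) by Host = normalize(Computer);
// 3. Latest SecurityEvent (Windows) or Syslog (Linux) row per host.
let lastLogs = union
    (SecurityEvent | where TimeGenerated > ago(lookback) | project TimeGenerated, Computer, Source = "SecurityEvent"),
    (Syslog        | where TimeGenerated > ago(lookback) | project TimeGenerated, Computer, Source = "Syslog")
    | summarize arg_max(TimeGenerated, Source) by Host = normalize(Computer)
    | project Host, LastLog = TimeGenerated, LogSource = Source;
// 4. Correlate and classify the gap. leftouter keeps every MDE device, so a
//    device with no heartbeat or no logs still appears with a null on that side.
mdeDevices
| join kind=leftouter amaHeartbeats on Host
| join kind=leftouter lastLogs on Host
| extend
    AmaInstalled   = isnotnull(LastHeartbeat),
    HeartbeatFresh = LastHeartbeat > ago(heartbeatStale),
    LogsFresh      = LastLog > ago(logStale),
    ExpectedSource = iff(OSPlatform startswith "Windows", "SecurityEvent", "Syslog")
// Order matters: the null checks come first so that the null comparisons
// produced by missing joins never reach the freshness branches.
| extend Gap = case(
    not(AmaInstalled),   "AMA not reporting (no Heartbeat)",
    not(HeartbeatFresh), "AMA heartbeat stale",
    isnull(LastLog),     strcat("No ", ExpectedSource, " ingested"),
    not(LogsFresh),      strcat(ExpectedSource, " ingestion stale"),
                         "OK")
| project DeviceName, OSPlatform, LastSeenMDE, LastHeartbeat, LastLog, LogSource, Gap
| order by Gap asc, DeviceName asc
```

Run it from the Sentinel Logs blade (it will not run unchanged in Advanced Hunting, where Heartbeat, SecurityEvent and Syslog are not available); every row whose Gap is not "OK" is a device MDE knows about but Sentinel is not receiving host logs from. If your DeviceInfo and Heartbeat names do not line up after normalization, that mismatch is itself the first gap to fix, since every downstream join depends on it.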