Kapildev_C
Copper Contributor
Dec 12, 2023

Advanced Hunting Query - Endpoint Security

Hi,
I'm using the below Advanced Hunting query to find the domain details of the machine. Unfortunately, I'm not getting any results for Hybrid Azure AD Join machines. Could someone please help? It gives results only for AAD Joined and AAD Registered.


Query:

DeviceInfo
| where DeviceName in ("XXX", "YYY", "ZZZ")
| project DeviceName, JoinType
| summarize make_set(JoinType) by DeviceName

For example:
If the device "XXX" is an AAD registered machine, "YYY" is AAD joined, and "ZZZ" is Hybrid Azure AD joined, I'm getting results for XXX and YYY. "ZZZ machine" results are not shown.

  • Hi @Kapildev_C, try filtering only by "ZZZ" or just by the join type as "Hybrid Azure AD joined" and see if you get any output. If you can see the results from this, I think you should try summarizing by 'Join Type' and make sets of device names (suggesting this since I am not sure of your use case). If not, then most probably, the join status is either not replicated to MDE or the machine is indeed not hybrid AD joined.

    • Kapildev_C
      Copper Contributor

      Hi Yash_Mudaliar 

      Thanks for the response. When I run the query only for the machine "ZZZ" I'm getting results and showing 'Join Type' as 'Hybrid Azure AD Join'.

      But when I use "in" instead of "contains" to get results for multiple devices, it's not even showing the name of Hybrid Azure AD Joined machines. Screenshot attached fyr.

      Query used for ZZZ machine (single machine):

      DeviceInfo
      | where DeviceName contains "ZZZ"
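
An added example, not part of the thread: `in` compares the whole string exactly, while `contains` matches substrings, so a device reported under a longer name is found by `contains` and missed by `in`. The query below assumes the hybrid-joined machine is reported with a domain suffix; the sample rows, the `corp.example` domain and the `ZZZ-LAB` device are constructed for illustration.

```kql
// Constructed sample rows standing in for DeviceInfo (names and domain are made up).
// Assumption: the hybrid-joined device is reported with a domain suffix.
let wanted = dynamic(["XXX", "YYY", "ZZZ"]);
datatable(DeviceName:string, JoinType:string)
[
    "XXX",                  "AAD registered",
    "YYY",                  "AAD joined",
    "ZZZ.corp.example",     "Hybrid Azure AD Join",
    "ZZZ-LAB.corp.example", "Hybrid Azure AD Join"   // deliberately not in the wanted list
]
// Host part of the reported name: everything before the first dot.
| extend ShortName = tostring(split(DeviceName, ".")[0])
| extend
    MatchIn        = DeviceName in (wanted),       // exact and case-sensitive: misses ZZZ.corp.example
    MatchHasAny    = DeviceName has_any (wanted),  // whole-term match: also hits ZZZ-LAB.corp.example
    MatchShortName = ShortName in~ (wanted)        // exact on the host part, case-insensitive
| project DeviceName, JoinType, ShortName, MatchIn, MatchHasAny, MatchShortName
```

Against the real table, replace the `datatable` with `DeviceInfo`, filter with `| where ShortName in~ (wanted)` and summarize `make_set(JoinType)` by `ShortName`. Running `DeviceInfo | where DeviceName contains "ZZZ" | distinct DeviceName` first shows the exact stored name and confirms or rules out the assumption.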
