Forum Discussion
Kapildev_C
Dec 12, 2023 (Copper Contributor)
Advanced Hunting Query - Endpoint Security
Hi,
I'm using the below Advanced Hunting query to find the domain details of the machine. Unfortunately, I'm not getting any results for Hybrid Azure AD Join machines. Could someone please help? It gives results only for AAD Joined and AAD Registered.
Query:
DeviceInfo
| where DeviceName in ("XXX", "YYY", "ZZZ")
| project DeviceName, JoinType
| summarize make_set(JoinType) by DeviceName
For example:
If the device "XXX" is an AAD registered machine, "YYY" is AAD joined, and "ZZZ" is Hybrid Azure AD joined, I'm getting results for XXX and YYY. Results for the "ZZZ" machine are not shown.
- Yash_Mudaliar (Iron Contributor)
Hi @Kapildev_C, try filtering only by "ZZZ" or just by the join type as "Hybrid Azure AD joined" and see if you get any output. If you can see the results from this, I think you should try summarizing by 'Join Type' and make sets of device names (suggesting this since I am not sure of your use case). If not, then most probably, the join status is either not replicated to MDE or the machine is indeed not hybrid AD joined.
- Kapildev_C (Copper Contributor)
Thanks for the response. When I run the query only for the machine "ZZZ" I'm getting results and showing 'Join Type' as 'Hybrid Azure AD Join'.
But when I use "in" instead of "contains" to get results for multiple devices it's not even showing the name of Hybrid Azure AD Joined machines. Screenshot attached fyr.
Query used for the ZZZ machine (single machine):
DeviceInfo
| where DeviceName contains "ZZZ"
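
An added example, not part of the original thread: in KQL, `in` is a case-sensitive whole-string comparison while `contains` is a case-insensitive substring match, which is consistent with "ZZZ" matching under `contains` but not under `in`. The query below assumes the stored DeviceName for the hybrid-joined machine differs from the literal in letter case or carries a domain suffix; `targets`, `ShortName` and the device names are hypothetical placeholders.

```kusto
// Constructed placeholder names from the thread; use lower-case short host names here.
let targets = dynamic(["xxx", "yyy", "zzz"]);
DeviceInfo
| where Timestamp > ago(7d)
// Normalise the stored name: lower-case it and keep only the label before the first dot,
// so "ZZZ", "zzz" and "zzz.<domain suffix>" all compare equal to "zzz".
| extend ShortName = tolower(tostring(split(DeviceName, ".")[0]))
| where ShortName in (targets)
// Keep only rows that actually report a join type, so the set holds real values.
| where isnotempty(JoinType)
| summarize JoinTypes   = make_set(JoinType),
            StoredNames = make_set(DeviceName),  // the exact strings a plain `in` would have to equal
            LastSeen    = max(Timestamp)
    by ShortName
```

The `StoredNames` column shows the value to copy into an exact-match filter; `in~` gives a case-insensitive whole-string match when only letter case differs.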