Forum Discussion

Kapildev_C's avatar
Kapildev_C
Copper Contributor
Dec 12, 2023

Advanced Hunting Query - Endpoint Security

Hi, I'm using the below Advanced Hunting query to find the domain details of the machine, unfortunately, I'm not getting any results for Hybrid Azure AD Join machines. Could someone please help? It ...
endpoint security
microsoft 365 defender
Yash_Mudaliar's avatar
Yash_Mudaliar
MCT
Dec 13, 2023

Hi @Kapildev_C , try filtering only by "ZZZ" or just by the join type as "Hybrid Azure AD joined" and see if you get any output. If you can see the results from this, I think you should try summarizing by 'Join Type' and make sets of device names (suggesting this since I am not sure of your use case). If not, then most probably, the join status is either not replicated to MDE or the machine is indeed not hybrid AD joined.

Kapildev_C's avatar
Kapildev_C
Copper Contributor
Dec 13, 2023

Hi Yash_Mudaliar 

Thanks for the response. When I run the query only for the machine "ZZZ" I'm getting results and showing 'Join Type' as 'Hybrid Azure AD Join'.

But when I use "in" instead of "contains" to get results for multiple devices it's not even showing the name of Hybrid Azure AD Joined machines. Screenshot attached fyr.

Query used to ZZZ machine:(Single machine)

DeviceInfo
| where DeviceName contains "ZZZ"