Forum Discussion
dmarquesgn
Aug 28, 2024 - Iron Contributor
Same device with Onboarded and Not Onboarded status
Hi, I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same devicename but different deviceid) wi...
jbmartin6
Sep 03, 2024 - Iron Contributor
This is getting outside my experience with Kusto; we typically pull the raw data using the API, then manipulate the data locally via PowerShell. What you suggest may be possible since Kusto breaks values up into substrings automatically, that is part of what makes it such a great query tool for large data sets. Take a look here (https://learn.microsoft.com/en-us/kusto/query/datatypes-string-operators?view=azure-data-explorer&preserve-view=true) and see if you can get something like "Left.Devicename contains Right.DeviceName" to work.
dmarquesgn
Sep 04, 2024 - Iron Contributor
jbmartin6 Thanks for the tip. I also do the same many times: extract the data with PowerShell and then work it out. But as the goal here is to create a Detection Rule, it needs to be a query with Defender.
I'll take a look at those references.
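One way to surface the duplicate-name situation from the first post entirely within an advanced-hunting query, as an added example that is not code from either poster or from Microsoft's docs: because a Kusto join's on clause only accepts equality matches, it normalizes the device name (lower-case, domain suffix stripped) and groups on that instead of using contains. It assumes the standard Defender XDR DeviceInfo table with its DeviceId, DeviceName, OnboardingStatus and Timestamp columns.

```kusto
// Added example: device names that appear under more than one DeviceId
// with differing onboarding status (e.g. one Onboarded, one not).
// Assumes the Defender XDR DeviceInfo schema; adjust the lookback as needed.
DeviceInfo
| where Timestamp > ago(30d)
// keep only the most recent record for each DeviceId
| summarize arg_max(Timestamp, DeviceName, OnboardingStatus) by DeviceId
// normalize the name so "srv01" and "SRV01.corp.example" group together
| extend ShortName = tolower(tostring(split(DeviceName, ".")[0]))
| summarize DeviceIds = make_set(DeviceId),
            Statuses  = make_set(OnboardingStatus),
            IdCount   = dcount(DeviceId)
          by ShortName
// flag names with several ids whose onboarding status disagrees
| where IdCount > 1 and array_length(Statuses) > 1
| project ShortName, IdCount, DeviceIds, Statuses
```

Dropping the final `array_length(Statuses) > 1` filter lists every name backed by more than one DeviceId, which helps tell stale or re-imaged records apart from genuinely un-onboarded servers.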