Forum Discussion
dmarquesgn
Aug 28, 2024 | Iron Contributor
Same device with Onboarded and Not Onboarded status
Hi,
I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same devicename but different deviceid) with both Onboarding status, which is "Onboarded" and "Can be onboarded".
Does anyone know why? This way I get incorrect results on my detection rule.
Thanks
- jbmartin6 (Iron Contributor)
From the 'can be onboarded' phrase my guess is the Device Discovery feature in MDE generated one of the entries, from traffic sniffing on another machine. Then when the server was onboarded a separate entry was created. I don't know if MDE has some way of matching Device Discovery entries to endpoints onboarded later. It might be useful to check if you see the same sort of results for other machines. I suggest you consider turning off Device Discovery unless you really want it; it uses up a lot of CPU and clutters your device data. If you wait 30 days or so the 'can be onboarded' entry will probably disappear.
- dmarquesgn (Iron Contributor)
jbmartin6 I do have more machines in this state, about 5 or 6 servers. I wouldn't like to turn off device discovery, as we're using it actively to detect some stuff.
- dmarquesgn (Iron Contributor)
dmarquesgn What I was thinking now is that inside the query, I could do a check: if the query returned 2 devices with the same name, and one is "Onboarded", then it would not list the other one. But I'm not sure how to do this in KQL.
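One way to express that check in KQL, added here as an example and not taken from any post in the thread. It uses only the documented columns of the DeviceInfo advanced hunting table (DeviceId, DeviceName, OnboardingStatus, OSPlatform, Timestamp, ReportId); the 7-day lookback and the host-name normalization are assumptions of mine. It also serves the opening post's goal of listing devices that are not onboarded: a "Can be onboarded" record is suppressed whenever an "Onboarded" record with the same name exists.

```kql
// Added example, not from the thread. Assumes only the documented
// DeviceInfo table; the 7-day lookback is a chosen value.
let lookback = 7d;
// One row per DeviceId: its most recent DeviceInfo report in the window.
let latest = DeviceInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(OnboardingStatus)
    | summarize arg_max(Timestamp, *) by DeviceId
    // Discovered devices are often reported by FQDN and onboarded ones by
    // short name, so compare on the lower-cased host label only (assumption).
    | extend NormName = tolower(tostring(split(DeviceName, ".")[0]));
// Names that already have an onboarded sensor reporting.
let onboardedNames = latest
    | where OnboardingStatus == "Onboarded"
    | distinct NormName;
latest
| where OnboardingStatus == "Can be onboarded"
// Drop the discovery-only record when an onboarded record shares the name.
| where NormName !in (onboardedNames)
// Timestamp, DeviceId and ReportId are the columns a custom detection rule needs.
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform, OnboardingStatus
```

The `summarize arg_max(Timestamp, *) by DeviceId` step is what removes the stale duplicate rows a plain `DeviceInfo | where OnboardingStatus != "Onboarded"` query would return, since DeviceInfo holds one row per report rather than one per device. Matching on name only is a deliberate trade-off: the reimage case mentioned later in the thread (two DeviceIds, same name, both onboarded) is left untouched, because only "Can be onboarded" rows are ever suppressed. Validate the normalization against your own naming before relying on it in a rule, and filter on DeviceType if you want servers only.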
- GI472 (Brass Contributor)
I get duplicate devices in the Device Inventory when a device has been reimaged, but I also note that it is picking up a different OSPlatform as well. Are both DeviceIds in your Device Inventory?
- dmarquesgn (Iron Contributor)
Hi. On the Device Inventory panel I only see the onboarded device, I don't see the other one.
- GI472 (Brass Contributor)
dmarquesgn What query did you use to return that result?