Forum Discussion

dmarquesgn
Iron Contributor
Aug 28, 2024

Same device with Onboarded and Not Onboarded status

Hi,

I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same device name but different DeviceId) with both onboarding statuses, "Onboarded" and "Can be onboarded".

Does anyone know why? This way I get incorrect results in my detection rule.

Thanks


  • jbmartin6
    Iron Contributor
    From the 'can be onboarded' phrase my guess is the Device Discovery feature in MDE generated one of the entries, from traffic sniffing on another machine. Then when the server was onboarded a separate entry was created. I don't know if MDE has some way of matching Device Discovery entries to endpoints onboarded later. It might be useful to check if you see the same sort of results for other machines. I suggest you consider turning off Device Discovery unless you really want it, it uses up a lot of CPU and clutters your device data. If you wait 30 days or so the 'can be onboarded' entry will probably disappear.
    • dmarquesgn
      Iron Contributor

      jbmartin6 I do have more machines in this state, about 5 or 6 servers. I wouldn't like to turn off device discovery, as we're using it actively to detect some stuff.

      • dmarquesgn
        Iron Contributor

        dmarquesgn What I was thinking now is that inside the query I could do a check: if the query returned 2 devices with the same name and one is "Onboarded", then it would not list the other one. But I'm not sure how to do this in KQL.
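One way to write the check described above in Advanced Hunting KQL. This is an added example, not a query from the thread or from Microsoft; it runs against the DeviceInfo table and its DeviceName, DeviceId, OnboardingStatus, OSPlatform and Timestamp columns. The 7-day lookback and the normalization of names to a lower-case short hostname (so a discovered FQDN still matches the onboarded short name) are assumptions you may need to adjust.

```kql
// Added example: suppress "Can be onboarded" rows when a record with the same
// device name is already "Onboarded". Not code from the original thread.
let lookback = 7d;   // assumption: window of device records to consider
// Newest record per DeviceId, so each sensor/discovery entry contributes
// its current onboarding status only once.
let latest = DeviceInfo
| where Timestamp > ago(lookback)
| where isnotempty(DeviceName)
| summarize arg_max(Timestamp, *) by DeviceId
// Assumption: compare on lower-case short hostname, since discovered
// devices may be reported as FQDN while onboarded ones use the short name.
| extend NormalizedName = tostring(split(tolower(DeviceName), ".")[0]);
// Names that already have an onboarded record
let onboardedNames = latest
| where OnboardingStatus == "Onboarded"
| distinct NormalizedName;
// Remaining "Can be onboarded" devices that have no onboarded twin
latest
| where OnboardingStatus == "Can be onboarded"
| where NormalizedName !in (onboardedNames)
| project Timestamp, DeviceName, DeviceId, OnboardingStatus, OSPlatform
| order by DeviceName asc
```

Before relying on this in a detection rule, run the `latest` part alone with `summarize dcount(DeviceId) by NormalizedName | where dcount_DeviceId > 1` to confirm the duplicates really are name collisions between a discovered entry and an onboarded sensor, and not two distinct hosts sharing a name.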

  • GI472
    Brass Contributor
    I get duplicate devices in the Device Inventory when a device has been reimaged, but I also note that it is picking up a different OSPlatform as well. Are both DeviceIds in your Device Inventory?
    • dmarquesgn
      Iron Contributor

      GI472 

      Hi. On the Device Inventory panel I only see the onboarded device; I don't see the other one.
