Forum Discussion
dmarquesgn
Aug 28, 2024, Iron Contributor
Same device with Onboarded and Not Onboarded status
Hi, I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same devicename but different deviceid) wi...
jbmartin6
Aug 29, 2024, Iron Contributor
From the 'can be onboarded' phrase my guess is the Device Discovery feature in MDE generated one of the entries, from traffic sniffing on another machine. Then when the server was onboarded a separate entry was created. I don't know if MDE has some way of matching Device Discovery entries to endpoints onboarded later. It might be useful to check if you see the same sort of results for other machines. I suggest you consider turning off Device Discovery unless you really want it, it uses up a lot of CPU and clutters your device data. If you wait 30 days or so the 'can be onboarded' entry will probably disappear.
- dmarquesgn, Aug 29, 2024, Iron Contributor
jbmartin6 I do have more machines in this state, about 5 or 6 servers. I wouldn't like to turn off device discovery, as we're using it actively to detect some stuff.
- dmarquesgn, Aug 29, 2024, Iron Contributor
dmarquesgn What I was thinking now is that inside the query, I could do a check and if the query returned 2 devices with the same name, and one is "Onboarded", then it would not list the other one. But I'm not sure how to do this in KQL.
- jbmartin6, Aug 29, 2024, Iron Contributor
You can't just ignore the 'can be onboarded' entries? I guess you want to know if there is a 'can be onboarded' that is actually not onboarded
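One way to express the de-duplication dmarquesgn describes, as an added example rather than a query from anyone in the thread: take the latest record per device entry, collect the names that have at least one "Onboarded" entry, and report only the "Can be onboarded" entries whose name is not in that set. It assumes the standard Defender for Endpoint advanced-hunting `DeviceInfo` schema (`DeviceId`, `DeviceName`, `OnboardingStatus`, `Timestamp`, `OSPlatform`, `DeviceType`); the 30-day window and the lower-casing of names are choices made here, not something the thread states.

```kql
// Added example, not the poster's query. Assumes the MDE DeviceInfo schema.
// Goal: list "Can be onboarded" entries (typically created by Device Discovery)
// that do NOT have a sibling entry with the same name already reporting "Onboarded".
let lookback = 30d;                          // assumed window; adjust to taste
// Latest status per distinct device entry (DeviceId), keyed by a normalised name
let latest = DeviceInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(OnboardingStatus)
    | extend NameKey = tolower(DeviceName)   // discovered vs onboarded entries may differ in case/FQDN form
    | summarize arg_max(Timestamp, OnboardingStatus, OSPlatform, DeviceType, DeviceName) by DeviceId, NameKey;
// Names that have at least one genuinely onboarded entry
let onboardedNames = latest
    | where OnboardingStatus == "Onboarded"
    | distinct NameKey;
// Remaining "Can be onboarded" entries are the ones with no onboarded twin
latest
| where OnboardingStatus == "Can be onboarded"
| where NameKey !in (onboardedNames)
| project Timestamp, DeviceId, DeviceName, OnboardingStatus, OSPlatform, DeviceType
| order by DeviceName asc
```

If the discovered entry uses a short hostname while the onboarded one uses the FQDN, `tolower(DeviceName)` alone will not match them; in that case replace `NameKey` with `tolower(tostring(split(DeviceName, ".")[0]))` so both collapse to the host part, at the cost of treating same-named hosts in different domains as one.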