Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Aug 28, 2024

Same device with Onboarded and Not Onboarded status

Hi, I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same devicename but different deviceid) wi...
jbmartin6's avatar
jbmartin6
Iron Contributor
Aug 29, 2024
From the 'can be onboarded' phrase my guess is the Device Discovery feature in MDE generated one of the entries, from traffic sniffing on another machine. Then when the server was onboarded a separate entry was created. I don't know if MDE has some way of matching Device Discovery entries to endpoints onboarded later. It might be useful to check if you see the same sort of results for other machines. I suggest you consider turning off Device Discovery unless you really want it, it uses up a lot of CPU and clutters your device data. If you wait 30 days or so the 'can be onboarded' entry will probably disappear.
dmarquesgn's avatar
dmarquesgn
Iron Contributor
Aug 29, 2024

jbmartin6 I do have more machines in this state, about 5 or 6 servers. I wouldn't like to turn off device discovery, as we're using it actively to detect some stuff.

  • dmarquesgn's avatar
    dmarquesgn
    Iron Contributor
    Aug 29, 2024

    dmarquesgn What I was thinking now is that inside the query, I could do a check and if the query returned 2 devices with the same name, and one is "Onboarded", then it would not list the other one. But not sure how to do this on kql.

    • jbmartin6's avatar
      jbmartin6
      Iron Contributor
      Aug 29, 2024
      You can't just ignore the 'can be onboarded' entries? I guess you want to know if there is a 'can be onboarded' that is actually not onboarded
      • dmarquesgn's avatar
        dmarquesgn
        Iron Contributor
        Aug 30, 2024

        jbmartin6 Yes, the goal is to find which Windows Servers exists without being onboarded. So I can ignore the ones which are not well classified.

        But there's one big issue, I have a detection rule based on this query, generating alerts, so this means I will generate a lot of false positives, and the SOC analysts will have to treat each alert, so it's kind of bad having false positives, providing them unnecessary work regularly.

Resources