Forum Discussion
Same device with Onboarded and Not Onboarded status
jbmartin6 I do have more machines in this state, about 5 or 6 servers. I wouldn't like to turn off device discovery, as we're using it actively to detect some stuff.
dmarquesgn What I was thinking now is that inside the query, I could do a check, and if the query returned 2 devices with the same name and one is "Onboarded", then it would not list the other one. But I'm not sure how to do this in KQL.
- jbmartin6, Aug 29, 2024, Iron Contributor
  You can't just ignore the 'can be onboarded' entries? I guess you want to know if there is a 'can be onboarded' that is actually not onboarded.
- dmarquesgn, Aug 30, 2024, Iron Contributor
  jbmartin6 Yes, the goal is to find which Windows Servers exist without being onboarded. So I can ignore the ones which are not well classified.
  But there's one big issue: I have a detection rule based on this query that generates alerts, so this means I will generate a lot of false positives, and the SOC analysts will have to handle each alert. It's kind of bad having false positives, as it gives them unnecessary work regularly.
- jbmartin6, Aug 30, 2024, Iron Contributor
  I think a negative join is what you need here: get a table of all the 'can be onboarded' and all the 'onboarded' entries and use a negative join to get the entries in the first table that are not in the second table.
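One way to write the negative join jbmartin6 describes, as an added example and not a query posted by either participant. It assumes the Microsoft Defender advanced hunting table `DeviceInfo`, whose `OnboardingStatus` column carries the "Onboarded" / "Can be onboarded" values shown in the device inventory, and whose `OSPlatform` column starts with "WindowsServer" for server SKUs. The `Onboarded` / `Candidates` names, the 7-day lookback and the hostname normalisation are the author's own choices, not anything from the thread. The query takes the latest record per device ID on each side, then keeps only the "Can be onboarded" rows whose hostname has no "Onboarded" counterpart (`join kind=leftanti` is KQL's anti-join).

```kql
// Added example: Windows Servers discovered as "Can be onboarded" with no
// "Onboarded" record of the same hostname. Assumes the DeviceInfo table.
let Lookback = 7d;                     // assumption: match the detection rule's window
// Normalise names so "srv01" and "srv01.corp.example" (constructed examples)
// compare equal: discovered devices often report only the short hostname.
let HostKey = (name: string) { tolower(tostring(split(name, ".")[0])) };
let Onboarded = DeviceInfo
    | where Timestamp > ago(Lookback)
    | where OSPlatform startswith "WindowsServer"
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, *) by DeviceId    // latest state per device
    | project OnboardedKey = HostKey(DeviceName);
let Candidates = DeviceInfo
    | where Timestamp > ago(Lookback)
    | where OSPlatform startswith "WindowsServer"
    | where OnboardingStatus == "Can be onboarded"
    | summarize arg_max(Timestamp, *) by DeviceId
    | extend NameKey = HostKey(DeviceName);
Candidates
// Negative join: keep Candidates rows with no matching hostname in Onboarded.
| join kind=leftanti Onboarded on $left.NameKey == $right.OnboardedKey
| project Timestamp, DeviceId, DeviceName, OSPlatform, OSVersion, OnboardingStatus
```

Two things to check before wiring this into a custom detection rule: a device that has genuinely never been onboarded but whose short hostname collides with an onboarded one (two machines both called `srv01` in different domains, say) is hidden by the hostname normalisation, so compare full `DeviceName` values instead if that can happen in your estate; and a server whose last "Onboarded" record is older than the lookback reappears as a candidate, so the window should be no shorter than the one the rule itself queries over.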