Forum Discussion
Same device with Onboarded and Not Onboarded status
Hi, I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same devicename but different deviceid) wi...
You can't just ignore the 'can be onboarded' entries? I guess you want to know if there is a 'can be onboarded' that is actually not onboarded
jbmartin6 Yes, the goal is to find which Windows Servers exists without being onboarded. So I can ignore the ones which are not well classified.
But there's one big issue, I have a detection rule based on this query, generating alerts, so this means I will generate a lot of false positives, and the SOC analysts will have to treat each alert, so it's kind of bad having false positives, providing them unnecessary work regularly.
- I think a negative join is what you need here, get a table of all the 'can be onboarded' and all the 'onboarded' and use a negative join to get the entries in the first table that are not in the second table
jbmartin6 I got the idea. I don't have enough experience with KQL to build something like that. Do you have any idea how to build that kind of query? Or any place where I find some examples to build on that?
Thanks
Something like this might do it. The correct term is anti join.
let TableOnboarded = DeviceInfo | where OnboardingStatus == "Onboarded"; let TableCouldBeOnboarded = DeviceInfo | where OnboardingStatus != "Onboarded"; TableCouldBeOnboarded | join kind=anti TableOnboarded on DeviceId