Forum Discussion
Same device with Onboarded and Not Onboarded status
Hi, I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same devicename but different deviceid) wi...
I think a negative join is what you need here, get a table of all the 'can be onboarded' and all the 'onboarded' and use a negative join to get the entries in the first table that are not in the second table
jbmartin6 I got the idea. I don't have enough experience with KQL to build something like that. Do you have any idea how to build that kind of query? Or any place where I find some examples to build on that?
Thanks