cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

M365 Defender - Recently seen by?

GI472
Brass Contributor

‎Oct 04 2022 01:26 PM

‎Oct 04 2022 01:26 PM

M365 Defender - Recently seen by?

Does anyone know what "Recently seen by" under network activity actually means?

 

We have a number of unusual device names keep popping up in our Defender inventory list, which are showing as running Windows 10. We usually get this when we reimage machines, but this is different.

 

Firstly, all newly imaged machines present a variation of the same name, whereas these are all completely different and not in keeping with the expected naming convention.

 

Also, when you click the Defender device page, under network activity the 'Recently seen by' section keeps showing different, genuine Windows 10 machines in our environment. The IP and MAC address however stay constant.

 

Does anyone know what this might be? I'm thinking perhaps an issue with SCCM, or our task sequence when reimaging laptops, but don't know much for sure.

6,513 Views
0 Likes
6 Replies
Reply
6 Replies
Jonhed

‎Oct 04 2022 05:01 PM

‎Oct 04 2022 05:01 PM

Re: M365 Defender - Recently seen by?

My guess is this might be the Device Discovery, showing devices that have been detected on the network. What is the onboarding status shown for these devices?
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o36...
0 Likes
Reply
GI472

‎Oct 04 2022 05:27 PM

‎Oct 04 2022 05:27 PM

Re: M365 Defender - Recently seen by?

They're all showing as 'Can be onboarded'. I have since done some further digging and I am now pretty sure that they are new laptops that have failed the task sequence during imaging. My main query now is what 'Recently seen by' means. It is changing each time I look at the device page, and it showing real, current devices in our domain.
0 Likes
Reply
Jonhed

‎Oct 04 2022 05:33 PM

‎Oct 04 2022 05:33 PM

Re: M365 Defender - Recently seen by?

In that case, I would assume this list shows the onboarded devices that recently detected the device in question, through the use of Device Discovery.
0 Likes
Reply
GI472

‎Oct 04 2022 07:04 PM

‎Oct 04 2022 07:04 PM

Re: M365 Defender - Recently seen by?

Hi Jonhed, firstly, thank you for taking the time to reply to me.

I think you are right on this. Do you know what the 'Recently seen by' is though? I wonder why a newly discovered device that failed during the imaging process is 'Recently seen by' genuine devices on the domain.
0 Likes
Reply
Jonhed

‎Oct 04 2022 08:42 PM - edited ‎Oct 04 2022 08:43 PM

‎Oct 04 2022 08:42 PM - edited ‎Oct 04 2022 08:43 PM

Re: M365 Defender - Recently seen by?

Device Discovery checks network traffic passively, or runs active network scans to find devices not onboarded to MDE inside your network, and this process is run inside your genuine onboarded devices (Win10 and Win11 only I think)

If the devices that failed during the imaging process, but are still present on the network, they can be discovered by Device Discovery, and the "Recently seen by" should be a list of the devices that noticed said device on the network either passively or actively in the Device Discovery process.

I have not seen mention of this "Recently seen by" in the docs, so if you want a definitive answer you should probably raise a SR with Microsoft.

0 Likes
Reply
GI472

‎Dec 06 2022 02:11 PM

‎Dec 06 2022 02:11 PM

Re: M365 Defender - Recently seen by?

Thank you!
0 Likes
Reply