Aug 28 2024 03:01 AM
Hi,
I'm creating a detection rule to search for servers which are not onboarded to Defender. What's strange about this query is that I get the same device (same DeviceName but different DeviceId) with both onboarding statuses, "Onboarded" and "Can be onboarded".
Does anyone know why? This way I get incorrect results in my detection rule.
Thanks
Aug 28 2024 05:46 PM
Aug 29 2024 01:37 AM
Hi. On the Device Inventory panel I only see the onboarded device; I don't see the other one.
Aug 29 2024 02:33 AM
@dmarquesgn What query did you use to return that result?
Aug 29 2024 02:50 AM
@GI472 Here you have it:
Aug 29 2024 05:16 AM
Aug 29 2024 09:07 AM
@jbmartin6 I do have more machines in this state, about 5 or 6 servers. I wouldn't like to turn off device discovery, as we're using it actively to detect some stuff.
Aug 29 2024 09:09 AM
@dmarquesgn What I was thinking now is that inside the query I could do a check: if the query returned 2 devices with the same name and one is "Onboarded", then it would not list the other one. But I'm not sure how to do this in KQL.
Aug 29 2024 11:13 AM
Aug 30 2024 01:00 AM
@jbmartin6 Yes, the goal is to find which Windows Servers exist without being onboarded, so I can ignore the ones which are not well classified.
But there's one big issue: I have a detection rule based on this query generating alerts, so this means I will generate a lot of false positives, and the SOC analysts will have to treat each alert. Having false positives is kind of bad, as it gives them unnecessary work regularly.
Aug 30 2024 04:27 AM
Aug 30 2024 05:01 AM
@jbmartin6 I got the idea. I don't have enough experience with KQL to build something like that. Do you have any idea how to build that kind of query? Or any place where I can find some examples to build on?
Thanks
Aug 30 2024 11:32 AM
Something like this might do it. The correct term is anti join.
let TableOnboarded = DeviceInfo
| where OnboardingStatus == "Onboarded";
let TableCouldBeOnboarded = DeviceInfo
| where OnboardingStatus != "Onboarded";
// anti join: keep only the rows of TableCouldBeOnboarded whose DeviceId
// has no matching row in TableOnboarded
TableCouldBeOnboarded
| join kind=anti TableOnboarded on DeviceId
Sep 02 2024 12:27 AM
@jbmartin6 That really helped. I just changed the DeviceId to DeviceName, as the DeviceId is in fact different; what's equal is the DeviceName. So now the query is like this:
let TableOnboarded = DeviceInfo
| where OnboardingStatus == "Onboarded";
let TableCouldBeOnboarded = DeviceInfo
| where OnboardingStatus != "Onboarded" and MachineGroup contains "Windows Server";
// anti join on the name instead of the id: drop every not-onboarded row
// whose DeviceName also appears among the onboarded devices
TableCouldBeOnboarded
| join kind=anti TableOnboarded on DeviceName
| distinct DeviceName
Now there's only one last issue. There's one device for which, in the "Onboarded" state, the DeviceName has the domain, like "srv-server.domain.local", while the "Not Onboarded" DeviceName is just the server name, without the domain.
Is there any chance to parse out the domain name and compare just the server name?
Thanks
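Added example (not part of any post in this thread, and not the reply that followed): one way to carry the anti join from the post above through the FQDN-vs-short-name mismatch in KQL. It assumes the standard Defender XDR advanced hunting DeviceInfo columns (Timestamp, ReportId, DeviceId, DeviceName, OnboardingStatus, MachineGroup); the 7-day window and the "Windows Server" group filter are placeholders taken from the thread, to adjust to the tenant.

```kql
// Added example, not from the thread. Assumes the standard DeviceInfo schema.
// Step 1: reduce DeviceInfo to one row per device, the latest snapshot. DeviceInfo
// keeps a history per DeviceId, so without this an old "Can be onboarded" row for a
// device that has since been onboarded would still surface.
let LatestDevices = DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceId
    // Step 2: normalize the hostname so "srv-server.domain.local" and "SRV-SERVER"
    // compare equal: lower-case, then keep the label before the first dot
    // (split() returns a dynamic array; [0] is the first label).
    | extend ShortName = tolower(tostring(split(DeviceName, ".")[0]));
let Onboarded = LatestDevices
    | where OnboardingStatus == "Onboarded";
let NotOnboarded = LatestDevices
    | where OnboardingStatus != "Onboarded"
    | where MachineGroup contains "Windows Server";   // filter from the thread; adjust
// Step 3: anti join keeps only left-side rows with no match on the right, i.e.
// discovered devices whose short name never appears among onboarded devices.
NotOnboarded
| join kind=anti Onboarded on ShortName
// Keep Timestamp, ReportId and DeviceId: a custom detection rule requires them,
// which a trailing "distinct DeviceName" would drop.
| project Timestamp, ReportId, DeviceId, DeviceName, ShortName, OnboardingStatus, MachineGroup
```

Two caveats a practitioner would want. First, matching on the short name alone collapses hosts that share a name across different domains, so an un-onboarded host is hidden whenever a same-named host in another domain is onboarded; if that is a real risk in the environment, compare on the full lower-cased name and only fall back to the short name where one side has no dot. Second, the "Windows Server" group filter is inherited from the thread; OSPlatform is an alternative column to filter on if device groups are not consistently assigned.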
Sep 03 2024 06:43 AM
Sep 04 2024 03:38 AM
@jbmartin6 Thanks for the tip. I also do the same many times: extract the data with PowerShell and then work it out. But as the goal here is to create a detection rule, it needs to be a query within Defender.
I'll take a look at those references.