Sep 06 2023 06:21 AM
DeviceInfo | project DeviceId, DeviceName, ClientVersion, OSPlatform, JoinType, AadDeviceId, OnboardingStatus, DeviceCategory, DeviceType, DeviceSubtype, Model, Vendor, OSDistribution, OSVersionInfo, SensorHealthState
Sep 06 2023 07:42 PM
Check the time/days in the KQL editor @dmarquesgn
The asset inventory is last 30 days, whereas you may have your KQL query set to last 7 days or something.
If it's not that, then pass.
Sep 07 2023 02:14 AM
Thanks for the tip. The issue is certainly because of the 30 days of data which is returned by the Hunting Query, while on the exported list of devices from the "Devices" view in the portal, I got devices whose last device update was 6 months ago.
So now I'm using this query:
DeviceInfo
| distinct DeviceId, DeviceName, ClientVersion, OSPlatform, JoinType, AadDeviceId, OnboardingStatus, DeviceCategory, DeviceType, DeviceSubtype, Model, Vendor, OSDistribution, OSVersionInfo, SensorHealthState
Now I've got another odd issue. Running the hunting query on the Defender portal, I've got 4079 results. Running the hunting query over PowerShell returns 8105 results, and most of the devices are duplicated, which is kind of odd, and I haven't yet understood why.
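An added example, not part of the original posts: `DeviceInfo` stores repeated snapshots per device, so `distinct` over columns that change between snapshots (such as `ClientVersion` or `SensorHealthState`) returns more than one row for the same `DeviceId`. The two queries below first show which devices and columns vary, then keep only the latest snapshot per device. The 30-day window and the assumption that this is the cause of the duplicated rows in the thread are illustrative and not confirmed by the posters.

```kusto
// Query 1 (diagnostic): devices whose snapshots differ in at least one
// of the columns used in the thread's `distinct` query.
// Assumption: a 30-day window, stated in the query text itself.
DeviceInfo
| where Timestamp > ago(30d)
| summarize Snapshots        = count(),
            ClientVersions   = dcount(ClientVersion),
            OSVersions       = dcount(OSVersionInfo),
            HealthStates     = dcount(SensorHealthState),
            OnboardingStates = dcount(OnboardingStatus)
    by DeviceId
| where ClientVersions > 1 or OSVersions > 1
     or HealthStates > 1 or OnboardingStates > 1
| order by Snapshots desc

// Query 2 (inventory): exactly one row per DeviceId, taken from the
// most recent snapshot, with the same columns as the thread's query.
DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, DeviceName, ClientVersion, OSPlatform, JoinType,
          AadDeviceId, OnboardingStatus, DeviceCategory, DeviceType,
          DeviceSubtype, Model, Vendor, OSDistribution, OSVersionInfo,
          SensorHealthState, LastSeen = Timestamp
```

Run each query separately. If Query 2 still returns different counts in the portal and over the API, compare the `LastSeen` range of both result sets to see whether the two clients are querying the same time window.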