Oct 04 2022 01:26 PM
Does anyone know what "Recently seen by" under network activity actually means?
We have a number of unusual device names that keep popping up in our Defender inventory list, which are showing as running Windows 10. We usually get this when we reimage machines, but this is different.
Firstly, all newly imaged machines present a variation of the same name, whereas these are all completely different and not in keeping with the expected naming convention.
Also, when you click the Defender device page, under network activity the 'Recently seen by' section keeps showing different, genuine Windows 10 machines in our environment. The IP and MAC address, however, stay constant.
Does anyone know what this might be? I'm thinking perhaps an issue with SCCM, or our task sequence when reimaging laptops, but don't know much for sure.
Oct 04 2022 08:42 PM - edited Oct 04 2022 08:43 PM
Device Discovery checks network traffic passively, or runs active network scans to find devices not onboarded to MDE inside your network, and this process is run inside your genuine onboarded devices (Win10 and Win11 only, I think).
If the devices failed during the imaging process but are still present on the network, they can be discovered by Device Discovery, and the "Recently seen by" should be a list of the devices that noticed said device on the network, either passively or actively, in the Device Discovery process.
I have not seen mention of this "Recently seen by" in the docs, so if you want a definitive answer you should probably raise an SR with Microsoft.