M365 Defender - Recently seen by?

Does anyone know what "Recently seen by" under network activity actually means?

We have a number of unusual device names that keep popping up in our Defender inventory list, which are showing as running Windows 10. We usually get this when we reimage machines, but this is different.

Firstly, all newly imaged machines present a variation of the same name, whereas these are all completely different and not in keeping with the expected naming convention.

Also, when you click the Defender device page, under network activity the 'Recently seen by' section keeps showing different, genuine Windows 10 machines in our environment. The IP and MAC address, however, stay constant.

Does anyone know what this might be? I'm thinking perhaps an issue with SCCM, or our task sequence when reimaging laptops, but don't know much for sure.

6 Replies
My guess is this might be the Device Discovery, showing devices that have been detected on the network. What is the onboarding status shown for these devices?
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o36...

They're all showing as 'Can be onboarded'. I have since done some further digging and I am now pretty sure that they are new laptops that have failed the task sequence during imaging. My main query now is what 'Recently seen by' means. It is changing each time I look at the device page, and it is showing real, current devices in our domain.

In that case, I would assume this list shows the onboarded devices that recently detected the device in question, through the use of Device Discovery.

Hi Jonhed, firstly, thank you for taking the time to reply to me.

I think you are right on this. Do you know what the 'Recently seen by' is though? I wonder why a newly discovered device that failed during the imaging process is 'Recently seen by' genuine devices on the domain.

Device Discovery checks network traffic passively, or runs active network scans to find devices not onboarded to MDE inside your network, and this process is run inside your genuine onboarded devices (Win10 and Win11 only, I think).

If the devices failed during the imaging process but are still present on the network, they can be discovered by Device Discovery, and the "Recently seen by" should be a list of the devices that noticed said device on the network, either passively or actively, in the Device Discovery process.

I have not seen mention of this "Recently seen by" in the docs, so if you want a definitive answer you should probably raise an SR with Microsoft.

Thank you!