Query Details

Device Find Devices To Onboard

Query

//Find the information of any devices found by Defender network device discovery that are able to be onboarded to Defender
//Data connector required for this query - Advanced Hunting license
//This query only works in Advanced Hunting
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus == "Can be onboarded"
| where isempty(MergedToDeviceId)
| project ['Time last seen']=Timestamp, DeviceName, DeviceId, OSDistribution, OSVersion, DeviceCategory, IsAzureADJoined, JoinType

Explanation

This query finds information about devices that have been discovered by Defender network device discovery and can be onboarded to Defender. It requires an Advanced Hunting license and can only be run in Advanced Hunting. The query first retrieves the latest record for each device (so a device that has since been onboarded is not reported), then filters for devices whose onboarding status is "Can be onboarded", and excludes devices that have been merged with another device record. The resulting information includes the timestamp of the last seen activity, device name, device ID, operating system distribution and version, device category, whether it is joined to Azure AD, and the type of join.
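As an added example, not part of the original query, the same filter can be turned into a prioritization view: instead of listing each device, it counts the onboardable population per operating system platform and device category over a shorter lookback window and keeps a small sample of device names per group. It assumes the documented DeviceInfo schema, including the OSPlatform column, which the original query does not use.

```kql
// Added example (not the original query): summarize onboardable devices by platform
// so onboarding work can be prioritized. Assumes the standard DeviceInfo schema;
// OSPlatform is assumed to be present alongside the columns used in the original.
let lookback = 7d;                       // only devices seen recently are worth chasing
DeviceInfo
| where Timestamp > ago(lookback)
| summarize arg_max(Timestamp, *) by DeviceId          // latest state per device first
| where OnboardingStatus == "Can be onboarded"          // then filter on that latest state
| where isempty(MergedToDeviceId)                       // drop records merged into another device
| summarize
    Devices = count(),
    LastSeen = max(Timestamp),
    SampleNames = make_set(DeviceName, 5)
    by OSPlatform, DeviceCategory
| order by Devices desc
```

Filtering on OnboardingStatus after arg_max is deliberate: filtering first would also surface devices whose older records said "Can be onboarded" even though their most recent record shows them as already onboarded.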

Details


Matt Zorich

Released: June 17, 2022

Tables

DeviceInfo

Keywords

Devices, Defender, networkdevicediscovery, onboarding, AdvancedHunting, Dataconnector, license, DeviceInfo, Timestamp, DeviceId, OnboardingStatus, MergedToDeviceId, OSDistribution, OSVersion, DeviceCategory, IsAzureADJoined, JoinType

Operators

summarize, arg_max, by, where, isempty, project