Query Details
//Find new devices onboarded to Defender in the last month
//Data connector required for this query - M365 Defender - Device* tables
let knowndevices=
DeviceNetworkInfo
| where TimeGenerated > ago(180d) and TimeGenerated < ago(30d)
| distinct DeviceName;
DeviceNetworkInfo
| where TimeGenerated > ago(30d)
| summarize arg_min(TimeGenerated, *) by DeviceName
| where DeviceName !in (knowndevices)
| project TimeGenerated, DeviceName
| extend ['Days Since First Seen']=datetime_diff("day", now(), TimeGenerated)
| project ['Time First Seen']=TimeGenerated, ['Days Since First Seen'], DeviceName
| sort by ['Days Since First Seen'] desc

This query finds new devices that have been onboarded to Defender in the last month. It uses the M365 Defender - Device* tables as the data connector. The query first builds a list of known devices: any device that appears in DeviceNetworkInfo between 180 and 30 days ago. It then takes the earliest DeviceNetworkInfo row for each device in the last 30 days and drops any device that is on the known list. The result includes the time the device was first seen, the number of days since it was first seen, and the device name, sorted by the number of days since first seen in descending order.
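The same baseline-versus-recent logic as an added Python example (not part of the original query page), run over a constructed set of DeviceNetworkInfo rows; it also shows the edge case the 180-day baseline creates, where a device last seen more than 180 days ago is reported as "new" again. The row shape, sample device names and pinned timestamp are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

BASELINE_DAYS = 180  # ago(180d) in the query
RECENT_DAYS = 30     # ago(30d) in the query

def find_new_devices(events, now):
    """events: (TimeGenerated, DeviceName) pairs, one per DeviceNetworkInfo row."""
    baseline_start = now - timedelta(days=BASELINE_DAYS)
    recent_start = now - timedelta(days=RECENT_DAYS)
    # 'knowndevices': any device seen between 180 and 30 days ago
    known = {name for t, name in events if baseline_start < t < recent_start}
    # arg_min(TimeGenerated, *) by DeviceName over the last 30 days: earliest row per device
    first_seen = {}
    for t, name in events:
        if t > recent_start and (name not in first_seen or t < first_seen[name]):
            first_seen[name] = t
    rows = []
    for name, t in first_seen.items():
        if name in known:  # DeviceName !in (knowndevices)
            continue
        rows.append({
            "Time First Seen": t,
            # whole-day approximation of datetime_diff("day", now(), TimeGenerated)
            "Days Since First Seen": (now - t).days,
            "DeviceName": name,
        })
    rows.sort(key=lambda r: r["Days Since First Seen"], reverse=True)
    return rows

# Constructed sample rows (not real telemetry); 'now' is pinned so results are stable.
SAMPLE_NOW = datetime(2022, 6, 17, tzinfo=timezone.utc)
def _days_ago(days): return SAMPLE_NOW - timedelta(days=days)
SAMPLE_EVENTS = [
    (_days_ago(100), "ws-old"),      # inside the baseline window -> known, never reported
    (_days_ago(5), "ws-old"),
    (_days_ago(12), "ws-new"),       # first seen 12 days ago -> reported
    (_days_ago(3), "ws-new"),
    (_days_ago(2), "ws-newer"),      # first seen 2 days ago -> reported
    (_days_ago(200), "ws-dormant"),  # older than the 180d baseline...
    (_days_ago(20), "ws-dormant"),   # ...so it shows up as "new" again (lookback caveat)
    (_days_ago(60), "ws-gone"),      # nothing in the last 30d -> not reported
]

def demo():
    return find_new_devices(SAMPLE_EVENTS, SAMPLE_NOW)
```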

Matt Zorich
Released: June 17, 2022