# List recently found devices that can be onboarded

## Query Information

### Description

This query lists devices that can be onboarded to Defender For Endpoint and have recently been detected. You can determine what counts as recent by using the *RecentDetection* parameter.

#### Risk

Devices that are not onboarded can be misused without detection.

#### References

- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-machines-onboarding?view=o365-worldwide

## Defender For Endpoint

```KQL
// Only report devices seen within this window
let RecentDetection = 10d;
DeviceInfo
| where OnboardingStatus == "Can be onboarded"
// Keep the most recent record per device
| summarize arg_max(Timestamp, *) by DeviceId
| where Timestamp > ago(RecentDetection)
| summarize TotalDevices = dcount(DeviceId), DeviceNames = make_set(DeviceName) by OSPlatform, DeviceType
```

## Sentinel

```KQL
// Only report devices seen within this window
let RecentDetection = 10d;
DeviceInfo
| where OnboardingStatus == "Can be onboarded"
// Keep the most recent record per device
| summarize arg_max(TimeGenerated, *) by DeviceId
// Sentinel exposes the event time as TimeGenerated, not Timestamp
| where TimeGenerated > ago(RecentDetection)
| summarize TotalDevices = dcount(DeviceId), DeviceNames = make_set(DeviceName) by OSPlatform, DeviceType
```
This query lists recently found devices that can be onboarded to Defender For Endpoint. It helps identify devices that have been detected recently and are not yet onboarded, which could pose a risk as they can be misused without detection. The query uses the "RecentDetection" parameter to determine what is considered recent. It provides information such as the total number of devices and their names, categorized by the operating system platform and device type.
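The summary above answers "how many, by platform and type"; when triaging, an analyst usually needs a per-device list with first and last detection time and where the device was seen. The following is an added example, not part of the page's query collection, that produces that view against the same `DeviceInfo` schema used above (Defender For Endpoint column names). The output column names `FirstSeen`, `LastSeen`, `DaysSinceLastSeen` and `DaysObserved` are my own.

```KQL
// Added example: per-device triage view of devices that can be onboarded.
// Assumes the DeviceInfo table and the RecentDetection convention from the page.
let RecentDetection = 10d;
DeviceInfo
| where OnboardingStatus == "Can be onboarded"
// One row per device: earliest and latest record, plus the latest known attributes
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    arg_max(Timestamp, DeviceName, OSPlatform, OSVersion, DeviceType, PublicIP, LoggedOnUsers)
    by DeviceId
// Same recency filter as the summary query
| where LastSeen > ago(RecentDetection)
// How stale the last sighting is, and how long the device has been lingering un-onboarded
| extend DaysSinceLastSeen = datetime_diff('day', now(), LastSeen),
         DaysObserved = datetime_diff('day', LastSeen, FirstSeen)
| project DeviceId, DeviceName, OSPlatform, OSVersion, DeviceType, PublicIP, LoggedOnUsers,
          FirstSeen, LastSeen, DaysSinceLastSeen, DaysObserved
| sort by DaysObserved desc, LastSeen desc
```

For Sentinel, replace `Timestamp` with `TimeGenerated` as in the Sentinel variant above. Note that `FirstSeen` is bounded by the table's retention and the query's time range, so a device that has been discoverable for longer than that window shows the oldest record still available rather than its true first sighting.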

Bert-Jan Pals
Released: December 23, 2023