Query Details

Microsoft Defender for Endpoint - Streamlined Connectivity

MDE Connectivity Type

Query

DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == 'Onboarded'
| where DeviceCategory == 'Endpoint'
| summarize arg_max(Timestamp,*) by DeviceId
| where isempty( HostDeviceId) // exclude WSL, as they will create duplicate and adopt the connectivity type of the host
| extend ConnectivityType = iff(isempty( ConnectivityType),"Not-Streamlined",ConnectivityType)
| project DeviceName, OSPlatform, ConnectivityType, DeviceId 
| summarize Total = count() by ConnectivityType

About this query

Explanation

This query is designed to provide an overview of devices using the new streamlined connectivity feature in Microsoft Defender for Endpoint. Here's a simplified breakdown:

  1. Purpose: The query aims to show how many devices are connected through different connectivity methods within the Microsoft Defender for Endpoint environment.

  2. Data Source: It uses the DeviceInfo table to gather information about devices that have been onboarded in the last 30 days and are categorized as endpoints.

  3. Filtering:

    • It filters out devices that are not onboarded.
    • It excludes devices running Windows Subsystem for Linux (WSL) to avoid duplicates, as these devices adopt the connectivity type of their host.
  4. Connectivity Type:

    • It checks if the ConnectivityType is empty and labels such devices as "Not-Streamlined."
    • It then projects relevant information like DeviceName, OSPlatform, ConnectivityType, and DeviceId.
  5. Summarization: The query summarizes the total number of devices by each connectivity type.

  6. Limitations in Microsoft Sentinel:

    • The ConnectivityType attribute is not currently synchronized with Microsoft Sentinel, so the query cannot be executed there.
    • As a workaround, two additional queries are provided to identify devices interacting with the endpoint security URL and checking specific registry keys related to onboarding.

Overall, this query helps administrators understand how devices are connecting to Microsoft Defender for Endpoint and identify any that are not using the streamlined connectivity method.

Details

Alex Verboon profile picture

Alex Verboon

Released: September 5, 2024

Tables

DeviceInfoDeviceNetworkEventsDeviceRegistryEvents

Keywords

DevicesEndpointDeviceIdDeviceNameOSPlatformConnectivityTypeDeviceNetworkEventsRemoteUrlRemoteIPActionTypeInitiatingProcessParentFileNameRegistryKeyRegistryValueNameRegistryValueData

Operators

whereagosummarizearg_maxisemptyextendiffprojectcounthascontains

Actions

GitHub