# MDE Device Discovery

## Query Information

### Description

Use the queries below to retrieve details about Device Discovery.

#### References

- [Device Discovery overview](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide)
- [SeenBy function](https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-seenby-function?view=o365-worldwide)

### Microsoft 365 Defender

```kql
// Device Discovery - what onboarded device discovered the not onboarded Endpoint Device
let AllOnboardedDevices = DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSDistribution)
| extend DiscoveryDeviceId = DeviceId
| extend DiscoveryDeviceName = DeviceName
| extend DiscoveryOSDistribution = OSDistribution
| summarize arg_max(Timestamp, DiscoveryDeviceId, DiscoveryDeviceName, DiscoveryOSDistribution) by DiscoveryDeviceId
| project-away Timestamp, DiscoveryDeviceId1;
DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus <> 'Onboarded'
| where DeviceCategory == @"Endpoint"
| where isempty(MergedToDeviceId)
| summarize arg_max(Timestamp, *) by DeviceId
| invoke SeenBy()
| mv-expand parse_json(SeenBy)
| extend SeenDeviceId = tostring(parse_json(SeenBy.DeviceId))
| extend LastEncountered = todatetime(tostring(parse_json(SeenBy.LastEncountered)))
| project Timestamp, DeviceId, DeviceName, DeviceCategory, DeviceType, DeviceSubtype, Model, Vendor, OSDistribution, SeenDeviceId, LastEncountered, SeenBy
| summarize arg_max(LastEncountered, *) by DeviceId
| join kind=leftouter AllOnboardedDevices on $left.SeenDeviceId == $right.DiscoveryDeviceId
| project-away SeenDeviceId
```

```kql
// Device Discovery - what onboarded device discovered the IoT and Network devices
let AllOnboardedDevices = DeviceInfo
| where Timestamp > ago(30d)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSDistribution)
| extend DiscoveryDeviceId = DeviceId
| extend DiscoveryDeviceName = DeviceName
| extend DiscoveryOSDistribution = OSDistribution
| summarize arg_max(Timestamp, DiscoveryDeviceId, DiscoveryDeviceName, DiscoveryOSDistribution) by DiscoveryDeviceId
| project-away Timestamp, DiscoveryDeviceId1;
DeviceInfo
| where Timestamp > ago(30d)
| where DeviceCategory == @"IoT" or DeviceCategory contains @"NetworkDevice"
| where isempty(MergedToDeviceId)
| summarize arg_max(Timestamp, *) by DeviceId
| invoke SeenBy()
| mv-expand parse_json(SeenBy)
| extend SeenDeviceId = tostring(parse_json(SeenBy.DeviceId))
| extend LastEncountered = todatetime(tostring(parse_json(SeenBy.LastEncountered)))
| project Timestamp, DeviceId, DeviceName, DeviceCategory, DeviceType, DeviceSubtype, Model, Vendor, OSDistribution, SeenDeviceId, LastEncountered
| summarize arg_max(LastEncountered, *) by DeviceId
| join kind=leftouter AllOnboardedDevices on $left.SeenDeviceId == $right.DiscoveryDeviceId
| project-away SeenDeviceId
```
The first query lists endpoint devices seen in the last 30 days that have not been onboarded and identifies, for each of them, the onboarded device that discovered it (the one with the most recent `LastEncountered` entry in `SeenBy`). The result also carries details about the discovering device: its ID, name, and operating system distribution.

The second query is similar to the first but focuses on devices in the IoT and NetworkDevice categories. It identifies the onboarded device that discovered each of these devices and includes information about both the discovering device and the discovered device.
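Both queries answer "which onboarded device saw this particular device?". The inverse view, "how many not-onboarded devices is each onboarded device reporting, and of which kinds?", is useful when deciding where discovery coverage is concentrated and which discovered assets still need onboarding. The query below is an added example and is not one of the catalogued queries above; it reuses the same `DeviceInfo` columns and the same `SeenBy()` handling as the page's queries, and assumes that `SeenBy` entries expose `DeviceId` and `LastEncountered` as those queries do. It combines the Endpoint, IoT and NetworkDevice categories in one pass and aggregates per discovering device.

```kql
// Added example: count of not-onboarded devices discovered per onboarded device,
// broken down by device category, over the same 30-day window the page's queries use.
let Lookback = 30d;
let AllOnboardedDevices = DeviceInfo
| where Timestamp > ago(Lookback)
| where OnboardingStatus == 'Onboarded'
| where isnotempty(OSDistribution)
| summarize arg_max(Timestamp, DeviceName, OSDistribution) by DeviceId
| project DiscoveryDeviceId = DeviceId,
          DiscoveryDeviceName = DeviceName,
          DiscoveryOSDistribution = OSDistribution;
DeviceInfo
| where Timestamp > ago(Lookback)
| where OnboardingStatus <> 'Onboarded'
| where isempty(MergedToDeviceId)              // ignore records merged into another device
| summarize arg_max(Timestamp, *) by DeviceId  // latest record per discovered device
| invoke SeenBy()
| mv-expand parse_json(SeenBy)                 // one row per onboarded device that saw it
| extend SeenDeviceId = tostring(parse_json(SeenBy.DeviceId))
| extend LastEncountered = todatetime(tostring(parse_json(SeenBy.LastEncountered)))
| summarize arg_max(LastEncountered, *) by DeviceId  // attribute each device to its most recent observer
| join kind=inner AllOnboardedDevices on $left.SeenDeviceId == $right.DiscoveryDeviceId
| summarize DiscoveredDevices = dcount(DeviceId),
            Endpoints = dcountif(DeviceId, DeviceCategory == @"Endpoint"),
            IoTDevices = dcountif(DeviceId, DeviceCategory == @"IoT"),
            NetworkDevices = dcountif(DeviceId, DeviceCategory contains @"NetworkDevice"),
            LastDiscovery = max(LastEncountered)
  by DiscoveryDeviceId, DiscoveryDeviceName, DiscoveryOSDistribution
| order by DiscoveredDevices desc
```

The `kind=inner` join deliberately drops discovered devices whose observer is no longer in `AllOnboardedDevices` (for example a device offboarded within the window); switch it to `kind=leftouter`, as the page's queries do, if you want those rows retained with empty discoverer details. A device that several onboarded devices have seen is counted once, against its most recent observer, so the `DiscoveredDevices` column sums to the number of distinct not-onboarded devices rather than the number of sightings.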

Alex Verboon
Released: June 4, 2023