Query Details

Rogue Device Detection

Query

//This query looks for rogue network devices using Microsoft Defender for Endpoint device discovery
//Helps find unmanaged devices connected to your corporate network without extra appliances
//Shows which onboarded device detected each rogue device to help determine network location
DeviceInfo
| where OnboardingStatus != "Onboarded"
| where DeviceType == "NetworkDevice"
// The following line will allow you to exclude known vendors
//| where Vendor !in ("Enter Vendor", "Enter Vendor", "Enter Vendor")
// Keep only the most recent DeviceInfo record per device
| summarize arg_max(Timestamp, *) by DeviceId
// Drop records that have been merged into another device record
| where isempty(MergedToDeviceId)
// SeenBy() adds the onboarded device(s) that discovered this device
| invoke SeenBy()
| project Timestamp, DeviceId, DeviceName, DeviceType, Vendor, SeenBy
// Join only the latest network record per device so each rogue device yields a single row
| join kind=inner (
    DeviceNetworkInfo
    | summarize arg_max(Timestamp, *) by DeviceId
  ) on DeviceId
| extend IPAddresses_0_IPAddress = parse_json(IPAddresses)[0].IPAddress
// SeenBy is kept in the output so the detecting onboarded device is visible
| project Timestamp, DeviceId, DeviceName, DeviceType, Vendor, IPAddresses_0_IPAddress, MacAddress, SeenBy

Explanation

This query is designed to identify unauthorized or unmanaged network devices within a corporate network using Microsoft Defender for Endpoint's device discovery feature. Here's a simplified breakdown of what the query does:

  1. Filter Unmanaged Devices: It starts by selecting devices that are not onboarded (i.e., not enrolled in Microsoft Defender for Endpoint) and are classified as network devices.

  2. Exclude Known Vendors: There is an option to exclude devices from specific known vendors, which can be customized by uncommenting and editing the relevant line.

  3. Identify Latest Records: It summarizes the data to keep only the most recent record for each device, based on the timestamp.

  4. Check for Merging: It filters out devices that have been merged into another device record, ensuring only unique devices are considered.

  5. Determine Detection Source: The query uses the SeenBy() function to identify which onboarded device detected each rogue device, helping to pinpoint the network location.

  6. Project Relevant Information: Finally, it selects and displays key information about each rogue device, including the timestamp of detection, device ID, name, type, vendor, IP address, and MAC address.

Overall, this query helps network administrators identify and assess potentially unauthorized devices on their network, providing insights into where these devices were detected and their basic details.
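As an added example (not part of the original query or its author's work), the same approach can be turned into a scheduled-detection style query that reports only rogue network devices first discovered in the last seven days, keeps the SeenBy column in the output, and takes a single latest DeviceNetworkInfo record per device. The vendor allowlist values, the 30-day lookback and the 7-day "new device" window are placeholder assumptions; the SeenBy() function is used as on the original page.

```kql
// Added example: rogue network devices first seen in the last 7 days.
// Placeholders: KnownVendors values, lookback and newWindow are assumptions to adjust.
let lookback = 30d;
let newWindow = 7d;
let KnownVendors = dynamic(["PLACEHOLDER_VENDOR_1", "PLACEHOLDER_VENDOR_2"]);
DeviceInfo
| where Timestamp > ago(lookback)
| where OnboardingStatus != "Onboarded"
| where DeviceType == "NetworkDevice"
| where isempty(MergedToDeviceId)
| where Vendor !in (KnownVendors)
// FirstSeen comes from the earliest record; arg_max keeps every column of the latest record
| summarize FirstSeen = min(Timestamp), arg_max(Timestamp, *) by DeviceId
| extend LastSeen = Timestamp
// Only devices that appeared for the first time within the window
| where FirstSeen > ago(newWindow)
// Onboarded device(s) that discovered the rogue device (network location hint)
| invoke SeenBy()
// Latest network record per device; leftouter keeps devices without network info
| join kind=leftouter (
    DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, MacAddress, IPAddresses) by DeviceId
    | extend IPAddress = tostring(parse_json(IPAddresses)[0].IPAddress)
    | project DeviceId, MacAddress, IPAddress
  ) on DeviceId
| project FirstSeen, LastSeen, DeviceId, DeviceName, DeviceType, Vendor, IPAddress, MacAddress, SeenBy
| order by FirstSeen desc
```

Run as a scheduled query, this variant raises one row per newly discovered rogue device rather than re-listing the whole inventory each time; devices already in KnownVendors or already seen before the window are suppressed, and SeenBy tells the responder which onboarded host (and therefore which segment) to look at first.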

Details

Austin Herbert

Released: November 10, 2024

Tables

DeviceInfo, DeviceNetworkInfo

Keywords

DeviceInfo, DeviceId, DeviceName, DeviceType, Vendor, Timestamp, MacAddress, IPAddresses, DeviceNetworkInfo, NetworkDevice

Operators

where, summarize, arg_max, by, isempty, invoke, SeenBy, project, join, on, extend, parse_json