Query Details

Endpoints Associated With Multiple Deviceids

Query

# Identify endpoints associated with multiple DeviceIds

## Description

There are cases where a device is re-imaged and comes back with the same hostname as before. MDE keeps both records in Security Center: the old DeviceId is retired, but its logs remain for 6 months. This query identifies endpoint hostnames that are associated with more than one DeviceId, so the stale records can be reviewed and offboarded.

## References
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-offboard-devices?view=o365-worldwide&tabs=Windows1011

### Microsoft 365 Defender
```
DeviceInfo
// Define the timeframe below
| where Timestamp > ago(90d)
| where isnotempty(DeviceId)
| summarize DeviceCount = dcount(DeviceId) by DeviceName
| where DeviceCount > 1
| project DeviceName, DeviceCount
```

### Microsoft Sentinel
```
DeviceInfo
// Define the timeframe below
| where TimeGenerated > ago(90d)
| where isnotempty(DeviceId)
| summarize DeviceCount = dcount(DeviceId) by DeviceName
| where DeviceCount > 1
| project DeviceName, DeviceCount
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 25/05/2023    | Initial publish                        |
| 1.1           | 14/09/2023    | Changes based on @Marshyp comments     |

Explanation

The query identifies endpoint hostnames that are associated with multiple DeviceIds. This typically happens when a device is re-imaged and onboarded again under the same hostname, at which point MDE keeps both the old and the new record in Security Center. The query reads the DeviceInfo table within the specified timeframe, drops rows with an empty DeviceId, counts the distinct DeviceIds per DeviceName, and returns the DeviceName and DeviceCount for hostnames with more than one DeviceId.
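The same logic applied to an exported DeviceInfo sample, as an added Python example that is not part of the original page. It mirrors the query (timeframe, empty-DeviceId filter, distinct count per hostname) and additionally records first/last seen per DeviceId so the retired record stands out; the rows, hostnames, DeviceIds and the fixed "now" are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed DeviceInfo rows (not real telemetry), Sentinel-style columns.
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-06-01T08:00:00Z", "DeviceName": "ws-finance-01", "DeviceId": "id-aaaa1111"},
    {"TimeGenerated": "2023-06-20T08:00:00Z", "DeviceName": "ws-finance-01", "DeviceId": "id-aaaa1111"},
    {"TimeGenerated": "2023-07-15T08:00:00Z", "DeviceName": "ws-finance-01", "DeviceId": "id-bbbb2222"},  # re-imaged, same hostname
    {"TimeGenerated": "2023-08-01T08:00:00Z", "DeviceName": "ws-finance-01", "DeviceId": "id-bbbb2222"},
    {"TimeGenerated": "2023-07-30T08:00:00Z", "DeviceName": "srv-app-03", "DeviceId": "id-cccc3333"},
    {"TimeGenerated": "2023-07-30T09:00:00Z", "DeviceName": "srv-app-03", "DeviceId": ""},  # empty DeviceId, dropped
    {"TimeGenerated": "2023-01-05T08:00:00Z", "DeviceName": "lt-sales-07", "DeviceId": "id-dddd4444"},  # outside 90d window
    {"TimeGenerated": "2023-07-05T08:00:00Z", "DeviceName": "lt-sales-07", "DeviceId": "id-eeee5555"},
]

# Fixed "now" so the example is deterministic (stands in for ago(90d)).
NOW = datetime(2023, 8, 10, tzinfo=timezone.utc)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def duplicate_device_ids(rows, now=NOW, window=timedelta(days=90)):
    """Hostnames with more than one distinct DeviceId inside the window.

    Returns {DeviceName: {"DeviceCount": n, "StaleDeviceId": id, "Devices": {...}}},
    where StaleDeviceId is the DeviceId with the oldest last-seen timestamp.
    """
    seen = defaultdict(dict)  # DeviceName -> DeviceId -> {"first": dt, "last": dt}
    for row in rows:
        ts = parse_ts(row["TimeGenerated"])
        if ts <= now - window or not row["DeviceId"]:   # where Timestamp > ago(90d), isnotempty(DeviceId)
            continue
        entry = seen[row["DeviceName"]].setdefault(row["DeviceId"], {"first": ts, "last": ts})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)

    result = {}
    for name, ids in seen.items():                      # summarize dcount(DeviceId) by DeviceName
        if len(ids) > 1:                                # where DeviceCount > 1
            stale = min(ids, key=lambda d: ids[d]["last"])
            result[name] = {"DeviceCount": len(ids), "StaleDeviceId": stale, "Devices": ids}
    return result


if __name__ == "__main__":
    for name, info in duplicate_device_ids(SAMPLE_ROWS).items():
        print(name, info["DeviceCount"], "stale:", info["StaleDeviceId"])
```

A hostname whose older DeviceId fell outside the window (lt-sales-07 above) is not reported, which is the same blind spot the 90-day filter gives the KQL version.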

Details


Michalis Michalos

Released: September 14, 2023

Tables

DeviceInfo

Keywords

Devices, Intune, User

Operators

where, isnotempty, summarize, by, project
