Tags: Kusto Query Language, Microsoft Defender for Endpoint, Microsoft Sentinel, SECURE

List Recently Found Devices That Can Be On-boarded

Description

This KQL query lists devices that can be on-boarded to Defender For Endpoint and have recently been detected. The RecentDetection parameter defines how far back "recently" reaches (10 days in the query below).

Risk

Devices that are not on-boarded can be misused without detection.

Query

Microsoft Defender For Endpoint
Kusto
let RecentDetection = 10d;
DeviceInfo
| where Timestamp > ago(RecentDetection)
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus == "Can be onboarded"
| summarize TotalDevices = dcount(DeviceId), DeviceNames = make_set(DeviceName) by OSPlatform, DeviceType

Microsoft Sentinel
Kusto
let RecentDetection = 10d;
DeviceInfo
| where TimeGenerated > ago(RecentDetection)
| summarize arg_max(TimeGenerated, *) by DeviceId
| where OnboardingStatus == "Can be onboarded"
| summarize TotalDevices = dcount(DeviceId), DeviceNames = make_set(DeviceName) by OSPlatform, DeviceType
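The following is an added example, not part of the original page or of either product's tooling. It replays the query's pipeline in Python over a handful of constructed DeviceInfo rows (the row values, device ids and names are made up) so the effect of each stage can be checked offline. In particular it shows why the arg_max step sits before the OnboardingStatus filter: a device that was onboarded inside the window still has older rows reading "Can be onboarded", and filtering on status without first reducing to the latest row per device would report it as a false positive.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample DeviceInfo rows (not real telemetry).
# Each row is one report from a device; a device produces several rows over time.
NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)


def _row(days_ago, dev_id, name, os_platform, dev_type, status):
    return {
        "Timestamp": NOW - timedelta(days=days_ago),
        "DeviceId": dev_id,
        "DeviceName": name,
        "OSPlatform": os_platform,
        "DeviceType": dev_type,
        "OnboardingStatus": status,
    }


DEVICE_INFO = [
    _row(1, "dev-a", "laptop-a", "Windows10", "Workstation", "Can be onboarded"),
    _row(5, "dev-b", "srv-b", "WindowsServer2019", "Server", "Can be onboarded"),
    # dev-c was onboarded yesterday; its older row still says "Can be onboarded".
    _row(3, "dev-c", "laptop-c", "Windows10", "Workstation", "Can be onboarded"),
    _row(1, "dev-c", "laptop-c", "Windows10", "Workstation", "Onboarded"),
    # dev-d was last seen 30 days ago, outside the RecentDetection window.
    _row(30, "dev-d", "laptop-d", "Windows10", "Workstation", "Can be onboarded"),
    _row(2, "dev-e", "laptop-e", "Windows10", "Workstation", "Can be onboarded"),
]


def onboardable_devices(rows, recent_detection=timedelta(days=10), now=NOW):
    """Replays the page's query stage by stage over a list of DeviceInfo dicts."""
    # | where Timestamp > ago(RecentDetection)
    recent = [r for r in rows if r["Timestamp"] > now - recent_detection]

    # | summarize arg_max(Timestamp, *) by DeviceId  -> keep the latest row per device
    latest = {}
    for r in recent:
        current = latest.get(r["DeviceId"])
        if current is None or r["Timestamp"] > current["Timestamp"]:
            latest[r["DeviceId"]] = r

    # | where OnboardingStatus == "Can be onboarded"  (evaluated on the latest row only)
    candidates = [r for r in latest.values() if r["OnboardingStatus"] == "Can be onboarded"]

    # | summarize TotalDevices = dcount(DeviceId), DeviceNames = make_set(DeviceName)
    #   by OSPlatform, DeviceType
    # KQL's dcount is an estimate and make_set is unordered; here the count is
    # exact and the names are sorted so the result is deterministic.
    groups = defaultdict(lambda: {"ids": set(), "names": set()})
    for r in candidates:
        g = groups[(r["OSPlatform"], r["DeviceType"])]
        g["ids"].add(r["DeviceId"])
        g["names"].add(r["DeviceName"])
    return {
        key: {"TotalDevices": len(g["ids"]), "DeviceNames": sorted(g["names"])}
        for key, g in groups.items()
    }


def naive_candidate_ids(rows, recent_detection=timedelta(days=10), now=NOW):
    """Same window, but filters on status WITHOUT reducing to the latest row per
    device first. Shows the false positive the arg_max stage prevents."""
    recent = [r for r in rows if r["Timestamp"] > now - recent_detection]
    return {r["DeviceId"] for r in recent if r["OnboardingStatus"] == "Can be onboarded"}


if __name__ == "__main__":
    for (os_platform, dev_type), summary in sorted(onboardable_devices(DEVICE_INFO).items()):
        print(os_platform, dev_type, summary)
    print("naive (status filter before arg_max):", sorted(naive_candidate_ids(DEVICE_INFO)))
```

Running the block yields two groups: two Windows10 workstations (laptop-a and laptop-e) and one Windows Server 2019 server (srv-b). dev-c drops out because its latest row is "Onboarded", and dev-d drops out because it has no row inside the window. The naive variant reports dev-c as still onboardable, which is the case the ordering of the two stages in the KQL is designed to avoid.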
