Threat Hunting With MDE Device Discovery And Seen By Enrichment Function
Query
// Threat Hunting with MDE Device Discovery and SeenBy() Enrichment Function
// Devices discovered but not onboarded and secured by Defender for Endpoint are listed in the device inventory. You can use KQL to query these non-onboarded endpoints and leverage the SeenBy() enrichment function to identify which MDE endpoints have detected these devices in the private network. The IP addresses of non-onboarded devices are then cross-referenced against the AlertEvidence and BehaviourEntities schemas’ LocalIP fields to check for any associated security alerts. If a detection rule is triggered, SecOps should promptly locate and remove the device from the network.
let SuspiciousDeviceIPs =
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where isempty(MergedToDeviceId)
| where OnboardingStatus != "Onboarded"
| where DeviceCategory == "Endpoint" and DeviceType == "Workstation" and DeviceName == ""
| join DeviceNetworkInfo on DeviceId
| extend UnidentifiedDeviceIP = tostring(parse_json(IPAddresses)[0].IPAddress)
| invoke SeenBy()
| mv-expand parse_json(SeenBy)
| extend SeenByDeviceID = SeenBy.DeviceId
| project DeviceId, OSPlatform, OSBuild, OSVersion, MacAddress, UnidentifiedDeviceIP, SeenByDeviceID
| distinct UnidentifiedDeviceIP;
search in (AlertEvidence, BehaviorEntities)
Timestamp between (ago(7d) .. now())
and (
LocalIP has_any(SuspiciousDeviceIPs)
)
// MITRE ATT&CK Mapping
// Initial Access:
// T1078.004: Valid Accounts - The query checks for devices that are not onboarded, which could indicate unauthorized access.
// Discovery:
// T1082: System Information Discovery - Gathering information about the device’s OS, build, version, and MAC address.
// T1016: System Network Configuration Discovery - Extracting network information and IP addresses.
// Lateral Movement:
// T1021: Remote Services - The SeenBy() function indicates devices that have seen the suspicious device, which could be used for lateral movement detection.
// Defense Evasion:
// T1070: Indicator Removal on Host - Devices with no name and not onboarded might be trying to evade detection.
//Command and Control:
// T1071: Application Layer Protocol - The query looks for network activity involving suspicious IPs, which could be used for command and control.Explanation
This query is designed for threat hunting using Microsoft Defender for Endpoint (MDE). It identifies devices in your network that have been discovered but are not yet onboarded and secured by MDE. Here's a simplified breakdown:
-
Identify Non-Onboarded Devices:
- The query looks for devices that are not onboarded to MDE, specifically focusing on endpoints and workstations with no device name.
-
Enrich with SeenBy() Function:
- It uses the
SeenBy()function to find which onboarded MDE devices have detected these non-onboarded devices within the network.
- It uses the
-
Extract IP Addresses:
- The IP addresses of these non-onboarded devices are extracted.
-
Cross-Reference with Security Alerts:
- These IP addresses are then checked against the
AlertEvidenceandBehaviorEntitiesschemas to see if there are any associated security alerts within the last 7 days.
- These IP addresses are then checked against the
-
Actionable Insights for SecOps:
- If any alerts are found, it indicates potential security issues, and the Security Operations (SecOps) team should take immediate action to locate and remove these devices from the network.
MITRE ATT&CK Mapping:
- Initial Access: Identifies unauthorized access by checking for non-onboarded devices.
- Discovery: Gathers system and network information about the devices.
- Lateral Movement: Uses the
SeenBy()function to detect potential lateral movement. - Defense Evasion: Detects devices trying to evade detection by not having a name and not being onboarded.
- Command and Control: Monitors network activity involving suspicious IPs for potential command and control activities.
In summary, this query helps in identifying potentially unauthorized and suspicious devices in your network, cross-references them with security alerts, and provides actionable insights for the security team to mitigate any threats.
Details

Steven Lim
Released: August 26, 2024
Tables
DeviceInfoDeviceNetworkInfoAlertEvidenceBehaviorEntities
Keywords
DevicesIntuneUserNetworkSecurityAlertsEndpointOSMacAddressIPAddressTimestampMITREATT&CK
Operators
letsummarizearg_maxbywhereisemptyjoinextendtostringparse_jsoninvokemv-expandprojectdistinctsearchinbetweenagonowandhas_any