Devices that Microsoft Defender for Endpoint has discovered but that are not yet onboarded are unmanaged endpoints and may already be compromised; either way they can serve as entry points. SOC teams should proactively hunt for these devices so that they can be onboarded or otherwise secured before they are used in an attack.
KQL Query
// Can Be Onboarded devices
let CanBeOnboarded = "Can be onboarded";
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus == CanBeOnboarded
id: 90f30a21-5de6-4c5e-85cf-d81347361aec
name: Can Be Onboarded Devices
description: |
  This query surfaces devices that were discovered by Microsoft Defender for Endpoint and can be onboarded
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics:
  - Resource Development
  - Initial Access
relevantTechniques: []
query: |
  // Can Be Onboarded devices
  let CanBeOnboarded = "Can be onboarded";
  DeviceInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | where OnboardingStatus == CanBeOnboarded
Scenario: Scheduled Onboarding Job for New Devices
Description: A scheduled task runs to onboard new devices into Microsoft Defender for Endpoint.
Filter/Exclusion: DeviceOnboardingStatus = "Completed" or EventSource = "OnboardingJob"
Scenario: Admin Manually Adding Devices via the Portal
Description: An administrator manually adds devices through the Microsoft Defender for Endpoint portal.
Filter/Exclusion: EventSource = "Portal" or Action = "ManualOnboarding"
Scenario: Device Discovery via Microsoft Intune Integration
Description: Microsoft Defender for Endpoint discovers devices through integration with Microsoft Intune.
Filter/Exclusion: IntegrationSource = "Intune" or DeviceType = "IntuneManaged"
Scenario: Device Discovery from Azure Active Directory (AAD) Sync
Description: Devices are discovered through Azure AD synchronization and are being onboarded.
Filter/Exclusion: DiscoverySource = "AADSync" or AADSyncStatus = "Success"
Scenario: Device Discovery via Microsoft Defender for Cloud
Description: Devices are discovered by Microsoft Defender for Cloud and are being onboarded into Defender for Endpoint.
Filter/Exclusion: DiscoverySource = "DefenderForCloud" or CloudIntegration = "Enabled"
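An extended form of the hunt above, added here as an example rather than the page's own query. It keeps the summarize-then-filter order of the original, restricts the hunt to devices seen recently, projects triage columns from the documented DeviceInfo schema, and shows how exclusions of the kind listed in the scenarios can be expressed against real DeviceInfo columns. The 30-day window, the excluded device types and the use of IsExcluded are assumptions to tune per tenant.

```kql
// Added example, not the page's own query.
// Column names come from the documented DeviceInfo schema; the lookback,
// the excluded device types and the IsExcluded check are assumptions.
let CanBeOnboarded = "Can be onboarded";
let lookback = 30d;                                        // assumption: only devices seen in the last 30 days
let excludedTypes = dynamic(["Printer", "NetworkDevice"]);  // assumption: device types that cannot run the sensor
DeviceInfo
| where Timestamp > ago(lookback)
// Reduce to the latest record per device BEFORE filtering on status, otherwise
// a device that was "Can be onboarded" last month but is onboarded now still shows up.
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus == CanBeOnboarded
// Respect devices an admin has already excluded from onboarding in the portal.
| where coalesce(IsExcluded, false) == false
| where DeviceType !in (excludedTypes)
| project LastSeen = Timestamp, DeviceId, DeviceName, DeviceType, OSPlatform, OSVersion,
          JoinType, IsInternetFacing, PublicIP, ExposureLevel
// Internet-facing devices without a sensor are the most urgent to triage.
| sort by IsInternetFacing desc, LastSeen desc
```

Keep the `summarize arg_max(...)` step ahead of the `where OnboardingStatus` filter: DeviceInfo holds many rows per device over time, and filtering first would surface stale "Can be onboarded" rows for devices that have since been onboarded. Exclusions should be driven by columns that actually exist in the table (IsExcluded, DeviceType, OSPlatform) rather than by ad hoc field names, so that the hunt behaves predictably when it is scheduled.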