Devices with a specific name prefix that are not onboarded may indicate the presence of rogue or unmanaged endpoints that could be used as entry points for adversaries. Proactively hunting for such devices in Azure Sentinel helps identify potential security gaps and reduces the risk of unauthorized access to the network.
KQL Query

// Keep only the most recent DeviceInfo record for each device, then flag the
// devices that are still not onboarded and whose name carries the expected prefix
let Onboarded = "Onboarded";
let DeviceNamePrefix = "minint";
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus != Onboarded
| where DeviceName startswith DeviceNamePrefix
id: 6ed94608-316e-4a2d-85dd-91fc9294749e
name: NotOnboarded Devices by DeviceName Prefix
description: |
  This query searches for not onboarded devices with a specific prefix
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics: []
relevantTechniques: []
query: |
  // Keep only the most recent DeviceInfo record for each device, then flag the
  // devices that are still not onboarded and whose name carries the expected prefix
  let Onboarded = "Onboarded";
  let DeviceNamePrefix = "minint";
  DeviceInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | where OnboardingStatus != Onboarded
  | where DeviceName startswith DeviceNamePrefix
Expected (non-malicious) hits and the exclusion to apply for each:

Scenario: A scheduled backup job runs on a server named BackupServer-01 and temporarily connects to the network.
Filter/Exclusion: Exclude devices with the BackupServer prefix using a regex pattern or a custom field in the SIEM.

Scenario: An administrator uses a remote desktop tool such as Microsoft Remote Desktop to connect to a device named Admin-PC-01 for maintenance.
Filter/Exclusion: Exclude devices with the Admin-PC prefix by adding it to an allowlist in the detection rule.

Scenario: A legitimate device named Printer-HP-123 is used in the office and occasionally appears in network logs because of print spooler activity.
Filter/Exclusion: Exclude devices with the Printer- prefix using a device category or a custom tag in the SIEM.

Scenario: A virtual machine (VM) named Dev-VM-01 is spun up in a development environment and briefly connects to the network during provisioning.
Filter/Exclusion: Exclude devices with the Dev-VM prefix by checking against a VM inventory system or using a VM-specific tag.

Scenario: A third-party service such as Microsoft Intune or Microsoft Endpoint Manager uses a device named Intune-Device-01 to manage endpoints.
Filter/Exclusion: Exclude devices with the Intune- or Endpoint- prefix by leveraging device classification or integration with the MDM system.
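The following Python model is an added example, not part of the original hunting query or its YAML: it reproduces the query's logic (latest record per DeviceId, not-onboarded status, case-insensitive name prefix) and adds the prefix allowlist from the scenarios above, so the effect of the arg_max step and of an exclusion can be checked offline. The DeviceInfo rows, device names and status strings other than "Onboarded" are constructed sample data.

```python
"""Offline model of the KQL hunt: summarize arg_max(Timestamp, *) by DeviceId,
then filter on OnboardingStatus and DeviceName prefix, with an optional allowlist."""

ONBOARDED = "Onboarded"  # same literal the KQL query compares against

# Constructed sample rows covering the DeviceInfo columns the query touches.
# d1 appears twice: first as a minint host, later renamed and onboarded.
SAMPLE_DEVICE_INFO = [
    {"Timestamp": 1, "DeviceId": "d1", "DeviceName": "minint-a1b2c3", "OnboardingStatus": "Can be onboarded"},
    {"Timestamp": 2, "DeviceId": "d1", "DeviceName": "ws-finance-07", "OnboardingStatus": "Onboarded"},
    {"Timestamp": 1, "DeviceId": "d2", "DeviceName": "MININT-9x8y7z", "OnboardingStatus": "Can be onboarded"},
    {"Timestamp": 1, "DeviceId": "d3", "DeviceName": "Dev-VM-01", "OnboardingStatus": "Insufficient info"},
    {"Timestamp": 1, "DeviceId": "d4", "DeviceName": "minint-lab-01", "OnboardingStatus": "Can be onboarded"},
]


def latest_per_device(rows):
    """Equivalent of `summarize arg_max(Timestamp, *) by DeviceId`:
    keep the single most recent row for every DeviceId."""
    latest = {}
    for row in rows:
        current = latest.get(row["DeviceId"])
        if current is None or row["Timestamp"] > current["Timestamp"]:
            latest[row["DeviceId"]] = row
    return list(latest.values())


def hunt_not_onboarded(rows, prefix="minint", excluded_prefixes=()):
    """Return sorted DeviceNames whose latest record is not onboarded and starts
    with `prefix`. `startswith` is case-insensitive as in KQL; the status
    comparison is exact, as KQL's `!=` on strings is. Names starting with any
    entry of `excluded_prefixes` (the page's allowlist scenarios) are dropped."""
    excluded = tuple(p.lower() for p in excluded_prefixes)
    hits = []
    for row in latest_per_device(rows):
        name = row["DeviceName"].lower()
        if row["OnboardingStatus"] == ONBOARDED:
            continue  # device has since been onboarded; not a gap
        if not name.startswith(prefix.lower()):
            continue
        if excluded and name.startswith(excluded):
            continue  # known-good prefix, see the exclusion scenarios
        hits.append(row["DeviceName"])
    return sorted(hits)


if __name__ == "__main__":
    print(hunt_not_onboarded(SAMPLE_DEVICE_INFO))  # ['MININT-9x8y7z', 'minint-lab-01']
```

Note that d1 is not reported even though its first record matched: without the arg_max step a device that was later onboarded would still surface as a stale hit.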