Devices with a specific name suffix that are not onboarded may indicate unauthorized or rogue devices attempting to access the network, as adversaries often use such devices to establish persistent access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration risks.
KQL Query
// Take the latest DeviceInfo record per device, then keep devices that are not onboarded and whose name ends with the suffix
let Onboarded = "Onboarded";
let DeviceNameSuffix = "-pc";
DeviceInfo
| summarize arg_max(Timestamp, *) by DeviceId
| where OnboardingStatus != Onboarded
| where DeviceName endswith DeviceNameSuffix
id: bfb4c0e1-aa4b-45c4-9035-75c9ae63ce21
name: NotOnboarded Devices by DeviceName Suffix
description: |
  This query searches for devices that are not onboarded and whose device name ends with a specific suffix.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
tactics: []
relevantTechniques: []
query: |
  // Take the latest DeviceInfo record per device, then keep devices that are not onboarded and whose name ends with the suffix
  let Onboarded = "Onboarded";
  let DeviceNameSuffix = "-pc";
  DeviceInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | where OnboardingStatus != Onboarded
  | where DeviceName endswith DeviceNameSuffix
Scenario: Scheduled System Backup Job
Description: A scheduled backup job runs on a server with a device name suffix matching the rule (e.g., backup-server-01).
Filter/Exclusion: Exclude devices where the device_type is backup_server or use a filter like device_type NOT IN ('backup_server', 'scheduler').
Scenario: Temporary Development VM
Description: A temporary virtual machine used for development purposes is not onboarded and has a device name suffix matching the rule (e.g., dev-vm-01).
Filter/Exclusion: Exclude devices with a device_role of development or use a filter like device_role NOT IN ('development', 'test').
Scenario: Printer or Network Device with Suffix
Description: A network printer or switch with a device name suffix matching the rule (e.g., printer-01) is not onboarded.
Filter/Exclusion: Exclude devices where the device_category is printer or network_device using a filter like device_category NOT IN ('printer', 'network_device').
Scenario: Admin Task Execution on a Server
Description: An admin task (e.g., using Ansible or Puppet) is executed on a server with a device name suffix matching the rule (e.g., admin-01).
Filter/Exclusion: Exclude devices where the user field is an admin account (e.g., user IN ('admin', 'root')) or use a filter like user NOT IN ('admin', 'root').
Scenario: Legacy Device Not in Active Use
Description: An old, decommissioned device with a device name suffix matching the rule (e.g., legacy-01) is still present in the environment.
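The following Python block is an added example, not part of the original rule or of any Microsoft project; it re-implements the hunting logic from the KQL query above over a small constructed DeviceInfo sample so the two subtle points can be checked offline: the `arg_max` step means a device whose latest record says Onboarded never alerts even if older records say otherwise, and KQL `endswith` is case-insensitive. It also shows one way to apply the false-positive exclusions listed above. The scenario text names fields such as device_type and device_role that are not DeviceInfo columns, so the example keys its exclusion on the real DeviceInfo DeviceCategory column instead; the sample rows, device names and category values are constructed for this example.

```python
from datetime import datetime

# Constructed sample rows mimicking the DeviceInfo columns the query uses
# (Timestamp, DeviceId, DeviceName, OnboardingStatus) plus DeviceCategory and
# DeviceType from the real schema. All values below are made up for this example.
SAMPLE_DEVICEINFO = [
    # dev-a was "Can be onboarded" at first and onboarded a day later: the newest
    # record wins in arg_max, so it must NOT alert.
    {"Timestamp": "2024-01-10T08:00:00Z", "DeviceId": "dev-a", "DeviceName": "finance-pc",
     "OnboardingStatus": "Can be onboarded", "DeviceCategory": "Endpoint", "DeviceType": "Workstation"},
    {"Timestamp": "2024-01-11T09:30:00Z", "DeviceId": "dev-a", "DeviceName": "finance-pc",
     "OnboardingStatus": "Onboarded", "DeviceCategory": "Endpoint", "DeviceType": "Workstation"},
    # dev-b was never onboarded and the suffix matches: should alert.
    {"Timestamp": "2024-01-11T10:00:00Z", "DeviceId": "dev-b", "DeviceName": "lab-pc",
     "OnboardingStatus": "Can be onboarded", "DeviceCategory": "Endpoint", "DeviceType": "Workstation"},
    # dev-c is not onboarded but the suffix does not match: no alert.
    {"Timestamp": "2024-01-11T10:05:00Z", "DeviceId": "dev-c", "DeviceName": "file-srv",
     "OnboardingStatus": "Can be onboarded", "DeviceCategory": "Endpoint", "DeviceType": "Server"},
    # dev-d matches on suffix but is a network device (the printer scenario above):
    # alerts by default, suppressed once the category exclusion is applied.
    {"Timestamp": "2024-01-11T10:10:00Z", "DeviceId": "dev-d", "DeviceName": "print-pc",
     "OnboardingStatus": "Unsupported", "DeviceCategory": "NetworkDevice", "DeviceType": "Printer"},
    # dev-e differs only in case: KQL endswith is case-insensitive, so it alerts too.
    {"Timestamp": "2024-01-11T10:15:00Z", "DeviceId": "dev-e", "DeviceName": "HR-PC",
     "OnboardingStatus": "Can be onboarded", "DeviceCategory": "Endpoint", "DeviceType": "Workstation"},
]


def _parse_ts(value):
    """Parse the ISO-8601 Timestamp string (trailing Z) into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_per_device(rows):
    """Equivalent of `summarize arg_max(Timestamp, *) by DeviceId`: newest row per DeviceId."""
    latest = {}
    for row in rows:
        ts = _parse_ts(row["Timestamp"])
        current = latest.get(row["DeviceId"])
        if current is None or ts > current[0]:
            latest[row["DeviceId"]] = (ts, row)
    return [row for _, row in latest.values()]


def hunt_not_onboarded_by_suffix(rows, suffix="-pc", onboarded="Onboarded",
                                 excluded_categories=frozenset()):
    """Return the sorted DeviceNames that the hunting query would surface.

    Mirrors the KQL filters: latest record per device, OnboardingStatus != Onboarded,
    DeviceName endswith suffix (case-insensitive, like KQL `endswith`), and an optional
    DeviceCategory allowlist standing in for the false-positive exclusions.
    """
    hits = []
    for row in latest_per_device(rows):
        if row["OnboardingStatus"] == onboarded:
            continue
        if not row["DeviceName"].lower().endswith(suffix.lower()):
            continue
        if row["DeviceCategory"] in excluded_categories:
            continue
        hits.append(row["DeviceName"])
    return sorted(hits)


if __name__ == "__main__":
    print("raw hits:     ", hunt_not_onboarded_by_suffix(SAMPLE_DEVICEINFO))
    print("with exclusion:", hunt_not_onboarded_by_suffix(
        SAMPLE_DEVICEINFO, excluded_categories={"NetworkDevice"}))
```

The category exclusion corresponds to appending `| where DeviceCategory !in ("NetworkDevice")` to the KQL query; if only an exact-case suffix should match, use `endswith_cs` instead of `endswith`. Tuning by suffix alone is coarse, so review the excluded categories periodically rather than letting the allowlist grow unchecked.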