Issue
An endpoint appears on the Endpoints page in Red Canary with an "unknown" status in Last Activity Time, and appears in the Microsoft Defender for Endpoint console with the status "Can be onboarded".
Environment
Red Canary + Microsoft Defender for Endpoint
Resolution
The endpoint in question has been discovered but does not currently have the Microsoft Defender for Endpoint sensor installed. See Onboard devices and configure Microsoft Defender for Endpoint capabilities for additional information based on the OS of the endpoint.
Once the sensor has been installed and Red Canary starts processing data, the Last Activity Time for the endpoint will update accordingly.
Should you see an endpoint in Red Canary that you do not want to be onboarded, the recommendation is to decommission the endpoint. See Decommissioning endpoints for additional information.
Cause
Microsoft Defender for Endpoint uses a device discovery process to capture unmanaged devices across your corporate network. Endpoints discovered using this process that meet the minimum requirements for Defender for Endpoint will show in the console with a status of "Can be onboarded". This helps to provide visibility for any endpoints that you may want to monitor through Defender for Endpoint. See Device discovery overview for additional information.