Why does the Last logged in field on an Sentinel (endpoint) in SentinelOne show as "defaultuser1" or "N/A"?
There are two main reasons for this:
- If the endpoint in question is a server, then typically the field will show "N/A" when multiple concurrent users are logged in. See Endpoint Groups and Filters for additional information.
- If the endpoint is a workstation, confirm if the endpoint is Azure AD joined. The issue is related to how the agent receives the AD information locally with a wmi query that does not function for Azure AD joined machines. SentinelOne is planning on addressing this in a future Windows agent release but no ETA has been announced yet.