Skip to main content
Red Canary help

Last Logged in field for a Sentinel (endpoint)

  • Updated .

Issue

Why does the Last logged in field on an Sentinel (endpoint) in SentinelOne show as "defaultuser1" or "N/A"?

mceclip0.png

Environment

SentinelOne

Resolution

There are two main reasons for this:

  • If the endpoint in question is a server, then typically the field will show "N/A" when multiple concurrent users are logged in. See Endpoint Groups and Filters for additional information.
  • If the endpoint is a workstation, confirm if the endpoint is Azure AD joined. The issue is related to how the agent receives the AD information locally with a wmi query that does not function for Azure AD joined machines. SentinelOne is planning on addressing this in a future Windows agent release but no ETA has been announced yet.