---
title: DeviceInfo table in the advanced hunting schema
description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.topic: reference
ms.date: 12/04/2024
---
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
The DeviceInfo table in the advanced hunting schema contains information about devices in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from this table.
> [!IMPORTANT]
> Some information relates to prerelease product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Last date and time recorded for the device |
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| ClientVersion | string | Version of the endpoint agent or sensor running on the device |
| PublicIP | string | Public IP address used by the onboarded device to connect to the Microsoft Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy. |
| OSArchitecture | string | Architecture of the operating system running on the device |
| OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. |
| OSBuild | long | Build version of the operating system running on the device |
| IsAzureADJoined | boolean | Boolean indicator of whether the device is joined to Microsoft Entra ID |
| JoinType | string | The device's Microsoft Entra ID join type |
| AadDeviceId | string | Unique identifier for the device in Microsoft Entra ID |
| LoggedOnUsers | string | List of all users that are logged on to the device at the time of the event, in JSON array format |
| RegistryDeviceTag | string | Device tag added through the registry |
| OSVersion | string | Version of the operating system running on the device |
| MachineGroup | string | Machine group of the device. This group is used by role-based access control to determine access to the device. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
| OnboardingStatus | string | Indicates whether the device is currently onboarded to Microsoft Defender for Endpoint, not onboarded, or not supported |
| AdditionalFields | string | Additional information about the event, in JSON array format |
| DeviceCategory | string | Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown |
| DeviceType | string | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
| DeviceSubtype | string | Additional modifier for certain types of devices; for example, a mobile device can be a tablet or a smartphone. Only available if device discovery finds enough information about this attribute. |
| Model | string | Model name or number of the product from the vendor or manufacturer. Only available if device discovery finds enough information about this attribute. |
| Vendor | string | Name of the product vendor or manufacturer. Only available if device discovery finds enough information about this attribute. |
| OSDistribution | string | Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms |
| OSVersionInfo | string | Additional information about the OS version, such as the popular name, code name, or version number |
| MergedDeviceIds | string | Previous device IDs that have been assigned to the same device |
| MergedToDeviceId | string | The most recent device ID assigned to a device |
| IsInternetFacing | boolean | Indicates whether the device is internet-facing |
| SensorHealthState | string | Indicates the health of the device's EDR sensor, if the device is onboarded to Microsoft Defender for Endpoint |
| IsExcluded | bool | Indicates whether the device is currently excluded from Microsoft Defender for Vulnerability Management experiences |
| ExclusionReason | string | Indicates the reason for the device exclusion |
| ExposureLevel | string | The device's level of vulnerability to exploitation based on its exposure score; possible values: Low, Medium, High |
| AssetValue | string | Priority or value assigned to the device in relation to its importance in computing the organization's exposure score; possible values: Low, Normal (default), High |
| DeviceManualTags | string | Device tags created manually using the portal UI or public API |
| DeviceDynamicTags | string | Device tags added and removed dynamically based on dynamic rules |
| ConnectivityType | string | Type of connectivity from the device to the cloud |
| HostDeviceId | string | Device ID of the host device running Windows Subsystem for Linux |
| AzureResourceId | string | Unique identifier of the Azure resource associated with the device |
| AwsResourceName | string | Unique identifier specific to Amazon Web Services devices, containing the Amazon resource name |
| GcpFullResourceName | string | Unique identifier specific to Google Cloud Platform devices, containing a combination of zone and ID for GCP |
The DeviceInfo table provides device information based on periodic reports or signals (heartbeats) from a device. Complete reports are sent every hour and whenever something has changed since the previous heartbeat, so a device can have several rows per day and the most recent row is the one that reflects its current state.
You can use the following sample query to get the latest state of a device:
```kusto
// Get latest information on user/device
DeviceInfo
| extend IngestionTime = ingestion_time()
| where DeviceName == "example" and isnotempty(OSPlatform)
| summarize arg_max(IngestionTime, *) by DeviceId
```
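The following query is an added example, not part of the original page: it builds on the latest-state pattern above to list internet-facing, high-exposure devices whose EDR sensor is not reported as healthy, together with how many accounts were logged on at the last heartbeat. It takes each device's most recent record first and only then filters on state, so a device whose earlier heartbeat matched but whose latest one no longer does is not reported. The OnboardingStatus and SensorHealthState string literals and the UserName key inside the LoggedOnUsers JSON are assumptions.

```kusto
// Added example (not from the original page): current state of every device
// first, then filter, so stale heartbeats cannot produce false positives.
DeviceInfo
| where Timestamp > ago(7d) and isnotempty(OSPlatform)
| extend IngestionTime = ingestion_time()
// Keep only the most recently ingested record per device ...
| summarize arg_max(IngestionTime, *) by DeviceId
// ... and only then apply the state filters (literal values are assumptions).
| where OnboardingStatus == "Onboarded"
    and IsInternetFacing == true
    and ExposureLevel == "High"
    and SensorHealthState != "Active"
// LoggedOnUsers is a JSON array string; parse it once and derive summary fields.
// The UserName key is an assumption about the array's element shape.
| extend Users = parse_json(LoggedOnUsers)
| extend LoggedOnUserCount = array_length(Users),
         FirstLoggedOnUser = tostring(Users[0].UserName)
| project Timestamp, DeviceName, DeviceId, OSPlatform, OSVersion,
          SensorHealthState, AssetValue, PublicIP, MachineGroup,
          LoggedOnUserCount, FirstLoggedOnUser
| order by Timestamp desc
```

Devices that have never reported OSPlatform are excluded up front, matching the original query, because such rows carry too little state to rank.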