advanced-hunting-devicetvminfogatheringkb-table.md

File metadata and controls

88 lines (69 loc) · 3.67 KB
---
title: DeviceTvmInfoGatheringKB table in the advanced hunting schema
description: Learn about the metadata for assessment events in the DeviceTvmInfoGathering table of the advanced hunting schema.
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords: NOCSH
ms.author: maccruz
author: schmurky
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security
- tier3
ms.custom:
- cx-ti
- cx-ah
ms.topic: reference
ms.date: 01/16/2024
---

# DeviceTvmInfoGatheringKB

[!INCLUDE Microsoft Defender XDR rebranding]

**Applies to:**

- Microsoft Defender XDR
- Microsoft Defender for Endpoint

> [!IMPORTANT]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The `DeviceTvmInfoGatheringKB` table in the advanced hunting schema contains metadata for the Microsoft Defender Vulnerability Management assessment event data collected in the `DeviceTvmInfoGathering` table. It lists the configuration and attack surface assessments that Defender Vulnerability Management information gathering uses to assess devices, so each row describes one kind of finding that can appear in the `AdditionalFields` column of `DeviceTvmInfoGathering`. Use this reference to construct queries that return information from the table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| `IgId` | `string` | Unique identifier for the piece of information gathered |
| `FieldName` | `string` | Name of the field where this information appears in the `AdditionalFields` column of the `DeviceTvmInfoGathering` table |
| `Description` | `string` | Description of the information gathered |
| `Categories` | `dynamic` | List of categories that the information belongs to, in JSON array format |
| `DataStructure` | `string` | The data structure of the information gathered |

You can use this table to explore the kinds of information available in `DeviceTvmInfoGathering`, then use what you learn (field names, categories, data structures) to fine-tune your hunting query.

For instance, to see the list of information being collected, you can try the following query:

```kusto
// Check out what is being collected
DeviceTvmInfoGatheringKB
```

If, from those results, you become interested in the available categories, you can use the following query:

```kusto
// Return all available categories
DeviceTvmInfoGatheringKB
| mv-expand Categories to typeof(string)
| distinct Categories
```

Then, let's say you want to see the assessment categories involving the TLS protocol:

```kusto
// Return all findings for a specified category
DeviceTvmInfoGatheringKB
| where Categories contains "tls"
```

Using the resulting fields, you can then use the `DeviceTvmInfoGathering` table to get a list of devices using TLS client version 1.0.

```kusto
// Return all devices on which the TLS version 1.0 is enabled
DeviceTvmInfoGathering
| where AdditionalFields.TlsClient10 == "Enabled" or AdditionalFields.TlsServer10 == "Enabled"
```
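The four queries above hard-code the field names they found in the KB table. The following query, added here as an example and not part of the Microsoft Learn page, joins the two steps: it lets `DeviceTvmInfoGatheringKB` supply the set of TLS-related `FieldName` values, then expands each device's `AdditionalFields` bag and keeps only the keys that the KB flagged as TLS-related. It assumes that `DeviceTvmInfoGathering` exposes `DeviceId` and `DeviceName` columns (not listed on this page) and that the relevant settings report the string value `"Enabled"`, as the page's own `TlsClient10`/`TlsServer10` query does.

```kusto
// Added example, not Microsoft's own query: let the KB table drive the hunt.
// Step 1: collect the AdditionalFields keys whose Categories list mentions TLS.
let TlsFields =
    DeviceTvmInfoGatheringKB
    | where Categories contains "tls"
    | distinct FieldName;
// Step 2: one row per (device, key) from the AdditionalFields property bag,
// restricted to keys the KB flagged as TLS-related and currently set to "Enabled".
// Assumption: DeviceId and DeviceName exist on DeviceTvmInfoGathering (not listed on this page).
DeviceTvmInfoGathering
| mv-expand Field = bag_keys(AdditionalFields) to typeof(string)
| where Field in (TlsFields)
| extend Value = tostring(AdditionalFields[Field])
| where Value == "Enabled"
| summarize EnabledTlsSettings = make_set(Field) by DeviceId, DeviceName
| order by array_length(EnabledTlsSettings) desc
```

Because the `Categories` match only says a field is about TLS, not whether "Enabled" is good or bad (a current TLS version being enabled is the desired state), review the `FieldName` and `Description` values returned by the KB query first and narrow `TlsFields` to the settings your baseline treats as weak before using the result for remediation.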

## Related topics