Field | Value |
---|---|
title | DeviceTvmInfoGatheringKB table in the advanced hunting schema |
description | Learn about the metadata for assessment events in the DeviceTvmInfoGathering table of the advanced hunting schema. |
search.appverid | met150 |
ms.service | defender-xdr |
ms.subservice | adv-hunting |
f1.keywords | |
ms.author | maccruz |
author | schmurky |
ms.localizationpriority | medium |
manager | dansimp |
audience | ITPro |
ms.collection | |
ms.custom | |
ms.topic | reference |
ms.date | 01/16/2024 |
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmInfoGatheringKB table in the advanced hunting schema contains metadata for Microsoft Defender Vulnerability Management assessment events data collected in the DeviceTvmInfoGathering table. The DeviceTvmInfoGatheringKB table contains the list of various configuration and attack surface area assessments used by Defender Vulnerability Management information gathering to assess devices. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Column name | Data type | Description |
---|---|---|
IgId | string | Unique identifier for the piece of information gathered |
FieldName | string | Name of the field where this information appears in the AdditionalFields column of the DeviceTvmInfoGathering table |
Description | string | Description of the information gathered |
Categories | dynamic | List of categories that the information belongs to, in JSON array format |
DataStructure | string | The data structure of the information gathered |
You can use this table to explore the kinds of information available in DeviceTvmInfoGathering so you can later fine-tune your hunting query.
For instance, to see the list of information being collected, you can try the following query:

```kusto
// Check out what is being collected
DeviceTvmInfoGatheringKB
```
If the results make you interested in the available categories, you can use the following query:

```kusto
// Return all available categories
DeviceTvmInfoGatheringKB
| mv-expand Categories to typeof(string)
| distinct Categories
```
Then, let's say you want to see the assessment categories involving the TLS protocol:

```kusto
// Return all findings for a specified category
DeviceTvmInfoGatheringKB
| where Categories contains "tls"
```
Using the resulting fields, you can then use the DeviceTvmInfoGathering table to get a list of devices using TLS client version 1.0.

```kusto
// Return all devices on which the TLS version 1.0 is enabled
DeviceTvmInfoGathering
| where AdditionalFields.TlsClient10 == "Enabled" or AdditionalFields.TlsServer10 == "Enabled"
```
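The following added example (not part of the original page) generalizes the last step: instead of hard-coding field names, it takes every FieldName in a category from the KB table and matches it against the keys of AdditionalFields. To stay self-contained it runs on constructed `datatable` stand-ins named `KB` and `Gathering`; the IgId values, descriptions, `ExampleOtherField`, and device names are constructed, and the `DeviceName` column is assumed to be present in DeviceTvmInfoGathering.

```kusto
// Constructed stand-in for DeviceTvmInfoGatheringKB (sample rows, not real KB content)
let KB = datatable(IgId:string, FieldName:string, Description:string, Categories:dynamic, DataStructure:string)
[
    "ig-0001", "TlsClient10", "Constructed: TLS 1.0 client state", dynamic(["tls"]), "string",
    "ig-0002", "TlsServer10", "Constructed: TLS 1.0 server state", dynamic(["tls"]), "string",
    "ig-0003", "ExampleOtherField", "Constructed: unrelated assessment", dynamic(["other"]), "string"
];
// Constructed stand-in for DeviceTvmInfoGathering (DeviceName column is an assumption)
let Gathering = datatable(DeviceName:string, AdditionalFields:dynamic)
[
    "host-a", dynamic({"TlsClient10":"Enabled","TlsServer10":"Disabled","ExampleOtherField":"x"}),
    "host-b", dynamic({"TlsClient10":"Disabled","TlsServer10":"Disabled"}),
    "host-c", dynamic({"TlsServer10":"Enabled"})
];
// Field names that belong to the chosen category, read from the KB metadata
let TlsFields = KB
    | mv-expand Category = Categories to typeof(string)
    | where Category =~ "tls"
    | project FieldName, Description;
Gathering
// Turn each AdditionalFields property into a [key, value] pair, one row per pair
| mv-expand bagexpansion=array Field = AdditionalFields
| extend FieldName = tostring(Field[0]), Value = tostring(Field[1])
// Keep only the fields the KB lists under the category, and attach their description
| join kind=inner (TlsFields) on FieldName
| where Value == "Enabled"
| project DeviceName, FieldName, Value, Description
| order by DeviceName asc, FieldName asc
```

To run it against live data, drop the two `datatable` definitions and replace `KB` and `Gathering` with DeviceTvmInfoGatheringKB and DeviceTvmInfoGathering.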