0
(0)

 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

The DeviceInfo table in the advanced hunting schema contains information about devices in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from this table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

TABLE 1
Column name Data type Description
Timestamp datetime Date and time when the event was recorded
DeviceId string Unique identifier for the machine in the service
DeviceName string Fully qualified domain name (FQDN) of the machine
ClientVersion string Version of the endpoint agent or sensor running on the machine
PublicIP string Public IP address used by the onboarded machine to connect to the Microsoft Defender for Endpoint service. This could be the IP address of the machine itself, a NAT device, or a proxy
OSArchitecture string Architecture of the operating system running on the machine
OSPlatform string Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7.
OSBuild string Build version of the operating system running on the machine
IsAzureADJoined boolean Boolean indicator of whether machine is joined to the Azure Active Directory
AadObjectId string Unique identifier for the device in Azure AD
LoggedOnUsers string List of all users that are logged on the machine at the time of the event in JSON array format
RegistryDeviceTag string Machine tag added through the registry
OSVersion string Version of the operating system running on the machine
MachineGroup string Machine group of the machine. This group is used by role-based access control to determine access to the machine
ReportId long Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns
OnboardingStatus string Indicates whether the device is currently onboarded or not to Microsoft Defender for Endpoint or if the device is not supported
AdditionalFields string Additional information about the event in JSON array format
DeviceCategory string Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown
DeviceType string Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer
DeviceSubType string Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute
Model string Model name or number of the product from the vendor or manufacturer, only available if device discovery finds enough information about this attribute
Vendor string Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute
OSDistribution string Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms
OSVersionInfo string Additional information about the OS version, such as the popular name, code name, or version number
MergedDeviceIds string Previous device IDs that have been assigned to the same device
MergedToDeviceId string The most recent device ID assigned to a device

The DeviceInfo table provides device information based on heartbeats, which are periodic reports or signals from a device. Every fifteen minutes, the device sends a partial heartbeat that contains frequently changing attributes like LoggedOnUsers. Once a day, a full heartbeat containing the device’s attributes is sent.

You can use the following sample query to get the latest state of a device:

Kusto

// Get latest information on user/device
DeviceInfo
| where DeviceName == "example" and isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceId 

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.