Machine information, including OS information
| Attribute | Value |
|---|---|
| Category | MDE |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AadDeviceId | string | Unique identifier for the device in Azure Active Directory. |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AssetValue | string | Indicates the value of a device as assigned by the user. |
| AwsResourceName | string | Unique identifier of the AWS resource associated with the device. |
| AzureResourceId | string | Unique identifier of the Azure resource associated with the device. |
| AzureVmId | string | Unique identifier assigned to the device in Azure. |
| AzureVmSubscriptionId | string | Unique identifier of the Azure subscription associated with the device. |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine. |
| CloudPlatforms | string | The cloud platforms that the device belongs to; can be Azure, Amazon Web Services, Google Cloud Platform, and Azure Arc. |
| DeviceCategory | string | Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown. |
| DeviceDynamicTags | string | Device tags added and removed dynamically based on dynamic rules. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceManualTags | string | Device tags created manually using the portal UI or public API. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| DeviceObjectId | string | Unique identifier for the device in Azure AD. |
| DeviceSubtype | string | Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute. |
| DeviceType | string | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer. |
| ExclusionReason | string | Indicates the reason for device exclusion. |
| ExposureLevel | string | Indicates the exposure level of a device. |
| GcpFullResourceName | string | Unique identifier of the AWS resource associated with the device. |
| HardwareUuid | string | Universally Unique Identifier (UUID) of the device's hardware. |
| HostDeviceId | string | Device ID of the device running Windows Subsystem for Linux. |
| IsAzureADJoined | bool | Boolean indicator of whether the machine is joined to Azure Active Directory. |
| IsExcluded | bool | Determines if the device is currently excluded from Microsoft Defender for Vulnerability Management experiences. |
| IsInternetFacing | bool | Indicates whether the device is internet-facing. |
| IsTransient | bool | Indicates whether this device is classified as short-lived or transient based on the frequency of appearance of the device on the network. |
| JoinType | string | The device's Azure Active Directory join type. |
| LoggedOnUsers | dynamic | List of all users that are logged on to the machine at the time of the event, in JSON array format. |
| MachineGroup | string | Machine group used to determine access to the machine and apply group-specific settings. |
| MergedDeviceIds | string | Previous device IDs that have been assigned to the same device. |
| MergedToDeviceId | string | The most recent device ID assigned to a device. |
| MitigationStatus | string | Indicates the mitigation action applied to a device. |
| Model | string | Model name or number of the product from the vendor or manufacturer, only available if device discovery finds enough information about this attribute. |
| OnboardingStatus | string | Indicates whether the device is currently onboarded to Microsoft Defender for Endpoint, or whether the device is not supported. |
| OSArchitecture | string | Architecture of the operating system running on the machine. |
| OSBuild | long | Build version of the operating system running on the machine. |
| OsBuildRevision | string | Build revision number of the operating system running on the machine. |
| OSDistribution | string | Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms. |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| OSVersion | string | Version of the operating system running on the machine. |
| OSVersionInfo | string | Additional information about the OS version, such as the popular name, code name, or version number. |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryDeviceTag | string | Device tag added through the registry. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| RestrictedDeviceSecurityOperations | string | The response categories that have been turned off on a device if its security operations setting is set to restricted. If the device's security operations setting is set to full operations, the value is null. |
| SensorHealthState | string | Indicates health of the device's EDR sensor, if onboarded to Microsoft Defender For Endpoint. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time the event was recorded by the MDE agent on the endpoint. |
| Type | string | The name of the table |
| Vendor | string | Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Terminated employee exfiltration to USB drive | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| AV detections related to SpringShell Vulnerability | |
| AV detections related to Tarrask malware | |
In solution Microsoft Entra ID:
| Analytic Rule | Selection Criteria |
|---|---|
| [Deprecated] Explicit MFA Deny | |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| AV detections related to Zinc actors | |
Standalone Content:
In solution Microsoft Business Applications:
| Hunting Query | Selection Criteria |
|---|---|
| Dataverse - Dataverse export copied to USB devices | |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| MDE_Find_Out_of_date_clients | |
| MDE_FindstatuschangefromExposurelevel | |
| MDE_ListAllNotOnboardedEnpoints | |
GitHub Only:
In solution HIPAA Compliance:
| Workbook | Selection Criteria |
|---|---|
| HIPAACompliance | |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForEndPoint | ActionType in "FileCreated,UsbDriveMounted" |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| DoDZeroTrustWorkbook | ActionType == "AntivirusScanCompleted" |
| ExchangeCompromiseHunting | ActionType == "FileCreated" |
| MicrosoftDefenderForEndPoint | ActionType in "FileCreated,UsbDriveMounted" |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SentinelWorkspaceReconTools | |
| ZeroTrustStrategyWorkbook | ActionType == "AntivirusScanCompleted" |
References by type: 0 connectors, 1 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType in "FileCreated,UsbDriveMounted" | - | 1 | - | - | 1 |
| Total | 0 | 1 | 0 | 0 | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| FileCreated | - | 1 | - | - | 1 |
| UsbDriveMounted | - | 1 | - | - | 1 |