Which table in Sentinel shows information about Devices at risk?

Question

Which table in Sentinel shows information about Devices at risk?

Georgi Palazov 286

Hello,

I'm looking to query the devices at risk which are being reported from Microsoft Endpoint, but I want to query them in Sentinel.

I've looked at different Device* tables, but none give some kind of risk score or a way to identify if the current device is at risk.

Am I missing something?

1 answer

Your answer

Answer 1

Andrew Blumhardt 10,056 Microsoft Employee

If you look at the DeviceInfo in the MDE advanced hunting there is an Exposure Score in the table. It does not appear that the same column is included in Sentinel. I know there are some other examples of inconsistency with the data connector. I am not sure if this is a bug or if there was a technical reason/blocker.

You might look into the Sentinel Triage Assistant. It has a module for enriching incidents with MDE data including risk score. https://github.com/briandelmsft/SentinelAutomationModules

Georgi Palazov 286 Reputation points

2023-06-20T06:01:29.2733333+00:00

Where can I raise this question to Microsoft(if not raised already) whether they will consider including the Exposure Score in the Sentinel table as well?
Andrew Blumhardt 10,056 Reputation points Microsoft Employee

2023-06-22T01:16:37.31+00:00

This is a start. I know questions have been raised internally about missing columns. If you have Microsoft support contacts, share your feedback with them. The product team is open to feedback but getting their attention is not always easy.

Share via

Which table in Sentinel shows information about Devices at risk?

1 answer

Your answer