How to read Machine/Device Dynamic Tags from Graph Security API

Lucas Krupinski 10 Reputation points
2024-12-30T20:04:36.0466667+00:00

I have spent a bit of time creating dynamic tagging rules in Defender, in hopes of using those tags to facilitate reporting and am running into an issue plus an inconsistency.

First, the inconsistency: In Defender, endpoints are referred to as Devices, tags are Device Tags. In Security Center's Graph API, endpoints are referred to as Machines and the Tags are MachineTags. It's a small difference, but I feel like it's making it harder to find an answer.

The issue: When I retrieve Machine data from https://api.security.microsoft.com/api/machines, it only provides Manually applied tags rather than Dynamic tags. The only way I can so far figure out to retrieve these machine tags is through Threat Hunting queries against DeviceInfo table, where both sets of tags are present as DeviceManualTag and DeviceDynamicTag.

Has anyone else figured out how to coax the machine API endpoint into returning Dynamic tags? Or is using the threat hunting endpoint the only solution at the moment?

And to Microsoft: any timeframe for adding DynamicTags to the data returned from the machine api?


1 answer

  1. Pauline Mbabu 840 Reputation points Microsoft Employee
    2025-01-23T08:19:29.5133333+00:00

    Hello @Lucas Krupinski ,
    The Microsoft Graph Security API currently does not support fetching dynamic tags directly. The dynamic tags are not exposed in the Machine entity of the Security API. It only provides the manually applied tags and system-added tags (Registry).

    Unfortunately, I couldn't find any way to have the endpoint return the dynamic Tags. As a workaround, you could continue using the Threat Hunting queries against the DeviceInfo table as you're currently doing, as it does provide both manual and dynamic tags.
    If you would like to have this added as a Feature request, kindly do so by opening a support ticket by following this guidance https://learn.microsoft.com/en-us/services-hub/unified/support/open-support-requests?tabs=existing-support-request-process.

    If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.

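The workaround discussed in this thread, as an added example (not code from either poster or from Microsoft): query DeviceInfo through the advanced hunting endpoint and join the dynamic tags onto the records returned by /api/machines. Assumptions: the bearer token is obtained elsewhere, the function names and the 7-day lookback are hypothetical choices, and the tag columns are read under their DeviceInfo schema names DeviceManualTags and DeviceDynamicTags.

```python
import json
import urllib.request
API = "https://api.security.microsoft.com/api"
# Latest DeviceInfo row per device; the tag columns hold JSON arrays as strings.
TAG_QUERY = """
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, DeviceManualTags, DeviceDynamicTags) by DeviceId
"""
# Constructed sample data (not real devices) in the shapes the two endpoints return.
SAMPLE_MACHINES = [{"id": "aaa111", "computerDnsName": "srv01", "machineTags": ["manual-tag"]},
                   {"id": "bbb222", "computerDnsName": "wks02", "machineTags": []}]
SAMPLE_HUNTING = {"Results": [{"DeviceId": "aaa111", "DeviceManualTags": '["manual-tag"]',
                               "DeviceDynamicTags": '["Servers","Tier0"]'}]}

def parse_tags(cell):
    """Return a tag cell (JSON-array string, list, empty or null) as a list."""
    if isinstance(cell, str):
        try:
            cell = json.loads(cell)
        except ValueError:
            return [cell] if cell else []   # plain string: treat as one tag
    if not cell:
        return []
    return [str(t) for t in cell] if isinstance(cell, list) else [str(cell)]

def dynamic_tags_by_device(hunting_response):
    """Map DeviceId -> dynamic tags from an advanced hunting response body."""
    return {row["DeviceId"]: parse_tags(row.get("DeviceDynamicTags"))
            for row in hunting_response.get("Results", [])}

def enrich_machines(machines, hunting_response):
    """Add a 'dynamicTags' key to each /api/machines record (id == DeviceId)."""
    dyn = dynamic_tags_by_device(hunting_response)
    return [{**m, "dynamicTags": dyn.get(m["id"], [])} for m in machines]

def call_api(path, token, body=None):
    """GET, or POST when a JSON body is given, against the Defender API."""
    req = urllib.request.Request(
        API + path,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_enriched(token):
    """Live path; token must be allowed to read machines and run hunting queries."""
    hunting = call_api("/advancedhunting/run", token, {"Query": TAG_QUERY})
    return enrich_machines(call_api("/machines", token)["value"], hunting)  # first page only
```

Devices with no DeviceInfo row inside the lookback window come back with an empty `dynamicTags` list, so a reporting job should treat an empty list as "unknown" rather than "untagged" for machines that have been offline longer than that.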
