deviceEvidence resource type
Namespace: microsoft.graph.security
A device that is reported in the alert.
Inherits from alertEvidence.
Properties
| Property | Type | Description |
|---|---|---|
| azureAdDeviceId | String | A unique identifier assigned to a device by Microsoft Entra ID when device is Microsoft Entra joined. |
| defenderAvStatus | microsoft.graph.security.defenderAvStatus | State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue. |
| deviceDnsName | String | The fully qualified domain name (FQDN) for the device. |
| dnsDomain | String | The DNS domain that this computer belongs to. A sequence of labels separated by dots. |
| firstSeenDateTime | DateTimeOffset | The date and time when the device was first seen. |
| healthStatus | microsoft.graph.security.deviceHealthStatus | The health state of the device. The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue. |
| hostName | String | The hostname without the domain suffix. |
| ipInterfaces | String collection | Ip interfaces of the device during the time of the alert. |
| loggedOnUsers | microsoft.graph.security.loggedOnUser collection | Users that were logged on the machine during the time of the alert. |
| mdeDeviceId | String | A unique identifier assigned to a device by Microsoft Defender for Endpoint. |
| ntDomain | String | A logical grouping of computers within a Microsoft Windows network. |
| onboardingStatus | microsoft.graph.security.onboardingStatus | The status of the machine onboarding to Microsoft Defender for Endpoint. The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. |
| osBuild | Int64 | The build version for the operating system the device is running. |
| osPlatform | String | The operating system platform the device is running. |
| rbacGroupId | Int32 | The ID of the role-based access control (RBAC) device group. |
| rbacGroupName | String | The name of the RBAC device group. |
| riskScore | microsoft.graph.security.deviceRiskScore | Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue. |
| version | String | The version of the operating system platform. |
| vmMetadata | microsoft.graph.security.vmMetadata | Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running. |
defenderAvStatus values
| Member | Description |
|---|---|
| notReporting | Defender AntiMalware engine isn't reporting. |
| disabled | Defender AntiMalware engine has been disabled. |
| notUpdated | Defender AntiMalware engine isn't up to date. |
| updated | Defender AntiMalware engine is up to date. |
| unknown | State of Defender AntiMalware engine is unknown. |
| notSupported | Defender AntiMalware engine isn't supported on this platform. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceHealthStatus values
| Member | Description |
|---|---|
| active | Device is active and reporting to all channels. |
| inactive | Device isn't reporting to any channel. |
| impairedCommunication | Device isn't connected to the CnC. |
| noSensorData | Device isn't sending telemetry. |
| noSensorDataImpairedCommunication | Device isn't connected to the CnC and not sending telemetry. |
| unknown | Device state is unknown |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceRiskScore values
| Member | Description |
|---|---|
| none | There are no alerts related to this device. |
| informational | Device only has 'informational' level alerts. |
| low | Device only has 'low' or 'informational' alerts. |
| medium | Device has 'medium' or lower severity alerts. |
| high | Device has 'high' severity alerts and is at risk. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
onboardingStatus values
| Member | Description |
|---|---|
| unknown | Unknown onboarding status |
| insufficientInfo | Onboarding status can't be determined. |
| onboarded | Device is onboarded to service. |
| canBeOnboarded | Device is eligible to be onboarded to service. |
| unsupported | Device isn't supported by service. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.deviceEvidence",
"azureAdDeviceId": "String",
"createdDateTime": "String (timestamp)",
"defenderAvStatus": "String",
"detailedRoles": ["String"],
"deviceDnsName": "String",
"dnsDomain": "String",
"firstSeenDateTime": "String (timestamp)",
"healthStatus": "String",
"hostName": "String",
"ipInterfaces": ["String"],
"loggedOnUsers": [{"@odata.type": "microsoft.graph.security.loggedOnUser"}],
"mdeDeviceId": "String",
"ntDomain": "String",
"onboardingStatus": "String",
"osBuild": "Int64",
"osPlatform": "String",
"rbacGroupId": "Int32",
"rbacGroupName": "String",
"remediationStatus": "String",
"remediationStatusDetails": "String",
"riskScore": "String",
"roles": ["String"],
"tags": ["String"],
"verdict": "String",
"version": "String",
"vmMetadata": {"@odata.type": "microsoft.graph.security.vmMetadata"}
}