deviceEvidence resource type
Namespace: microsoft.graph.security
A device that is reported in the alert.
Inherits from alertEvidence.
Properties
Property | Type | Description |
---|---|---|
azureAdDeviceId | String | A unique identifier assigned to a device by Azure Active Directory (Azure AD) when the device is Azure AD-joined. |
defenderAvStatus | microsoft.graph.security.defenderAvStatus | State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue. |
deviceDnsName | String | The fully qualified domain name (FQDN) for the device. |
firstSeenDateTime | DateTimeOffset | The date and time when the device was first seen. |
healthStatus | microsoft.graph.security.deviceHealthStatus | The health state of the device. The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue. |
ipInterfaces | String collection | IP interfaces of the device during the time of the alert. |
loggedOnUsers | microsoft.graph.security.loggedOnUser collection | Users that were logged on the machine during the time of the alert. |
mdeDeviceId | String | A unique identifier assigned to a device by Microsoft Defender for Endpoint. |
onboardingStatus | microsoft.graph.security.onboardingStatus | The status of the machine onboarding to Microsoft Defender for Endpoint. The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. |
osBuild | Int64 | The build version for the operating system the device is running. |
osPlatform | String | The operating system platform the device is running. |
rbacGroupId | Int32 | The ID of the role-based access control (RBAC) device group. |
rbacGroupName | String | The name of the RBAC device group. |
riskScore | microsoft.graph.security.deviceRiskScore | Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue. |
version | String | The version of the operating system platform. |
vmMetadata | microsoft.graph.security.vmMetadata | Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running. |
defenderAvStatus values
Member | Description |
---|---|
notReporting | Defender AntiMalware engine isn't reporting. |
disabled | Defender AntiMalware engine has been disabled. |
notUpdated | Defender AntiMalware engine isn't up to date. |
updated | Defender AntiMalware engine is up to date. |
unknown | State of Defender AntiMalware engine is unknown. |
notSupported | Defender AntiMalware engine isn't supported on this platform. |
unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceHealthStatus values
Member | Description |
---|---|
active | Device is active and reporting to all channels. |
inactive | Device isn't reporting to any channel. |
impairedCommunication | Device isn't connected to the CnC. |
noSensorData | Device isn't sending telemetry. |
noSensorDataImpairedCommunication | Device isn't connected to the CnC and not sending telemetry. |
unknown | Device state is unknown. |
unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceRiskScore values
Member | Description |
---|---|
none | There are no alerts related to this device. |
informational | Device only has 'informational' level alerts. |
low | Device only has 'low' or 'informational' alerts. |
medium | Device has 'medium' or lower severity alerts. |
high | Device has 'high' severity alerts and is at risk. |
unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
onboardingStatus values
Member | Description |
---|---|
unknown | Unknown onboarding status. |
insufficientInfo | Onboarding status can't be determined. |
onboarded | Device is onboarded to service. |
canBeOnboarded | Device is eligible to be onboarded to service. |
unsupported | Device isn't supported by service. |
unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
Relationships
None.
JSON representation
Here's a JSON representation of the resource.
{
  "@odata.type": "#microsoft.graph.security.deviceEvidence",
  "createdDateTime": "String (timestamp)",
  "verdict": "String",
  "remediationStatus": "String",
  "remediationStatusDetails": "String",
  "roles": [
    "String"
  ],
  "detailedRoles": [
    "String"
  ],
  "tags": [
    "String"
  ],
  "firstSeenDateTime": "String (timestamp)",
  "mdeDeviceId": "String",
  "azureAdDeviceId": "String",
  "deviceDnsName": "String",
  "osPlatform": "String",
  "osBuild": "Integer",
  "version": "String",
  "rbacGroupId": "Integer",
  "rbacGroupName": "String",
  "healthStatus": "String",
  "riskScore": "String",
  "onboardingStatus": "String",
  "defenderAvStatus": "String",
  "vmMetadata": {
    "@odata.type": "microsoft.graph.security.vmMetadata"
  },
  "ipInterfaces": [
    "String"
  ],
  "loggedOnUsers": [
    {
      "@odata.type": "microsoft.graph.security.loggedOnUser"
    }
  ]
}
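The following is an added example, not part of the original reference page or Microsoft's code: a triage helper that reads the state fields of deviceEvidence entries and reports devices whose sensor or antimalware coverage is degraded, treating unknownFutureValue, missing fields and unrecognized members as gaps instead of as healthy. The function names, the choice of which member counts as healthy, and the sample evidence are assumptions of this example.

```python
# Enum members copied from this page's tables; unknownFutureValue is left out on purpose.
KNOWN = {
    "healthStatus": {"active", "inactive", "impairedCommunication", "noSensorData",
                     "noSensorDataImpairedCommunication", "unknown"},
    "defenderAvStatus": {"notReporting", "disabled", "notUpdated", "updated",
                         "unknown", "notSupported"},
    "onboardingStatus": {"unknown", "insufficientInfo", "onboarded",
                         "canBeOnboarded", "unsupported"},
    "riskScore": {"none", "informational", "low", "medium", "high"},
}
# Assumption of this example: the one member per field that means coverage is intact.
HEALTHY = {"healthStatus": "active", "defenderAvStatus": "updated",
           "onboardingStatus": "onboarded"}
DEVICE_TYPE = "#microsoft.graph.security.deviceEvidence"

def coverage_gaps(evidence):
    """List the reasons this device's telemetry or protection is degraded."""
    gaps = []
    for field, members in KNOWN.items():
        value = evidence.get(field)
        if value not in members:
            # Missing, unknownFutureValue, or a newer member: fail closed for review.
            gaps.append(f"{field}={value!r} (unrecognized)")
        elif field in HEALTHY and value != HEALTHY[field]:
            gaps.append(f"{field}={value}")
    return gaps

def triage(evidence_list):
    """Map mdeDeviceId -> gaps for each deviceEvidence entry that has any."""
    report = {}
    for item in evidence_list:
        if item.get("@odata.type") != DEVICE_TYPE:
            continue  # other alertEvidence subtypes are out of scope here
        gaps = coverage_gaps(item)
        if gaps:
            report[item.get("mdeDeviceId", "<no mdeDeviceId>")] = gaps
    return report

# Constructed sample evidence (not real alert data).
SAMPLE = [
    {"@odata.type": DEVICE_TYPE, "mdeDeviceId": "dev-a", "healthStatus": "active",
     "defenderAvStatus": "updated", "onboardingStatus": "onboarded", "riskScore": "high"},
    {"@odata.type": DEVICE_TYPE, "mdeDeviceId": "dev-b", "healthStatus": "noSensorData",
     "defenderAvStatus": "disabled", "onboardingStatus": "onboarded", "riskScore": "medium"},
    {"@odata.type": DEVICE_TYPE, "mdeDeviceId": "dev-c", "healthStatus": "unknownFutureValue",
     "defenderAvStatus": "updated", "onboardingStatus": "onboarded", "riskScore": "low"},
    {"@odata.type": "#microsoft.graph.security.userEvidence"},
]
```

A device that appears in the report has reduced telemetry or protection, so the absence of further alerts from it should not be read as the absence of activity.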