deviceEvidence resource type
Namespace: microsoft.graph.security
A device that is reported in the alert.
Inherits from alertEvidence.
Properties
| Property | Type | Description |
|---|---|---|
| azureAdDeviceId | String | A unique identifier assigned to a device by Azure Active Directory (Azure AD) when device is Azure AD-joined. |
| defenderAvStatus | microsoft.graph.security.defenderAvStatus | State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue. |
| deviceDnsName | String | The fully qualified domain name (FQDN) for the device. |
| firstSeenDateTime | DateTimeOffset | The date and time when the device was first seen. |
| healthStatus | microsoft.graph.security.deviceHealthStatus | The health state of the device. The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue. |
| ipInterfaces | String collection | Ip interfaces of the device during the time of the alert. |
| loggedOnUsers | microsoft.graph.security.loggedOnUser collection | Users that were logged on the machine during the time of the alert. |
| mdeDeviceId | String | A unique identifier assigned to a device by Microsoft Defender for Endpoint. |
| onboardingStatus | microsoft.graph.security.onboardingStatus | The status of the machine onboarding to Microsoft Defender for Endpoint. The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. |
| osBuild | Int64 | The build version for the operating system the device is running. |
| osPlatform | String | The operating system platform the device is running. |
| rbacGroupId | Int32 | The ID of the role-based access control (RBAC) device group. |
| rbacGroupName | String | The name of the RBAC device group. |
| riskScore | microsoft.graph.security.deviceRiskScore | Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue. |
| version | String | The version of the operating system platform. |
| vmMetadata | microsoft.graph.security.vmMetadata | Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running. |
defenderAvStatus values
| Member | Description |
|---|---|
| notReporting | Defender AntiMalware engine isn't reporting. |
| disabled | Defender AntiMalware engine has been disabled. |
| notUpdated | Defender AntiMalware engine isn't up to date. |
| updated | Defender AntiMalware engine is up to date. |
| unknown | State of Defender AntiMalware engine is unknown. |
| notSupported | Defender AntiMalware engine isn't supported on this platform. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceHealthStatus values
| Member | Description |
|---|---|
| active | Device is active and reporting to all channels. |
| inactive | Device isn't reporting to any channel. |
| impairedCommunication | Device isn't connected to the CnC. |
| noSensorData | Device isn't sending telemetry. |
| noSensorDataImpairedCommunication | Device isn't connected to the CnC and not sending telemetry. |
| unknown | Device state is unknown |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceRiskScore values
| Member | Description |
|---|---|
| none | There are no alerts related to this device. |
| informational | Device only has 'informational' level alerts. |
| low | Device only has 'low' or 'informational' alerts. |
| medium | Device has 'medium' or lower severity alerts. |
| high | Device has 'high' severity alerts and is at risk. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
onboardingStatus values
| Member | Description |
|---|---|
| unknown | Unknown onboarding status |
| insufficientInfo | Onboarding status can't be determined. |
| onboarded | Device is onboarded to service. |
| canBeOnboarded | Device is eligible to be onboarded to service. |
| unsupported | Device isn't supported by service. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
Relationships
None.
JSON representation
Here's a JSON representation of the resource.
{
"@odata.type": "#microsoft.graph.security.deviceEvidence",
"createdDateTime": "String (timestamp)",
"verdict": "String",
"remediationStatus": "String",
"remediationStatusDetails": "String",
"roles": [
"String"
],
"detailedRoles": [
"String"
],
"tags": [
"String"
],
"firstSeenDateTime": "String (timestamp)",
"mdeDeviceId": "String",
"azureAdDeviceId": "String",
"deviceDnsName": "String",
"osPlatform": "String",
"osBuild": "Integer",
"version": "String",
"rbacGroupId": "Integer",
"rbacGroupName": "String",
"healthStatus": "String",
"riskScore": "String",
"onboardingStatus": "String",
"defenderAvStatus": "String",
"vmMetadata": {
"@odata.type": "microsoft.graph.security.vmMetadata"
},
"ipInterfaces": [
"String"
],
"loggedOnUsers": [
{
"@odata.type": "microsoft.graph.security.loggedOnUser"
}
]
}
Feedback
Submit and view feedback for