deviceEvidence resource type

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

A device that is reported in the alert.

Inherits from alertEvidence. The inherited properties (createdDateTime, detailedRoles, remediationStatus, remediationStatusDetails, roles, tags, verdict) are not repeated in the table below but appear in the JSON representation.

Properties

| Property | Type | Description |
|---|---|---|
| azureAdDeviceId | String | A unique identifier assigned to a device by Microsoft Entra ID when the device is Microsoft Entra joined. |
| defenderAvStatus | microsoft.graph.security.defenderAvStatus | State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue. |
| deviceDnsName | String | The fully qualified domain name (FQDN) of the device. |
| dnsDomain | String | The DNS domain that this computer belongs to: a sequence of labels separated by dots. |
| firstSeenDateTime | DateTimeOffset | The date and time when the device was first seen. |
| healthStatus | microsoft.graph.security.deviceHealthStatus | The health state of the device. The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue. |
| hostName | String | The hostname without the domain suffix. |
| ipInterfaces | String collection | IP interfaces of the device at the time of the alert. |
| loggedOnUsers | microsoft.graph.security.loggedOnUser collection | Users that were logged on to the machine at the time of the alert. |
| mdeDeviceId | String | A unique identifier assigned to a device by Microsoft Defender for Endpoint. |
| ntDomain | String | A logical grouping of computers within a Microsoft Windows network. |
| onboardingStatus | microsoft.graph.security.onboardingStatus | The status of the machine's onboarding to Microsoft Defender for Endpoint. The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. |
| osBuild | Int64 | The build version of the operating system the device is running. |
| osPlatform | String | The operating system platform the device is running. |
| rbacGroupId | Int32 | The ID of the role-based access control device group. |
| rbacGroupName | String | The name of the role-based access control device group. |
| riskScore | microsoft.graph.security.deviceRiskScore | Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue. |
| version | String | The version of the operating system platform. |
| vmMetadata | microsoft.graph.security.vmMetadata | Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running. |

defenderAvStatus values

| Member | Description |
|---|---|
| notReporting | Defender AntiMalware engine isn't reporting. |
| disabled | Defender AntiMalware engine has been disabled. |
| notUpdated | Defender AntiMalware engine isn't up to date. |
| updated | Defender AntiMalware engine is up to date. |
| unknown | State of the Defender AntiMalware engine is unknown. |
| notSupported | Defender AntiMalware engine isn't supported on this platform. |
| unknownFutureValue | Sentinel value for the evolvable enumeration pattern. |

deviceHealthStatus values

| Member | Description |
|---|---|
| active | Device is active and reporting to all channels. |
| inactive | Device isn't reporting to any channel. |
| impairedCommunication | Device isn't connected to the CnC. |
| noSensorData | Device isn't sending telemetry. |
| noSensorDataImpairedCommunication | Device isn't connected to the CnC and isn't sending telemetry. |
| unknown | Device state is unknown. |
| unknownFutureValue | Sentinel value for the evolvable enumeration pattern. |

deviceRiskScore values

| Member | Description |
|---|---|
| none | There are no alerts related to this device. |
| informational | Device only has 'informational' level alerts. |
| low | Device only has 'low' or 'informational' alerts. |
| medium | Device has 'medium' or lower severity alerts. |
| high | Device has 'high' severity alerts and is at risk. |
| unknownFutureValue | Sentinel value for the evolvable enumeration pattern. |

onboardingStatus values

| Member | Description |
|---|---|
| unknown | Unknown onboarding status. |
| insufficientInfo | Onboarding status can't be determined. |
| onboarded | Device is onboarded to the service. |
| canBeOnboarded | Device is eligible to be onboarded to the service. |
| unsupported | Device isn't supported by the service. |
| unknownFutureValue | Sentinel value for the evolvable enumeration pattern. |

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.security.deviceEvidence",
  "azureAdDeviceId": "String",
  "createdDateTime": "String (timestamp)",
  "defenderAvStatus": "String",
  "detailedRoles": ["String"],
  "deviceDnsName": "String",
  "dnsDomain": "String",
  "firstSeenDateTime": "String (timestamp)",
  "healthStatus": "String",
  "hostName": "String",
  "ipInterfaces": ["String"],
  "loggedOnUsers": [{"@odata.type": "microsoft.graph.security.loggedOnUser"}],
  "mdeDeviceId": "String",
  "ntDomain": "String",
  "onboardingStatus": "String",
  "osBuild": "Integer",
  "osPlatform": "String",
  "rbacGroupId": "Integer",
  "rbacGroupName": "String",
  "remediationStatus": "String",
  "remediationStatusDetails": "String",
  "riskScore": "String",
  "roles": ["String"],
  "tags": ["String"],
  "verdict": "String",
  "version": "String",
  "vmMetadata": {"@odata.type": "microsoft.graph.security.vmMetadata"}
}
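The following is an added example, not code from Microsoft Graph or this reference page. It shows how a SOC script would pick the deviceEvidence entries out of an alert's mixed evidence collection using the @odata.type discriminator, and then use the defenderAvStatus, healthStatus, onboardingStatus and riskScore enumerations above to decide which devices need attention. The alert payload is constructed inline (host names, device IDs and the userEvidence entry are made up, not real data), and the function names and the triage thresholds are this example's own choices. Because the enumerations are evolvable, the code treats unknownFutureValue or any member it does not recognize as a finding rather than silently ignoring it.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Discriminator value from the JSON representation above.
DEVICE_EVIDENCE_TYPE = "#microsoft.graph.security.deviceEvidence"

# Enumeration members taken from the tables on this page. Anything outside
# these sets (including unknownFutureValue) is treated as "not recognized".
AV_HEALTHY = {"updated"}
HEALTH_HEALTHY = {"active"}
RISK_ORDER = {"none": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}

# Constructed alert payload (hypothetical IDs and host names, not real data).
SAMPLE_ALERT: Dict[str, Any] = json.loads("""
{
  "id": "constructed-alert-id",
  "evidence": [
    {"@odata.type": "#microsoft.graph.security.deviceEvidence",
     "hostName": "ws-finance-07", "mdeDeviceId": "constructed-mde-id-0001",
     "defenderAvStatus": "notUpdated", "healthStatus": "active",
     "onboardingStatus": "onboarded", "riskScore": "high",
     "osPlatform": "Windows11", "osBuild": 22631},
    {"@odata.type": "#microsoft.graph.security.deviceEvidence",
     "hostName": "srv-build-02", "mdeDeviceId": "constructed-mde-id-0002",
     "defenderAvStatus": "updated", "healthStatus": "active",
     "onboardingStatus": "onboarded", "riskScore": "low"},
    {"@odata.type": "#microsoft.graph.security.userEvidence",
     "userAccount": {"accountName": "constructed.user"}},
    {"@odata.type": "#microsoft.graph.security.deviceEvidence",
     "hostName": "lab-new-01", "mdeDeviceId": "",
     "defenderAvStatus": "unknownFutureValue", "healthStatus": "noSensorData",
     "onboardingStatus": "canBeOnboarded", "riskScore": "unknownFutureValue"}
  ]
}
""")


@dataclass
class DeviceTriage:
    host_name: str
    mde_device_id: str
    risk_score: str
    findings: List[str] = field(default_factory=list)

    @property
    def needs_attention(self) -> bool:
        return bool(self.findings)


def device_evidence(alert: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return only the evidence entries that are deviceEvidence objects.

    An alert's evidence collection mixes several alertEvidence subtypes;
    the @odata.type discriminator tells them apart.
    """
    return [e for e in alert.get("evidence", [])
            if e.get("@odata.type") == DEVICE_EVIDENCE_TYPE]


def triage_device(ev: Dict[str, Any]) -> DeviceTriage:
    """Apply this example's (hypothetical) triage rules to one device."""
    t = DeviceTriage(
        host_name=ev.get("hostName", "<unknown>"),
        mde_device_id=ev.get("mdeDeviceId", ""),
        risk_score=ev.get("riskScore", "unknownFutureValue"),
    )
    av = ev.get("defenderAvStatus")
    if av not in AV_HEALTHY:            # notReporting, disabled, notUpdated, ...
        t.findings.append(f"defenderAvStatus={av}")
    health = ev.get("healthStatus")
    if health not in HEALTH_HEALTHY:    # inactive, impairedCommunication, ...
        t.findings.append(f"healthStatus={health}")
    onboarding = ev.get("onboardingStatus")
    if onboarding != "onboarded":       # canBeOnboarded means no sensor coverage
        t.findings.append(f"onboardingStatus={onboarding}")
    # Flag medium-or-higher risk, and any value this code does not recognize.
    if t.risk_score not in RISK_ORDER or RISK_ORDER[t.risk_score] >= RISK_ORDER["medium"]:
        t.findings.append(f"riskScore={t.risk_score}")
    return t


def summarize_alert(alert: Dict[str, Any]) -> List[DeviceTriage]:
    """Triage every device in the alert, highest risk first.

    Unrecognized riskScore values sort above 'high' so they are reviewed
    instead of being buried at the bottom of the list.
    """
    triages = [triage_device(e) for e in device_evidence(alert)]
    triages.sort(key=lambda t: RISK_ORDER.get(t.risk_score, len(RISK_ORDER)), reverse=True)
    return triages


if __name__ == "__main__":
    for t in summarize_alert(SAMPLE_ALERT):
        flag = "ATTENTION" if t.needs_attention else "ok"
        print(f"{t.host_name:<14} risk={t.risk_score:<18} {flag} {t.findings}")
```

In the constructed payload, ws-finance-07 is flagged for an out-of-date Defender engine and a high risk score, srv-build-02 passes every check, and lab-new-01 is surfaced first because its riskScore is a member this code does not know, alongside its missing sensor data and not-yet-onboarded status.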