Machine resource type
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
For better performance, you can use server closer to your geo location:
Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|List machines||machine collection||List set of machine entities in the org.|
|Get machine||machine||Get a machine by its identity.|
|Get logged on users||user collection||Get the set of User that logged on to the machine.|
|Get related alerts||alert collection||Get the set of alert entities that were raised on the machine.|
|Get installed software||software collection||Retrieves a collection of installed software related to a given machine ID.|
|Get discovered vulnerabilities||vulnerability collection||Retrieves a collection of discovered vulnerabilities related to a given machine ID.|
|Get security recommendations||recommendation collection||Retrieves a collection of security recommendations related to a given machine ID.|
|Add or Remove machine tags||machine||Add or Remove tag to a specific machine.|
|Find machines by IP||machine collection||Find machines seen with IP.|
|Find machines by tag||machine collection||Find machines by Tag.|
|Get missing KBs||KB collection||Get a list of missing KBs associated with the machine ID|
|Set device value||machine collection||Set the value of a device.|
|Update machine||machine collection||Get the update status of a machine.|
|computerDnsName||String||machine fully qualified name.|
|firstSeen||DateTimeOffset||First date and time where the machine was observed by Microsoft Defender for Endpoint.|
|lastSeen||DateTimeOffset||Time and date of the last received full device report. A device typically sends a full report every 24 hours.
NOTE: This property doesn't correspond to the last seen value in the UI. It pertains to the last device update.
|osPlatform||String||Operating system platform.|
|onboardingstatus||String||Status of machine onboarding. Possible values are: "onboarded", "CanBeOnboarded", "Unsupported", and "InsufficientInfo".|
|osProcessor||String||Operating system processor. Use osArchitecture property instead.|
|version||String||Operating system Version.|
|osBuild||Nullable long||Operating system build number.|
|lastIpAddress||String||Last IP on local NIC on the machine.|
|lastExternalIpAddress||String||Last IP through which the machine accessed the internet.|
|healthStatus||Enum||machine health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".|
|rbacGroupName||String||Machine group Name.|
|rbacGroupId||String||Machine group ID.|
|riskScore||Nullable Enum||Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.|
|aadDeviceId||Nullable representation Guid||Microsoft Entra Device ID (when machine is Microsoft Entra joined).|
|machineTags||String collection||Set of machine tags.|
|exposureLevel||Nullable Enum||Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.|
|deviceValue||Nullable Enum||The value of the device. Possible values are: 'Normal', 'Low' and 'High'.|
|ipAddresses||IpAddress collection||Set of IpAddress objects. See Get machines API.|
|osArchitecture||String||Operating system architecture. Possible values are: "32-bit", "64-bit". Use this property instead of osProcessor.|
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.