DeviceInfo
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
The DeviceInfo table in the advanced hunting schema contains information about devices in the organization, including OS version, active users, and computer name. Use this reference to construct queries that return information from this table.
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
DeviceId |
string |
Unique identifier for the machine in the service |
DeviceName |
string |
Fully qualified domain name (FQDN) of the machine |
ClientVersion |
string |
Version of the endpoint agent or sensor running on the machine |
PublicIP |
string |
Public IP address used by the onboarded machine to connect to the Microsoft Defender for Endpoint service. This could be the IP address of the machine itself, a NAT device, or a proxy |
OSArchitecture |
string |
Architecture of the operating system running on the machine |
OSPlatform |
string |
Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |
OSBuild |
long |
Build version of the operating system running on the machine |
IsAzureADJoined |
boolean |
Boolean indicator of whether machine is joined to the Microsoft Entra ID |
AadDeviceId |
string |
Unique identifier for the device in Microsoft Entra ID |
LoggedOnUsers |
string |
List of all users that are logged on the machine at the time of the event in JSON array format |
RegistryDeviceTag |
string |
Machine tag added through the registry |
OSVersion |
string |
Version of the operating system running on the machine |
MachineGroup |
string |
Machine group of the machine. This group is used by role-based access control to determine access to the machine |
ReportId |
long |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
OnboardingStatus |
string |
Indicates whether the device is currently onboarded or not to Microsoft Defender for Endpoint or if the device is not supported |
AdditionalFields |
string |
Additional information about the event in JSON array format |
DeviceCategory |
string |
Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown |
DeviceType |
string |
Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
DeviceSubtype |
string |
Additional modifier for certain types of devices, for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute |
Model |
string |
Model name or number of the product from the vendor or manufacturer, only available if device discovery finds enough information about this attribute |
Vendor |
string |
Name of the product vendor or manufacturer, only available if device discovery finds enough information about this attribute |
OSDistribution |
string |
Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms |
OSVersionInfo |
string |
Additional information about the OS version, such as the popular name, code name, or version number |
MergedDeviceIds |
string |
Previous device IDs that have been assigned to the same device |
MergedToDeviceId |
string |
The most recent device ID assigned to a device |
SensorHealthState |
string |
Indicates health of the device's EDR sensor, if onboarded to Microsoft Defender For Endpoint |
IsExcluded |
bool |
Determines if the device is currently excluded from Microsoft Defender for Vulnerability Management experiences |
ExclusionReason |
string |
Indicates the reason for device exclusion |
AssetValue |
string |
Indicates the value of a device as assigned by the user |
ExposureLevel |
string |
Indicates the exposure level of a device |
IsInternetFacing |
boolean |
Indicates whether the device is internet-facing |
DeviceManualTags |
string |
Device tags created manually using the portal UI or public API |
DeviceDynamicTags |
string |
Device tags assigned automatically using dynamic tagging rules |
The DeviceInfo table provides device information based on periodic reports or signals (heartbeats) from a device. Complete reports are sent every hour and every time a change happens to a previous heartbeat.
You can use the following sample query to get the latest state of a device:
// Get latest information on user/device
DeviceInfo
| where DeviceName == "example" and isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceId
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Submit and view feedback for