Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
DeviceTvmInfoGatheringKB table in the advanced hunting schema contains metadata for Microsoft Defender Vulnerability Management assessment events data collected in the
DeviceTvmInfoGathering table. The
DeviceTvmInfoGatheringKB table contains the list of various configuration and attack surface area assessments used by Defender Vulnerability Management information gathering to assess devices. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
|Column name||Data type||Description|
||Unique identifier for the piece of information gathered|
||Name of the field where this information appears in the AdditionalFields column of the DeviceTvmInfoGathering table|
||Description of the information gathered|
||List of categories that the information belongs to, in JSON array format|
||The data structure of the information gathered|
You can use this table to explore the kinds of information available in
DeviceTvmInfoGathering so you can later fine-tune your hunting query.
For instance, to see the list of information being collected, you can try the following query:
// Check out what is being collected DeviceTvmInfoGatheringKB
From the results, say you become interested in the available categories, you can use the following query:
// Return all available categories DeviceTvmInfoGatheringKB | mv-expand Categories to typeof(string) | distinct Categories
Then, let's say you want to see the assessment categories involving the TLS protocol:
// Return all findings for a specified category DeviceTvmInfoGatheringKB | where Categories contains "tls"
Using the resulting fields, you can then use the
DeviceTvmInfoGathering table to get a list of devices using TLS client version 1.0.
// Return all devices on which the TLS version 1.0 is enabled DeviceTvmInfoGathering | where AdditionalFields.TlsClient10 == "Enabled" or AdditionalFields.TlsServer10 == "Enabled"
- Understand the schema
- Apply query best practices
- Overview Defender Vulnerability Management
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.