Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The DeviceTvmInfoGatheringKB table in the advanced hunting schema contains metadata for Microsoft Defender Vulnerability Management assessment events data collected in the DeviceTvmInfoGathering table. The DeviceTvmInfoGatheringKB table contains the list of various configuration and attack surface area assessments used by Defender Vulnerability Management information gathering to assess devices. Use this reference to construct queries that return information from the table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
IgId string Unique identifier for the piece of information gathered
FieldName string Name of the field where this information appears in the AdditionalFields column of the DeviceTvmInfoGathering table
Description string Description of the information gathered
Categories string List of categories that the information belongs to, in JSON array format
DataStructure string The data structure of the information gathered

You can use this table to explore the kinds of information available in DeviceTvmInfoGathering so you can later fine-tune your hunting query.

For instance, to see the list of information being collected, you can try the following query:

// Check out what is being collected 

From the results, say you become interested in the available categories, you can use the following query:

// Return all available categories 
| mv-expand Categories to typeof(string) 
| distinct Categories 

Then, let's say you want to see the assessment categories involving the TLS protocol:

// Return all findings for a specified category 
| where Categories contains "tls" 

Using the resulting fields, you can then use the DeviceTvmInfoGathering table to get a list of devices using TLS client version 1.0.

// Return all devices on which the TLS version 1.0 is enabled 
| where AdditionalFields.TlsClient10 == "Enabled" or AdditionalFields.TlsServer10 == "Enabled"