DeviceTvmInfoGathering
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmInfoGathering table in the advanced hunting schema contains Microsoft Defender Vulnerability Management assessment events including the status of various configurations and attack surface area states of devices. You can use this table to hunt for assessment events related to mitigation for zero-days, posture assessment for emerging threats supporting threat analytics mitigation status reports, enabled TLS protocol versions on servers, and more. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the record was generated |
LastSeenTime |
datetime |
Date and time when the service last saw the device |
DeviceId |
string |
Unique identifier for the device in the service |
DeviceName |
string |
Fully qualified domain name (FQDN) of the device |
OSPlatform |
string |
Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
AdditionalFields |
dynamic |
Additional information about the entity or event |
For example, to view devices affected by the Log4Shell vulnerability where the workaround mitigation hasn't been applied yet, or has been applied and is pending reboot, you can use the following query.
DeviceTvmInfoGathering
| where AdditionalFields.Log4JEnvironmentVariableMitigation in ("RebootRequired", "false")
| join kind=inner (
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2021-44228"
) on DeviceId
| summarize any(DeviceName), any(AdditionalFields.Log4JEnvironmentVariableMitigation) by DeviceId
Related topics
- DeviceTvmInfoGatheringKB
- Understand the schema
- Apply query best practices
- Overview of Defender Vulnerability Management
- Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.