deviceEvidence resource type
Namespace: microsoft.graph.security
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
A device that is reported in the alert.
Inherits from alertEvidence.
Properties
| Property | Type | Description |
|---|---|---|
| azureAdDeviceId | String | A unique identifier assigned to a device by Microsoft Entra ID when device is Microsoft Entra joined. |
| defenderAvStatus | microsoft.graph.security.defenderAvStatus | State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue. |
| deviceDnsName | String | The fully qualified domain name (FQDN) for the device. |
| dnsDomain | String | The DNS domain that this computer belongs to. A sequence of labels separated by dots. |
| firstSeenDateTime | DateTimeOffset | The date and time when the device was first seen. |
| healthStatus | microsoft.graph.security.deviceHealthStatus | The health state of the device. The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue. |
| hostName | String | The hostname without the domain suffix. |
| ipInterfaces | String collection | Ip interfaces of the device during the time of the alert. |
| loggedOnUsers | microsoft.graph.security.loggedOnUser collection | Users that were logged on the machine during the time of the alert. |
| mdeDeviceId | String | A unique identifier assigned to a device by Microsoft Defender for Endpoint. |
| ntDomain | String | A logical grouping of computers within a Microsoft Windows network. |
| onboardingStatus | microsoft.graph.security.onboardingStatus | The status of the machine onboarding to Microsoft Defender for Endpoint. The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue. |
| osBuild | Int64 | The build version for the operating system the device is running. |
| osPlatform | String | The operating system platform the device is running. |
| rbacGroupId | Int32 | The ID of the role-based access control device group. |
| rbacGroupName | String | The name of the role-based access control device group. |
| riskScore | microsoft.graph.security.deviceRiskScore | Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue. |
| version | String | The version of the operating system platform. |
| vmMetadata | microsoft.graph.security.vmMetadata | Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running. |
defenderAvStatus values
| Member | Description |
|---|---|
| notReporting | Defender AntiMalware engine isn't reporting. |
| disabled | Defender AntiMalware engine has been disabled. |
| notUpdated | Defender AntiMalware engine isn't up to date. |
| updated | Defender AntiMalware engine is up to date. |
| unknown | State of Defender AntiMalware engine is unknown. |
| notSupported | Defender AntiMalware engine isn't supported on this platform. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceHealthStatus values
| Member | Description |
|---|---|
| active | Device is active and reporting to all channels. |
| inactive | Device isn't reporting to any channel. |
| impairedCommunication | Device isn't connected to the CnC. |
| noSensorData | Device isn't sending telemetry. |
| noSensorDataImpairedCommunication | Device isn't connected to the CnC and not sending telemetry. |
| unknown | Device state is unknown |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
deviceRiskScore values
| Member | Description |
|---|---|
| none | There are no alerts related to this device. |
| informational | Device only has 'informational' level alerts. |
| low | Device only has 'low' or 'informational' alerts. |
| medium | Device has 'medium' or lower severity alerts. |
| high | Device has 'high' severity alerts and is at risk. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
onboardingStatus values
| Member | Description |
|---|---|
| unknown | Unknown onboarding status |
| insufficientInfo | Onboarding status can't be determined. |
| onboarded | Device is onboarded to service. |
| canBeOnboarded | Device is eligible to be onboarded to service. |
| unsupported | Device isn't supported by service. |
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.deviceEvidence",
"azureAdDeviceId": "String",
"createdDateTime": "String (timestamp)",
"defenderAvStatus": "String",
"detailedRoles": ["String"],
"deviceDnsName": "String",
"dnsDomain": "String",
"firstSeenDateTime": "String (timestamp)",
"healthStatus": "String",
"hostName": "String",
"ipInterfaces": ["String"],
"loggedOnUsers": [{"@odata.type": "microsoft.graph.security.loggedOnUser"}],
"mdeDeviceId": "String",
"ntDomain": "String",
"onboardingStatus": "String",
"osBuild": "Integer",
"osPlatform": "String",
"rbacGroupId": "Integer",
"rbacGroupName": "String",
"remediationStatus": "String",
"remediationStatusDetails": "String",
"riskScore": "String",
"roles": ["String"],
"tags": ["String"],
"verdict": "String",
"version": "String",
"vmMetadata": {"@odata.type": "microsoft.graph.security.vmMetadata"}
}