AadDeviceId | Unique identifier for the device in Microsoft Entra ID | String |
AdditionalFields | Additional information about the entity or event | String |
AssetValue | Priority or value assigned to the device in relation to its importance in computing the organization’s exposure score; can be: Low, Normal (Default), High | String |
AwsResourceName | Unique identifier specific to Amazon Web Services devices, containing the Amazon Resource Name | String |
AzureResourceId | | String |
AzureVmId | Unique identifier assigned to the device in Azure | String |
AzureVmSubscriptionId | Unique identifier of the Azure subscription associated with the device | String |
ClientVersion | Version of the endpoint agent or sensor running on the machine | String |
CloudPlatforms | The cloud platforms that the device belongs to; can be Azure, Amazon Web Services, Google Cloud Platform and Azure Arc | String |
ConnectivityType | Type of connectivity from the device to the cloud | String |
DeviceCategory | Broader classification that groups certain device types under the following categories: Endpoint, Network device, IoT, Unknown | String |
DeviceDynamicTags | Device tags added and removed dynamically based on dynamic rules | String |
DeviceId | Unique identifier for the device in the service | String |
DeviceManualTags | Device tags created manually using the portal UI or public API | String |
DeviceName | Fully qualified domain name (FQDN) of the device | String |
DeviceSubtype | Additional modifier for certain types of devices; for example, a mobile device can be a tablet or a smartphone; only available if device discovery finds enough information about this attribute | String |
DeviceType | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer | String |
ExclusionReason | The reason for the device being excluded | String |
ExposureLevel | The device’s level of vulnerability to exploitation based on its exposure score; can be: Low, Medium, High | String |
GcpFullResourceName | Unique identifier specific to Google Cloud Platform devices, containing a combination of zone and ID | String |
HardwareUuid | Universally Unique Identifier (UUID) of the device’s hardware | String |
HostDeviceId | Device ID of the device running Windows Subsystem for Linux | String |
IsAzureADJoined | Boolean indicator of whether the machine is joined to Microsoft Entra ID | Boolean |
IsExcluded | Determines if the device is excluded from different views and reports in the portal | Boolean |
IsInternetFacing | Indicates whether the device is internet-facing | Boolean |
JoinType | The device’s Microsoft Entra ID join type | String |
LoggedOnUsers | List of all users that are logged on to the machine at the time of the event, in JSON array format | String |
MachineGroup | Machine group of the machine. This group is used by role-based access control to determine access to the machine | String |
MergedDeviceIds | Previous device IDs that have been assigned to the same device | String |
MergedToDeviceId | The most recent device ID assigned to a device | String |
MitigationStatus | Indicates the mitigation action applied to a device | String |
Model | Model name or number of the product from the vendor or manufacturer; only available if device discovery finds enough information about this attribute | String |
OnboardingStatus | Indicates whether the device is currently onboarded to Microsoft Defender for Endpoint, or if the device is not supported | String |
OSArchitecture | Architecture of the operating system running on the machine | String |
OSBuild | Build version of the operating system running on the machine | Int64 |
OSDistribution | Distribution of the OS platform, such as Ubuntu or RedHat for Linux platforms | String |
OSPlatform | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | String |
OSVersion | Version of the operating system running on the machine | String |
OSVersionInfo | Additional information about the OS version, such as the popular name, code name, or version number | String |
PublicIP | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | String |
RegistryDeviceTag | Device tag added through the registry | String |
ReportId | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. | Int64 |
SensorHealthState | Indicates health of the device’s EDR sensor, if onboarded to Microsoft Defender for Endpoint | String |
SourceSystem | | String |
TenantId | | String |
TimeGenerated | | DateTime |
Timestamp | Date and time when the record was generated | DateTime |
Type | | String |
Vendor | Name of the product vendor or manufacturer; only available if device discovery finds enough information about this attribute | String |