Device Security
Microsoft Defender XDR Attribute Reference
This reference lists the attributes that Device Security collects from Microsoft Defender XDR,
their names as stored in Device Security, and the Device Security device fields
they map to.
When Device Security integrates with Microsoft Defender XDR, it imports
endpoint and vulnerability data to enrich the device inventory. The attributes in this
reference cover device records, interface data, and vulnerability findings from the
Defender XDR platform.
The third-party attribute name in Device Security refers to the attribute name
as it appears in the Assets Inventory table and in Query Engine. This follows the format
of third-party-name.attribute-name.
In the Assets Inventory table column selector and on a Device Details page, the
third-party name appears as a header for the attributes section, so it is removed
from the attribute name.
For example, microsoft_defender_xdr.macAddress would appear in the
Query Builder and in the Assets Inventory table, but under Device Details > Attributes > Integration Specific Attributes > Microsoft Defender, the attribute would appear as macAddress.
Device Attributes
Device Security collects device attributes from the Microsoft Defender XDR API. The following table lists each Microsoft Defender XDR attribute, its name as stored in Device Security, and the Device Security device field it maps to (if applicable).

| Microsoft Defender XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| "Windows Defender" | — | Endpoint Protection Vendor | Endpoint protection vendor name indicating Windows Defender as the active protection agent |
| aadDeviceId | microsoft_defender_xdr.aadDeviceId | — | Azure AD device identifier |
| agentVersion | microsoft_defender_xdr.agentVersion | — | Agent version installed |
| computerDnsName | microsoft_defender_xdr.computerDnsName | Hostname | Computer DNS name |
| defenderAvStatus | microsoft_defender_xdr.defenderAvStatus | — | Defender antivirus status |
| deviceValue | microsoft_defender_xdr.deviceValue | — | Value classification of device |
| exposureLevel | microsoft_defender_xdr.exposureLevel | — | Exposure level of device |
| firstSeen | microsoft_defender_xdr.firstSeen | First Seen | Date when device was first seen |
| healthStatus | microsoft_defender_xdr.healthStatus | Endpoint Protection | Health status of device |
| ipAddresses | microsoft_defender_xdr.ipAddresses | — | IP addresses attribute collected from Microsoft Defender XDR |
| isAadJoined | microsoft_defender_xdr.isAadJoined | AD Join Status | Whether device is Azure AD joined |
| isExcluded | microsoft_defender_xdr.isExcluded | — | Whether device is excluded |
| lastExternalIpAddress | microsoft_defender_xdr.lastExternalIpAddress | public_ip_address | Last external IP address |
| lastIpAddress | microsoft_defender_xdr.lastIpAddress | ipv4_address | Last IP address of device |
| lastMacAddress | — | MAC; id | Last MAC address attribute collected from Microsoft Defender XDR |
| lastSeen | microsoft_defender_xdr.lastSeen | Last Third-Party Activity | Date when device was last seen |
| machineTags | microsoft_defender_xdr.machineTags | — | Tags assigned to machine |
| managedBy | microsoft_defender_xdr.managedBy | — | Management authority |
| managedByStatus | microsoft_defender_xdr.managedByStatus | — | Management status |
| onboardingStatus | microsoft_defender_xdr.onboardingStatus | — | Onboarding status of device |
| osBuild | microsoft_defender_xdr.osBuild | OS Build Number | Operating system build number |
| osPlatform | microsoft_defender_xdr.osPlatform | os_name; raw_os | Operating system platform |
| osVersion | microsoft_defender_xdr.osVersion | — | Operating system version |
| rbacGroupId | microsoft_defender_xdr.rbacGroupId | — | RBAC group identifier |
| rbacGroupName | microsoft_defender_xdr.rbacGroupName | — | RBAC group name |
| riskScore | microsoft_defender_xdr.riskScore | — | Risk score of device |
| software | microsoft_defender_xdr.software | third_party_learned_installed_software | Software information |
| version | microsoft_defender_xdr.version | OS Version | Version number |

Interface Attributes
Device Security collects network interface attributes from the Microsoft Defender XDR API. The following table lists each Microsoft Defender XDR interface attribute, its name as stored in Device Security, and the Device Security field it maps to (if applicable).

| Microsoft Defender XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| ipAddresses | microsoft_defender_xdr.ipAddresses | third_party_learned_network_interfaces | IP addresses attribute collected from Microsoft Defender XDR |
| lastIpAddress | microsoft_defender_xdr.ipAddress | ipv4_address | IP address of device |
| lastMacAddress | microsoft_defender_xdr.macAddress | MAC; id | MAC address of device |

Vulnerability Attributes
Device Security collects vulnerability attributes from the Microsoft Defender XDR API. The following table lists each Microsoft Defender XDR vulnerability attribute, its name as stored in Device Security, and the Device Security vulnerability field it maps to (if applicable).

| Microsoft Defender XDR Attribute | Device Security Attribute Name | Device Security Common Attribute* | Description |
|---|---|---|---|
| cveSupportability | microsoft_defender_xdr.cveSupportability | — | CVE supportability information |
| cvssV3 | microsoft_defender_xdr.cvssV3 | cvss_v3base_score | CVSS v3 score |
| cvssVector | microsoft_defender_xdr.cvssVector | — | CVSS vector |
| description | microsoft_defender_xdr.description | Description | Description text |
| epss | microsoft_defender_xdr.epss | — | EPSS score |
| exploitInKit | microsoft_defender_xdr.exploitInKit | — | Whether exploit is part of an exploit kit |
| exploitTypes | microsoft_defender_xdr.exploitTypes | — | Types of known exploits |
| exploitVerified | microsoft_defender_xdr.exploitVerified | — | Whether exploit has been independently verified |
| exposedMachines | microsoft_defender_xdr.exposedMachines | — | Total number of machines exposed to this vulnerability |
| firstDetected | microsoft_defender_xdr.firstDetected | detected_time | Date when first detected |
| id | microsoft_defender_xdr.id | cve | CVE identifier |
| machine_id | microsoft_defender_xdr.machine_id | — | Machine identifier |
| machine_mac | microsoft_defender_xdr.machine_mac | id | MAC address of machine affected by vulnerability |
| name | microsoft_defender_xdr.name | — | Name identifier |
| patchFirstAvailable | microsoft_defender_xdr.patchFirstAvailable | — | Date when patch was first available |
| publicExploit | microsoft_defender_xdr.publicExploit | — | Public exploit information |
| publishedOn | microsoft_defender_xdr.publishedOn | — | Date when published |
| severity | microsoft_defender_xdr.severity | risk_level | Severity level |
| status | microsoft_defender_xdr.status | — | Current vulnerability status or resolution state |
| tags | microsoft_defender_xdr.tags | — | Associated tags |
| updatedOn | microsoft_defender_xdr.updatedOn | — | Date when updated |

* Only some attributes map to a Device Security Common Attribute.