Microsoft Defender · Schema
Machine
Represents a device (machine) that has communicated with Microsoft Defender for Endpoint, including its health status, risk assessment, and configuration details.
Properties
| Name | Type | Description |
|---|---|---|
| id | string | The unique machine identity. |
| computerDnsName | string | The fully qualified domain name of the machine. |
| firstSeen | string | The date and time when the machine was first observed by Microsoft Defender for Endpoint. |
| lastSeen | string | The time and date of the last received full device report. A device typically sends a full report every 24 hours. |
| osPlatform | string | The operating system platform. |
| onboardingStatus | string | The onboarding status of the machine. |
| osProcessor | string | The operating system processor. Deprecated in favor of osArchitecture. |
| version | string or null | The operating system version. |
| osBuild | integer or null | The operating system build number. |
| lastIpAddress | string or null | The last IP address on the local NIC of the machine. |
| lastExternalIpAddress | string or null | The last IP address through which the machine accessed the internet. |
| healthStatus | string | The machine health status. |
| rbacGroupName | string or null | The machine group name. |
| rbacGroupId | integer or null | The machine group ID. |
| riskScore | string or null | The risk score as evaluated by Microsoft Defender for Endpoint. |
| aadDeviceId | string or null | The Microsoft Entra Device ID (when the machine is Microsoft Entra joined). |
| machineTags | array | Set of machine tags. |
| exposureLevel | string or null | The exposure level as evaluated by Microsoft Defender for Endpoint. |
| deviceValue | string or null | The value of the device. |
| ipAddresses | array | Set of IP address objects associated with the machine. |
| osArchitecture | string or null | The operating system architecture. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/Machine",
"title": "Machine",
"type": "object",
"description": "Represents a device (machine) that has communicated with Microsoft Defender for Endpoint, including its health status, risk assessment, and configuration details.",
"properties": {
"id": {
"type": "string",
"description": "The unique machine identity.",
"examples": [
"1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
]
},
"computerDnsName": {
"type": "string",
"description": "The fully qualified domain name of the machine.",
"examples": [
"mymachine1.contoso.com"
]
},
"firstSeen": {
"type": "string",
"format": "date-time",
"description": "The date and time when the machine was first observed by Microsoft Defender for Endpoint."
},
"lastSeen": {
"type": "string",
"format": "date-time",
"description": "The time and date of the last received full device report. A device typically sends a full report every 24 hours."
},
"osPlatform": {
"type": "string",
"description": "The operating system platform.",
"examples": [
"Windows10",
"Windows11",
"Linux"
]
},
"onboardingStatus": {
"type": "string",
"description": "The onboarding status of the machine.",
"enum": [
"Onboarded",
"CanBeOnboarded",
"Unsupported",
"InsufficientInfo"
]
},
"osProcessor": {
"type": "string",
"description": "The operating system processor. Deprecated in favor of osArchitecture.",
"deprecated": true
},
"version": {
"type": [
"string",
"null"
],
"description": "The operating system version."
},
"osBuild": {
"type": [
"integer",
"null"
],
"format": "int64",
"description": "The operating system build number."
},
"lastIpAddress": {
"type": [
"string",
"null"
],
"description": "The last IP address on the local NIC of the machine."
},
"lastExternalIpAddress": {
"type": [
"string",
"null"
],
"description": "The last IP address through which the machine accessed the internet."
},
"healthStatus": {
"type": "string",
"description": "The machine health status.",
"enum": [
"Active",
"Inactive",
"ImpairedCommunication",
"NoSensorData",
"NoSensorDataImpairedCommunication",
"Unknown"
]
},
"rbacGroupName": {
"type": [
"string",
"null"
],
"description": "The machine group name."
},
"rbacGroupId": {
"type": [
"integer",
"null"
],
"description": "The machine group ID."
},
"riskScore": {
"type": [
"string",
"null"
],
"description": "The risk score as evaluated by Microsoft Defender for Endpoint.",
"enum": [
"None",
"Informational",
"Low",
"Medium",
"High",
null
]
},
"aadDeviceId": {
"type": [
"string",
"null"
],
"format": "uuid",
"description": "The Microsoft Entra Device ID (when the machine is Microsoft Entra joined)."
},
"machineTags": {
"type": "array",
"items": {
"type": "string"
},
"description": "Set of machine tags."
},
"exposureLevel": {
"type": [
"string",
"null"
],
"description": "The exposure level as evaluated by Microsoft Defender for Endpoint.",
"enum": [
"None",
"Low",
"Medium",
"High",
null
]
},
"deviceValue": {
"type": [
"string",
"null"
],
"description": "The value of the device.",
"enum": [
"Normal",
"Low",
"High",
null
]
},
"ipAddresses": {
"type": "array",
"items": {
"$ref": "#/components/schemas/IpAddress"
},
"description": "Set of IP address objects associated with the machine."
},
"osArchitecture": {
"type": [
"string",
"null"
],
"description": "The operating system architecture.",
"enum": [
"32-bit",
"64-bit",
null
]
}
}
}