Microsoft Graph · Schema
microsoft.graph.security.deviceEvidence
Azure ADCollaborationContactsDocumentsEmailGraphIdentityMicrosoftOffice 365PresentationsProductivitySpreadsheetsT1Tasks
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/microsoft.graph.security.deviceEvidence",
"title": "microsoft.graph.security.deviceEvidence",
"allOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.alertEvidence"
},
{
"title": "deviceEvidence",
"required": [
"@odata.type"
],
"type": "object",
"properties": {
"azureAdDeviceId": {
"type": "string",
"description": "A unique identifier assigned to a device by Microsoft Entra ID when device is Microsoft Entra joined.",
"nullable": true
},
"defenderAvStatus": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.defenderAvStatus"
},
{
"type": "object",
"nullable": true
}
],
"description": "State of the Defender AntiMalware engine. The possible values are: notReporting, disabled, notUpdated, updated, unknown, notSupported, unknownFutureValue."
},
"deviceDnsName": {
"type": "string",
"description": "The fully qualified domain name (FQDN) for the device.",
"nullable": true
},
"dnsDomain": {
"type": "string",
"description": "The DNS domain that this computer belongs to. A sequence of labels separated by dots.",
"nullable": true
},
"firstSeenDateTime": {
"pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$",
"type": "string",
"description": "The date and time when the device was first seen.",
"format": "date-time",
"nullable": true
},
"healthStatus": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.deviceHealthStatus"
},
{
"type": "object",
"nullable": true
}
],
"description": "The health state of the device. The possible values are: active, inactive, impairedCommunication, noSensorData, noSensorDataImpairedCommunication, unknown, unknownFutureValue."
},
"hostName": {
"type": "string",
"description": "The hostname without the domain suffix.",
"nullable": true
},
"ipInterfaces": {
"type": "array",
"items": {
"type": "string",
"nullable": true
},
"description": "Ip interfaces of the device during the time of the alert."
},
"lastExternalIpAddress": {
"type": "string",
"nullable": true
},
"lastIpAddress": {
"type": "string",
"nullable": true
},
"loggedOnUsers": {
"type": "array",
"items": {
"$ref": "#/components/schemas/microsoft.graph.security.loggedOnUser"
},
"description": "Users that were logged on the machine during the time of the alert."
},
"mdeDeviceId": {
"type": "string",
"description": "A unique identifier assigned to a device by Microsoft Defender for Endpoint.",
"nullable": true
},
"ntDomain": {
"type": "string",
"description": "A logical grouping of computers within a Microsoft Windows network.",
"nullable": true
},
"onboardingStatus": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.onboardingStatus"
},
{
"type": "object",
"nullable": true
}
],
"description": "The status of the machine onboarding to Microsoft Defender for Endpoint. The possible values are: insufficientInfo, onboarded, canBeOnboarded, unsupported, unknownFutureValue."
},
"osBuild": {
"type": "number",
"description": "The build version for the operating system the device is running.",
"format": "int64",
"nullable": true
},
"osPlatform": {
"type": "string",
"description": "The operating system platform the device is running.",
"nullable": true
},
"rbacGroupId": {
"maximum": 2147483647,
"minimum": -2147483648,
"type": "number",
"description": "The ID of the role-based access control (RBAC) device group.",
"format": "int32",
"nullable": true
},
"rbacGroupName": {
"type": "string",
"description": "The name of the RBAC device group.",
"nullable": true
},
"riskScore": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.deviceRiskScore"
},
{
"type": "object",
"nullable": true
}
],
"description": "Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: none, informational, low, medium, high, unknownFutureValue."
},
"version": {
"type": "string",
"description": "The version of the operating system platform.",
"nullable": true
},
"vmMetadata": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.vmMetadata"
},
{
"type": "object",
"nullable": true
}
],
"description": "Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running."
},
"@odata.type": {
"type": "string",
"default": "#microsoft.graph.security.deviceEvidence"
}
}
}
],
"x-ms-discriminator-value": "#microsoft.graph.security.deviceEvidence"
}