Advanced Hunting Updates in DeviceInfo
We are happy to share that we are introducing several updates to the DeviceInfo and DeviceNetworkInfo tables in advanced hunting.
The main goals of these updates are to improve data freshness in those tables and to add new details about devices.
When this will happen:
We will begin rolling out early March 2023 and expect to complete by mid-March 2023.
How this will affect your organization:
Device report cadence
Regular users of the DeviceInfo table in advanced hunting know that each device in the network sends a partial heartbeat every fifteen minutes and a full report once a day. By shifting to a better source for this information, we will be able to send a complete report per device every hour instead of every 24 hours. This means we will no longer send partial heartbeats; instead, any change since the previous report will trigger a complete report as soon as it happens (in addition to the hourly complete report). This update affects the DeviceNetworkInfo table as well, as each device report will add the equivalent records with the device's network information.
That means you get fresher device information than ever before, which gives you better visibility into and control over what's happening in your network if you use DeviceInfo in your hunting queries.
Improvements in DeviceInfo & DeviceNetworkInfo tables
The following fields and values will change in the DeviceInfo table in advanced hunting:
- OsVersion – The OS version string will include the minor version even when it is '0'. For example: 9.0, 10.0, 11.0, etc.
- DeviceType – Mobile devices will now be assigned the DeviceType value 'Mobile' instead of 'Unknown'.
- MergedMachineIds – The MergedMachineIds field will also be available for devices onboarded to MDE.
The following fields and values will change in the DeviceNetworkInfo table in advanced hunting:
- NetworkAdapterVendor – The NetworkAdapterVendor field will also be available for devices onboarded to MDE.
New fields available in DeviceInfo table
The following fields will be added to the DeviceInfo table in advanced hunting:
- SensorHealthState – gives you the health status of an onboarded device's EDR sensor. We hope this gives you additional insight into the devices in your network.
- IsInternetFacing – indicates whether the device is internet-facing and may be exposed to external communication. Additional evidence for why this device was identified as internet-facing is available in the AdditionalFields column of the DeviceInfo table.
- IsExcluded – indicates whether the device is currently excluded from Microsoft Defender Vulnerability Management experiences.
- ExclusionReason – indicates the reason for the device's exclusion.
What you need to do to prepare:
Please go over the above and make sure that no existing flows will be affected by these updates.
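As an added example (not part of this message and not a query shipped with Defender), the following advanced hunting query shows the two adjustments the updates above call for: it no longer assumes one full report per device per day, and it uses the new SensorHealthState, IsInternetFacing, IsExcluded, ExclusionReason and AdditionalFields columns. It assumes the standard DeviceInfo columns DeviceId, DeviceName and Timestamp (not listed in the message), that IsInternetFacing and IsExcluded are booleans, and that "Active" is the value SensorHealthState carries for a healthy sensor; that last value is an assumption.

```kql
// Added example; not part of the MC524717 announcement.
// Assumes the standard DeviceInfo columns DeviceId, DeviceName and Timestamp
// plus the new fields the message announces. IsInternetFacing and IsExcluded
// are treated as booleans; "Active" is the assumed healthy SensorHealthState.
//
// Step 1: with hourly full reports (plus an extra full report on every change)
// a device can appear many times per day. Reduce to the latest complete
// report per device instead of assuming one row per device per day.
let LatestDeviceReport =
    DeviceInfo
    | where Timestamp > ago(1d)
    | summarize arg_max(Timestamp, *) by DeviceId;
// Step 2: internet-facing devices whose EDR sensor is not healthy are the
// ones where a coverage gap matters most. Surface them together with the
// evidence Defender stored in AdditionalFields for the internet-facing call,
// and with the vulnerability-management exclusion state for context.
LatestDeviceReport
| where IsInternetFacing == true and SensorHealthState != "Active"
| extend InternetFacingEvidence = parse_json(AdditionalFields)
| project Timestamp, DeviceName, DeviceId, OsVersion, DeviceType,
          SensorHealthState, IsExcluded, ExclusionReason, InternetFacingEvidence
| order by Timestamp desc
```

The arg_max step is the part worth carrying into existing flows: any query or detection that counted DeviceInfo rows per device, or that joined on DeviceInfo expecting a single daily row, will see different numbers once partial heartbeats stop and full reports arrive hourly, and the same applies to per-device counts over DeviceNetworkInfo.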
Message ID: MC524717