Investigating DeviceInfo in Microsoft Defender XDR
DeviceInfo provides important endpoint context inside Microsoft Defender XDR advanced hunting, including device names, operating systems, onboarding state, sensor health, exposure level, risk score and other device posture details.
This table helps defenders understand the device behind an alert, logon, process, file event or network connection. Before you decide how serious an endpoint investigation is, you need to know what kind of device you are looking at and whether it is healthy, onboarded and exposed.
In this lesson, you will learn how to use DeviceInfo to investigate endpoint context, identify risky devices, review onboarding and sensor health, and enrich Microsoft Defender XDR investigations with device posture evidence.
Lesson overview
Learn how DeviceInfo helps defenders understand endpoint identity, health, exposure and risk during Microsoft Defender XDR investigations.
Why DeviceInfo matters
Investigation scenario
Step 1 — Review recent device inventory
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
DeviceInfo | where Timestamp > ago(7d) | summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, OSVersion, OnboardingStatus, SensorHealthState, ExposureLevel, RiskScore | order by LatestSeen desc
Step 2 — Focus on one device
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
let TargetDevice = "replace-with-device-name"; DeviceInfo | where Timestamp > ago(30d) | where DeviceName == TargetDevice | project Timestamp, DeviceId, DeviceName, OSPlatform, OSVersion, OnboardingStatus, SensorHealthState, ExposureLevel, RiskScore | order by Timestamp desc
Step 3 — Find exposed or high risk devices
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
DeviceInfo | where Timestamp > ago(30d) | summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, ExposureLevel, RiskScore, OSPlatform | where ExposureLevel in ("High", "Medium") or RiskScore in ("High", "Medium") | order by ExposureLevel asc, RiskScore asc
Step 4 — Check onboarding and sensor health
- 1
- 2
- 3
- 4
- 5
- 6
- 7
DeviceInfo | where Timestamp > ago(14d) | summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, OnboardingStatus, SensorHealthState, OSPlatform | where OnboardingStatus != "Onboarded" or SensorHealthState != "Active" | order by LatestSeen desc
Step 5 — Join DeviceInfo to process activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
let DevicePosture = DeviceInfo | where Timestamp > ago(7d) | summarize arg_max(Timestamp, OSPlatform, ExposureLevel, RiskScore, SensorHealthState) by DeviceId, DeviceName; DeviceProcessEvents | where Timestamp > ago(24h) | where ProcessCommandLine has_any ("powershell", "encodedcommand", "rundll32") | join kind=leftouter DevicePosture on DeviceId | project Timestamp, DeviceName, FileName, ProcessCommandLine, OSPlatform, ExposureLevel, RiskScore, SensorHealthState
Step 6 — Summarise devices by operating system and posture
- 1
- 2
- 3
- 4
- 5
- 6
- 7
DeviceInfo | where Timestamp > ago(30d) | summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, ExposureLevel, RiskScore | summarize Devices = count() by OSPlatform, ExposureLevel, RiskScore | order by Devices desc
Common investigation uses
Common mistakes
What you learned
Related Agent Foskett Academy lessons
Coming next
Investigating DeviceInfo in Microsoft Defender XDR
Agent Foskett Academy Lesson 41 teaches defenders how to use DeviceInfo to investigate endpoint context, onboarding status, sensor health, exposure level, risk score and device posture in Microsoft Defender XDR.
Learn DeviceInfo for Microsoft Defender XDR hunting
This lesson explains how DeviceInfo supports Microsoft Defender XDR investigations by connecting endpoint alerts and telemetry to device health, operating system details, Defender onboarding state and risk context.
