DeviceInfoDeviceInfo

重要

改良的 Microsoft 365 安全性中心現在可用。The improved Microsoft 365 security center is now available. 這個新的體驗會將適用於端點的 Defender、適用於 Office 365 的 Defender、Microsoft 365 Defender 和更多功能帶到 Microsoft 365 安全性中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 了解新功能Learn what's new.

適用於:Applies to:

  • Microsoft 365 DefenderMicrosoft 365 Defender

[!附注] DeviceInfo 高級搜尋 架構中的表格包含組織中裝置的相關資訊,包括作業系統版本、作用中使用者及電腦名稱稱。The DeviceInfo table in the advanced hunting schema contains information about devices in the organization, including OS version, active users, and computer name. 使用這個參考來建立從此表格取回之資訊的查詢。Use this reference to construct queries that return information from this table.

如需進階搜捕結構描述中其他表格的資訊,請參閱進階搜捕參考 (部分內容為機器翻譯)。For information on other tables in the advanced hunting schema, see the advanced hunting reference.

欄名稱Column name 資料類型Data type 描述Description
Timestamp datetimedatetime 事件記錄的日期和時間Date and time when the event was recorded
DeviceId stringstring 服務中電腦的唯一識別碼Unique identifier for the machine in the service
DeviceName stringstring 電腦的完整網域名稱 (FQDN)Fully qualified domain name (FQDN) of the machine
ClientVersion stringstring 電腦上執行的端點代理程式或感應器版本Version of the endpoint agent or sensor running on the machine
PublicIP stringstring 架電腦用來連接至 Microsoft Defender for Endpoint service 的公用 IP 位址。Public IP address used by the onboarded machine to connect to the Microsoft Defender for Endpoint service. 這可以是電腦本身、NAT 裝置或 proxy 的 IP 位址This could be the IP address of the machine itself, a NAT device, or a proxy
OSArchitecture 字串string 電腦上執行的作業系統架構。Architecture of the operating system running on the machine
OSPlatform 字串string 電腦上執行的作業系統平台。Platform of the operating system running on the machine. 這表示特定作業系統(包括相同家族內的變化,例如 Windows 10 和 Windows 7)This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7
OSBuild stringstring 電腦上所執行作業系統的組建版本Build version of the operating system running on the machine
IsAzureADJoined 布林值boolean 對電腦是否加入 Azure Active Directory 的布林指標Boolean indicator of whether machine is joined to the Azure Active Directory
AadObjectId stringstring Azure AD 中裝置的唯一識別碼Unique identifier for the device in Azure AD
LoggedOnUsers stringstring 以 JSON 陣列格式出現事件時,在機器上記錄的所有使用者清單List of all users that are logged on the machine at the time of the event in JSON array format
RegistryDeviceTag stringstring 透過登錄加入的電腦標記Machine tag added through the registry
OSVersion 字串string 電腦上執行的作業系統版本。Version of the operating system running on the machine
MachineGroup 字串string 機器的電腦群組。Machine group of the machine. 這個群組是由以角色為基礎的存取控制用來判斷對機器的存取權This group is used by role-based access control to determine access to the machine
ReportId longlong 以重複計數器為基礎的事件識別碼。Event identifier based on a repeating counter. 若要識別唯一的事件,此資料行必須與 DeviceName 及 Timestamp 資料行一起使用To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns
AdditionalFields stringstring 有關 JSON 陣列格式之事件的其他資訊Additional information about the event in JSON array format

DeviceInfo表格提供以心跳方式(即來自裝置的定期報告或信號)為基礎的裝置資訊。The DeviceInfo table provides device information based on heartbeats, which are periodic reports or signals from a device. 每十五分鐘,裝置會傳送部分心跳,其中包含經常變更的屬性,如 LoggedOnUsersEvery fifteen minutes, the device sends a partial heartbeat that contains frequently changing attributes like LoggedOnUsers. 一天一次,會傳送包含裝置之屬性的完整心跳。Once a day, a full heartbeat containing the device's attributes is sent.

您可以使用下列範例查詢取得裝置的最新狀態:You can use the following sample query to get the latest state of a device:

// Get latest information on user/device
DeviceInfo
| where DeviceName == "example" and isnotempty(OSPlatform)
| summarize arg_max(Timestamp, *) by DeviceId