Note
Access to this page requires authorization. You can try signing in or .
Access to this page requires authorization. You can try .
DeviceTvmCertificateInfo (Preview)
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DeviceTvmCertificateInfo table in the advanced hunting schema contains data from Microsoft Defender Vulnerability Management related to certificate information for devices in the organization. Use this reference to construct queries that return information from the table.
This advanced hunting table is populated by records from Microsoft Defender for Endpoint. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Endpoint in Defender XDR, read Deploy supported services.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Important
This Defender Vulnerability Management (TVM) table isn't ingested into Microsoft Sentinel. In Microsoft Sentinel, this table is exposed for schema visibility only (for example, autocomplete and query validation), not for data ingestion. As a result, Microsoft Sentinel can accept queries that reference this table, but those queries return no results.
To query this table’s data, run the query in Defender XDR Advanced Hunting, where the data is available. Using TVM table data directly in Microsoft Sentinel analytics and detections isn't currently supported unless you build a custom ingestion path. For more information, see Which Defender XDR tables aren't supported in Microsoft Sentinel.
| Column name | Data type | Description |
|---|---|---|
DeviceId |
string |
Unique identifier for the device in the service |
Thumbprint |
string |
Unique identifier for the certificate |
Path |
string |
The location of the certificate |
SerialNumber |
string |
Unique identifier for the certificate within a certificate authority's systems |
IssuedTo |
dynamic |
Entity that a certificate belongs to; can be a device, an individual, or an organization |
IssuedBy |
dynamic |
Entity that verified the information and signed the certificate |
FriendlyName |
string |
Easy-to-understand version of a certificate's title |
SignatureAlgorithm |
string |
Hashing algorithm and encryption algorithm used |
KeySize |
string |
Size of the key used in the signature algorithm |
ExpirationDate |
string |
The date and time beyond which the certificate is no longer valid |
IssueDate |
string |
The earliest date and time when the certificate became valid |
SubjectType |
string |
Indicates if the holder of the certificate is a CA or end entity |
KeyUsage |
string |
The valid cryptographic uses of the certificate's public key |
ExtendedKeyUsage |
string |
Other valid uses for the certificate |
Related topics
- Overview of Microsoft Defender Vulnerability Management
- Proactively hunt for threats
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Was this page helpful?