Query Details

MDE TVM E IOT

Query

# Microsoft Defender for Endpoint - Enterprise IOT Exposure

## Query Information

### Description

Use the queries below to retrieve the exposure level information for EIOT devices discovered by MDE.

#### References

- [Get started with enterprise IoT monitoring in Microsoft 365 Defender](https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/eiot-defender-for-endpoint)


### Microsoft Sentinel

Count of devices by exposure level

```kql
DeviceInfo
// Keep only the most recent record for each device
| summarize arg_max(TimeGenerated,*) by DeviceId
// Restrict to devices categorized as IoT
| where DeviceCategory == "IoT"
| summarize count() by ExposureLevel
```

Count of devices broken down by EIOT Device Type and Exposure level

```kql
DeviceInfo
// Keep only the most recent record for each device
| summarize arg_max(TimeGenerated,*) by DeviceId
// Restrict to devices categorized as IoT
| where DeviceCategory == "IoT"
| summarize count() by DeviceType, DeviceSubtype, ExposureLevel
```

Explanation

The first query counts the enterprise IoT (EIOT) devices discovered by Microsoft Defender for Endpoint by exposure level. It takes the most recent `DeviceInfo` record for each device, keeps the devices whose device category is "IoT", and then summarizes the count of devices by exposure level.

The second query breaks the count down by EIOT device type, device subtype, and exposure level. It applies the same latest-record selection and "IoT" device category filter, and then summarizes the count of devices by those three attributes.

Details


Alex Verboon

Released: November 23, 2023

Tables

DeviceInfo

Keywords

Devices,Intune,User

Operators

summarize, arg_max, by, where, count()
