How to read Machine/Device Dynamic Tags from Graph Security API

Lucas Krupinski
2024-12-30T20:04:36.0466667+00:00

I have spent a bit of time creating dynamic tagging rules in Defender, in hopes of using those tags to facilitate reporting and am running into an issue plus an inconsistency.

First, the inconsistency: In Defender, endpoints are referred to as Devices, and tags are Device Tags. In Security Center's Graph API, endpoints are referred to as Machines and the Tags are MachineTags. It's a small difference, but I feel like it's making it harder to find an answer.

The issue: When I retrieve Machine data from https://api.security.microsoft.com/api/machines, it only provides Manually applied tags rather than Dynamic tags. The only way I can so far figure out to retrieve these machine tags is through Threat Hunting queries against the DeviceInfo table, where both sets of tags are present as DeviceManualTag and DeviceDynamicTag.

Has anyone else figured out how to coax the machine API endpoint into returning Dynamic tags? Or is using the threat hunting endpoint the only solution at the moment?

And to Microsoft: any timeframe for adding DynamicTags to the data returned from the machine api?
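
The workaround described in the question, as an added example that is not part of the original post: it merges dynamic tags from an advanced hunting result into records from the machines endpoint, offline, on constructed sample data. Assumptions: the hunting response carries its rows under `Results`, the DeviceInfo columns use the plural names `DeviceManualTags` and `DeviceDynamicTags`, the machine `id` matches `DeviceId`, and the `dynamicTags` key is a hypothetical name chosen here.

```python
import json

# KQL for the hunting workaround: latest DeviceInfo row per device.
# Column names are an assumption (plural forms); check your tenant's schema.
HUNTING_QUERY = """
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, DeviceName, DeviceManualTags, DeviceDynamicTags) by DeviceId
"""

def _as_list(value):
    """Tag columns may arrive as a list, a JSON-encoded array string, or empty."""
    if not value:
        return []
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return [value]  # plain string that is not JSON: treat as one tag
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]

def dynamic_tags_by_device(hunting_response):
    """Map DeviceId -> sorted, de-duplicated dynamic tags from the Results rows."""
    tags = {}
    for row in hunting_response.get("Results", []):
        tags[row["DeviceId"]] = sorted(set(_as_list(row.get("DeviceDynamicTags"))))
    return tags

def enrich_machines(machines, hunting_response):
    """Add a 'dynamicTags' key (hypothetical name) to each machines-API record."""
    dyn = dynamic_tags_by_device(hunting_response)
    return [{**m, "dynamicTags": dyn.get(m["id"], [])} for m in machines]

# Constructed sample data, shaped like the two API responses.
SAMPLE_MACHINES = [
    {"id": "aaa111", "computerDnsName": "ws-01.example.test", "machineTags": ["Finance"]},
    {"id": "bbb222", "computerDnsName": "srv-02.example.test", "machineTags": []},
]
SAMPLE_HUNTING = {"Results": [
    {"DeviceId": "aaa111", "DeviceName": "ws-01.example.test",
     "DeviceManualTags": '["Finance"]', "DeviceDynamicTags": '["Windows11","Tier2"]'},
]}

if __name__ == "__main__":
    for m in enrich_machines(SAMPLE_MACHINES, SAMPLE_HUNTING):
        print(m["computerDnsName"], m["machineTags"], m["dynamicTags"])
```

Devices that have no row in the hunting window get an empty `dynamicTags` list, so a report can distinguish "no dynamic tags" from a join failure only by also checking the device's last-seen time.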
