fix: change references to deviceid to rawId

jame2O · jame2O · commit ce3dac3bde06 · 2026-06-12T11:05:18.000+01:00
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json b/plugins/MicrosoftDefender/v1/dataStreams/Vulnerabilities.json
@@ -13,7 +13,7 @@
         "expandInnerObjects": true,
         "endpointPath": "runHuntingQuery",
         "postBody": {
-            "Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}})",
+            "Query": "DeviceTvmSoftwareVulnerabilities | where DeviceId in ({{objects.map(o => {return `\"${o.rawId}\"`}).join(\",\")}})",
             "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
         },
         "pathToData": "results",
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/devices.json b/plugins/MicrosoftDefender/v1/dataStreams/devices.json
@@ -13,7 +13,7 @@
         "expandInnerObjects": true,
         "endpointPath": "runHuntingQuery",
         "postBody": {
-            "Query": "DeviceInfo | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}}) | summarize arg_max(Timestamp, *) by DeviceId"
+            "Query": "DeviceInfo | where DeviceId in ({{objects.map(o => {return `\"${o.rawId}\"`}).join(\",\")}}) | summarize arg_max(Timestamp, *) by DeviceId"
         },
         "pathToData": "results",
         "getArgs": [],
diff --git a/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json b/plugins/MicrosoftDefender/v1/dataStreams/recommendations.json
@@ -13,7 +13,7 @@
         "expandInnerObjects": true,
         "endpointPath": "runHuntingQuery",
         "postBody": {
-            "Query": "DeviceTvmSecureConfigurationAssessment | where DeviceId in ({{objects.map(o => {return `\"${o.deviceid}\"`}).join(\",\")}}) | join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId | project DeviceId, DeviceName, Timestamp, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationImpact, RiskDescription, RemediationOptions, IsApplicable, IsCompliant, Tags",
+            "Query": "DeviceTvmSecureConfigurationAssessment | where DeviceId in ({{objects.map(o => {return `\"${o.rawId}\"`}).join(\",\")}}) | join kind=leftouter (DeviceTvmSecureConfigurationAssessmentKB) on ConfigurationId | project DeviceId, DeviceName, Timestamp, ConfigurationId, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory, ConfigurationImpact, RiskDescription, RemediationOptions, IsApplicable, IsCompliant, Tags",
             "Timespan": "{{timeframe.enum != \"none\" ? `${timeframe.start}/${timeframe.end}` : \"\" }}"
         },
         "pathToData": "results",
diff --git a/plugins/MicrosoftDefender/v1/indexDefinitions/default.json b/plugins/MicrosoftDefender/v1/indexDefinitions/default.json
@@ -18,10 +18,7 @@
                     "OSVersion",
                     "PublicIP",
                     "OSBuild",
-                    "OSArchitecture",
-                    {
-                        "deviceid": "DeviceId"
-                    }
+                    "OSArchitecture"
                 ]
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -18,10 +18,7 @@`
`18`	`18`	`"OSVersion",`
`19`	`19`	`"PublicIP",`
`20`	`20`	`"OSBuild",`
`21`		`- "OSArchitecture",`
`22`		`- {`
`23`		`- "deviceid": "DeviceId"`
`24`		`- }`
	`21`	`+ "OSArchitecture"`
`25`	`22`	`]`
`26`	`23`	`}`
`27`	`24`	`}`