SOLVED

Microsoft 365 Defender - where to create a custom list of devices

Hi - where in MS 365 Defender can I create a custom list of devices, that I can just update once and reference in multiple KQL queries?

I have looked in Settings - there is no option for Microsoft Defender for Endpoint lists.

Thanks for any help,

Mark

5 Replies

@marktait19 

To create a custom list of devices in Microsoft Defender for Endpoint, you can use the Microsoft Defender Security Center. To do so, follow these steps:

  1. Log in to the Microsoft Defender Security Center.
  2. Go to the Devices section.
  3. On the Devices page, select the devices you want to add to the custom list.
  4. From the selection options, choose "Add to custom list".
  5. Give the custom list a name and description.
  6. Click on "Create custom list".

Once the custom list is created, you can use it in multiple KQL queries by referencing the custom list in the query. To do so, use the following syntax:

DeviceList('<CustomListName>')

For example, if your custom list is named "ImportantDevices", the KQL query would be:

DeviceList('ImportantDevices')

@Robina 

Hi Robina - thank you for your reply.

When I select devices on the Devices page, I do not see "Add to custom list", I only see:

  • Manage Tags
  • Initiate Automated Investigation
  • Device Value
  • Exclude
  • Report Inaccuracy

I've attached a screenshot.

Have I missed something, or is it perhaps that I don't have specific permissions to create custom lists?

Thanks again,

Mark

best response confirmed by marktait19 (Copper Contributor)
Solution

@marktait19 It sounds like you're using a security or device management platform that may have different options available to you based on your account level or the type of device you have selected. "Add to custom list" is not a standard feature in all security or device management platforms, and its availability may vary.

If you're looking for specific information or functionality that is not available to you, I recommend reaching out to your platform's support team for assistance. They will be able to provide you with more information on the features and functionality that are available to you.

Thank you - I suspect that may be the issue. What I'm trying to do seems pretty simple (create a list of devices I can update once and use across multiple queries). I'll reach out to the platform support to see if they can recommend the specific permissions required.

All the best, Mark
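
An added example, not part of any post in this thread: one way to keep a device list that is updated once and reused across queries is to tag the devices with the Manage Tags action listed above and filter on that tag in advanced hunting. The tag name `ImportantDevices` is a constructed placeholder, and the query assumes the `DeviceManualTags` column of the `DeviceInfo` table is populated in your tenant.

```kusto
// Added example (not from the thread).
// Assumption: the devices of interest carry the manual tag "ImportantDevices"
// (constructed name), applied once through Manage Tags on the Devices page.

// Resolve the tag to the current set of device IDs.
let ImportantDeviceIds =
    DeviceInfo
    | where Timestamp > ago(7d)
    // Keep only the most recent DeviceInfo record per device, so a tag that
    // was removed no longer matches.
    | summarize arg_max(Timestamp, DeviceManualTags) by DeviceId
    | where tostring(DeviceManualTags) has "ImportantDevices"
    | project DeviceId;
// Any hunting query can now scope itself to the tagged devices.
DeviceLogonEvents
| where Timestamp > ago(1d)
| where DeviceId in (ImportantDeviceIds)
| summarize Logons = count() by DeviceName, AccountName
| order by Logons desc
```

Changing which devices carry the tag changes the result of every query that starts with the same `let` statement, without editing the queries themselves.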