Purpose
The Device Feed CDP contains up-to-date information when a device was first seen and last seen by a particular feed. The Device Feed CDP is ideal for answering questions about when a device was last seen by a feed.
Understanding the Table
The Device Feed CDP contains first_seen and last_seen time stamps. These timestamps indicate when the device (identified by device_id) was last seen by a particular feed and event_type (identified by feed_name and class_uid).
{
"class_name": "Detection Finding",
"class_uid": 2004,
"device_id": 4884720,
"feed_name": "microsoft_xdr",
"feed_version": null,
"first_seen": "2025-11-24T14:13:49.357000",
"id": 6981552,
"is_managed": false,
"last_seen": "2025-12-12T15:17:56.454000",
"record_created_at": "2025-12-19T06:38:30.884000",
"record_updated_at": null
}Joining to CDPs and OCSF
If the security hygiene entitlement is enabled, device_id can be used to join back to OCSF and other CDP tables
Example Queries
Display user_id from all feeds
SELECT * from cdp.device_feed where device_id is <device_id>