Defender XDR Advanced Hunting Table Schemas
The following table lists the specific schema tables that are available in advanced hunting, with a description of what each one contains.
| Table name | Description |
|---|---|
| | Microsoft Entra interactive and non-interactive sign-ins |
| | Microsoft Entra service principal and managed identity sign-ins |
| | Files, IP addresses, URLs, users, or devices associated with alerts |
| | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization |
| | Behavior data types in Microsoft Defender for Cloud Apps |
| | Alerts from Microsoft Defender for Cloud Apps |
| | Events involving accounts and objects in Office 365 and other cloud apps and services |
| | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
| | Certificate information of signed files obtained from certificate verification events on endpoints |
| | File creation, modification, and other file system events |
| | DLL loading events |
| | Machine information, including OS information |
| | Sign-ins and other authentication events on devices |
| | Network connection and related events |
| | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
| | Process creation and related events |
| | Creation and modification of registry entries |
| | Hardware and firmware information of devices as checked by Defender Vulnerability Management |
| | Defender Vulnerability Management assessment events, including configuration and attack surface area states |
| | Metadata for assessment events collected in the |
| | Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices |
| | Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
| | Evidence information about where specific software was detected on a device |
| | Inventory of software installed on devices, including version information and end-of-support status |
| | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
| | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| | Information about files attached to emails |
| | Microsoft 365 email events, including email delivery and blocking events |
| | Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox |
| | Information about URLs in emails |
| | Microsoft Security Exposure Management exposure graph edge information, providing visibility into relationships between entities and assets in the graph |
| | Microsoft Security Exposure Management exposure graph node information about organizational entities and their properties |
| | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
| | Account information from various sources, including Microsoft Entra ID |
| | Authentication events on Active Directory and Microsoft online services |
| | Queries for Active Directory objects, such as users, groups, devices, and domains |
| | Safe Links clicks from email messages, Teams, and Office 365 apps |