Defender XDR Advanced Hunting Table Schemas

The following table lists the tables available in advanced hunting, with a summary of what each one contains. Each table name is the identifier used in a KQL query; the per-table schema pages document the individual columns.

Table name                                Description
AADSignInEventsBeta                       Microsoft Entra interactive and non-interactive sign-ins
AADSpnSignInEventsBeta                    Microsoft Entra service principal and managed identity sign-ins
AlertEvidence                             Files, IP addresses, URLs, users, or devices associated with alerts
AlertInfo                                 Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization
BehaviorEntities                          Behavior data types in Microsoft Defender for Cloud Apps
BehaviorInfo                              Alerts from Microsoft Defender for Cloud Apps
CloudAppEvents                            Events involving accounts and objects in Office 365 and other cloud apps and services
DeviceEvents                              Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection
DeviceFileCertificateInfo                 Certificate information of signed files obtained from certificate verification events on endpoints
DeviceFileEvents                          File creation, modification, and other file system events
DeviceImageLoadEvents                     DLL loading events
DeviceInfo                                Machine information, including OS information
DeviceLogonEvents                         Sign-ins and other authentication events on devices
DeviceNetworkEvents                       Network connection and related events
DeviceNetworkInfo                         Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents                       Process creation and related events
DeviceRegistryEvents                      Creation and modification of registry entries
DeviceTvmHardwareFirmware                 Hardware and firmware information of devices as checked by Defender Vulnerability Management
DeviceTvmInfoGathering                    Defender Vulnerability Management assessment events, including configuration and attack surface area states
DeviceTvmInfoGatheringKB                  Metadata for the assessment events collected in the DeviceTvmInfoGathering table
DeviceTvmSecureConfigurationAssessment    Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices
DeviceTvmSecureConfigurationAssessmentKB  Knowledge base of the security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks
DeviceTvmSoftwareEvidenceBeta             Evidence of where a specific piece of software was detected on a device
DeviceTvmSoftwareInventory                Inventory of software installed on devices, including version information and end-of-support status
DeviceTvmSoftwareVulnerabilities          Software vulnerabilities found on devices and the list of available security updates that address each vulnerability
DeviceTvmSoftwareVulnerabilitiesKB        Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available
EmailAttachmentInfo                       Information about files attached to emails
EmailEvents                               Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents                   Security events that occur post-delivery, after Microsoft 365 delivers the email to the recipient mailbox
EmailUrlInfo                              Information about URLs in emails
ExposureGraphEdges                        Microsoft Security Exposure Management exposure graph edges, describing the relationships between entities and assets in the graph
ExposureGraphNodes                        Microsoft Security Exposure Management exposure graph nodes, describing organizational entities and their properties
IdentityDirectoryEvents                   Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
IdentityInfo                              Account information from various sources, including Microsoft Entra ID
IdentityLogonEvents                       Authentication events on Active Directory and Microsoft online services
IdentityQueryEvents                       Queries for Active Directory objects, such as users, groups, devices, and domains
UrlClickEvents                            Safe Links clicks from email messages, Teams, and Office 365 apps
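The tables above are designed to be joined: the Tvm vulnerability table carries a CveId that keys into the vulnerability knowledge base, and AlertInfo and AlertEvidence share an AlertId, with the evidence rows carrying the DeviceId that keys into the device tables. The following query is an added example written for this page, not a query from Microsoft's documentation; it finds devices that are exposed to a critical CVE with public exploit code and that have also appeared as evidence in an alert during the last seven days. The column names it uses (CveId, IsExploitAvailable, VulnerabilitySeverityLevel, CvssScore, DeviceId, DeviceName, AlertId, Title, Timestamp) come from the per-table schema pages and are not listed on this page, so treat them as an assumption to verify against your tenant's schema.

```kql
// Added example, not part of the original page. Column names are assumed
// from the per-table schema pages, which this list does not reproduce.
//
// Step 1: CVEs from the knowledge base that are critical and have a public exploit.
let exploitable =
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | where VulnerabilitySeverityLevel == "Critical"
    | project CveId, CvssScore;
// Step 2: devices on which any of those CVEs was found, collapsed to one row per device.
let exposedDevices =
    DeviceTvmSoftwareVulnerabilities
    | join kind=inner exploitable on CveId
    | summarize Cves = make_set(CveId), MaxCvss = max(CvssScore) by DeviceId, DeviceName;
// Step 3: recent alerts, expanded to the device entities listed as their evidence,
// then restricted to the exposed devices from step 2.
AlertInfo
| where Timestamp > ago(7d)
| join kind=inner (
        AlertEvidence
        | where isnotempty(DeviceId)
        | project AlertId, DeviceId
    ) on AlertId
| join kind=inner exposedDevices on DeviceId
| summarize AlertCount = dcount(AlertId), AlertTitles = make_set(Title)
    by DeviceName, Cves = tostring(Cves), MaxCvss
| order by MaxCvss desc, AlertCount desc
```

The Tvm tables describe the current state of each device rather than a stream of events, so the vulnerability half of the query needs no time filter, while AlertInfo is an event table and does. The grouping key converts Cves to a string because summarize cannot group on a dynamic column directly.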
