Supported Microsoft Defender XDR streaming event types in event streaming API

Applies to:

• Microsoft Defender XDR

Note

Try our new APIs using MS Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.

Important

Some information in this article relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The Event Streaming API is constantly being expanded to support more event types. Learn which Hunting tables are generally available, currently in public preview, or not yet supported.

New - Identity and CloudApp event types/tables are now GA.

Hunting tables support status in Event Streaming API

The following table only includes the list of the tables supported in the streaming API, and is not inclusive of all AH schema. For a full list of the API see, Learn the schema tables.

Table name	Status (Commercial)	GCC	GCC High	DoD
AlertEvidence	GA	GA	GA	GA
AlertInfo	GA	GA	GA	GA
DeviceEvents	GA	GA	GA	GA
DeviceFileCertificateInfo	GA	GA	GA	GA
DeviceFileEvents	GA	GA	GA	GA
DeviceImageLoadEvents	GA	GA	GA	GA
DeviceInfo	GA	GA	GA	GA
DeviceLogonEvents	GA	GA	GA	GA
DeviceNetworkEvents	GA	GA	GA	GA
DeviceNetworkInfo	GA	GA	GA	GA
DeviceProcessEvents	GA	GA	GA	GA
DeviceRegistryEvents	GA	GA	GA	GA
EmailAttachmentInfo	GA	GA	GA	GA
EmailEvents	GA	GA	GA	GA
EmailPostDeliveryEvents	GA	GA	GA	GA
EmailUrlInfo	GA	GA	GA	GA
IdentityLogonEvents	GA	GA	GA	GA
IdentityQueryEvents	GA	GA	GA	GA
IdentityDirectoryEvents	GA	GA	GA	GA
CloudAppEvents	GA	GA	GA	GA
UrlClickEvents	Public preview	Not available	Not available	Not available

Related topics

Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.