DeviceAlertEvents

Applies to:

The DeviceAlertEvents table in the advanced hunting schema contains information about alerts in Microsoft 365 Defender. Use this reference to construct queries that return information from the table.

For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.

| Column name | Data type | Description |
|---|---|---|
| AlertId | string | Unique identifier for the alert |
| Timestamp | datetime | Date and time when the event was recorded |
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| Title | string | Title of the alert |
| FileName | string | Name of the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | string | IP address that was being connected to |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used with the DeviceName and Timestamp columns |
| Table | string | Table that contains the details of the event |
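The query below is an added example and is not part of the original reference. It shows the practical consequence of the ReportId note: because ReportId is a repeating counter, an alert row is tied back to the detail row in the table named by the Table column by joining on ReportId, DeviceName and Timestamp together, never on ReportId alone. It assumes the DeviceNetworkEvents advanced hunting table and its RemoteIP, RemotePort and InitiatingProcessFileName columns, which are not described on this page.

```kusto
// Added example (not from this page): pivot from high-severity alerts raised on
// network events back to the full network event that triggered them.
// Assumes the DeviceNetworkEvents table (not described in this reference).
let lookback = 7d;
DeviceAlertEvents
| where Timestamp > ago(lookback)
| where Severity =~ "high"                  // values are documented as high/medium/low
| where Table == "DeviceNetworkEvents"      // only alerts whose detail row lives there
| project AlertId, Title, Category, AttackTechniques,
          DeviceName, Timestamp, ReportId, AlertRemoteIP = RemoteIP
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | project DeviceName, Timestamp, ReportId,
              RemoteIP, RemotePort, InitiatingProcessFileName
  ) on DeviceName, Timestamp, ReportId     // all three columns identify one event
| project-away DeviceName1, Timestamp1, ReportId1
| summarize
    Alerts = dcount(AlertId),
    Techniques = make_set(AttackTechniques),
    Titles = make_set(Title)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| order by Alerts desc
```

Restricting both sides to the same lookback window keeps the join cheap, and summarizing by the initiating process and destination groups repeated alerts on the same connection pattern into one row for triage.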