Advanced hunting schema - Naming changes

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The advanced hunting schema is updated regularly to add new tables and columns. In some cases, existing column names are renamed or replaced to improve the user experience. Refer to this article to review naming changes that could affect your queries.

Naming changes are automatically applied to queries that are saved in the security center, including queries used by custom detection rules. You don't need to update these queries manually. However, you will need to update the following queries:

  • Queries that are run using the API
  • Queries that are saved elsewhere outside the security center

December 2020

| Table name | Original column name | New column name | Reason for change |
|---|---|---|---|
| EmailEvents | FinalEmailAction | EmailAction | Customer feedback |
| EmailEvents | FinalEmailActionPolicy | EmailActionPolicy | Customer feedback |
| EmailEvents | FinalEmailActionPolicyGuid | EmailActionPolicyGuid | Customer feedback |

January 2021

| Column name | Original value name | New value name | Reason for change |
|---|---|---|---|
| DetectionSource | MCAS | Microsoft Cloud App Security | Rebranding |
| DetectionSource | WindowsDefenderAtp | EDR | Rebranding |
| DetectionSource | WindowsDefenderAv | Antivirus | Rebranding |
| DetectionSource | WindowsDefenderSmartScreen | SmartScreen | Rebranding |
| DetectionSource | CustomerTI | Custom TI | Rebranding |
| DetectionSource | OfficeATP | Microsoft Defender for Office 365 | Rebranding |
| DetectionSource | MTP | Microsoft 365 Defender | Rebranding |
| DetectionSource | AzureATP | Microsoft Defender for Identity | Rebranding |
| DetectionSource | CustomDetection | Custom detection | Rebranding |
| DetectionSource | AutomatedInvestigation | Automated investigation | Rebranding |
| DetectionSource | ThreatExperts | Microsoft Threat Experts | Rebranding |
| DetectionSource | 3rd party TI | 3rd Party sensors | Rebranding |
| ServiceSource | Microsoft Defender ATP | Microsoft Defender for Endpoint | Rebranding |
| ServiceSource | Microsoft Threat Protection | Microsoft 365 Defender | Rebranding |
| ServiceSource | Office 365 ATP | Microsoft Defender for Office 365 | Rebranding |
| ServiceSource | Azure ATP | Microsoft Defender for Identity | Rebranding |

DetectionSource is available in the AlertInfo table. ServiceSource is available in the AlertEvidence and AlertInfo tables.

February 2021

  1. In the EmailAttachmentInfo and EmailEvents tables, the MalwareFilterVerdict and PhishFilterVerdict columns have been replaced by the ThreatTypes column. The MalwareDetectionMethod and PhishDetectionMethod columns were also replaced by the DetectionMethods column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.

| Table name | Original column name | New column name | Reason for change |
|---|---|---|---|
| EmailAttachmentInfo | MalwareDetectionMethod, PhishDetectionMethod | DetectionMethods | Include more detection methods |
| EmailAttachmentInfo | MalwareFilterVerdict, PhishFilterVerdict | ThreatTypes | Include more threat types |
| EmailEvents | MalwareDetectionMethod, PhishDetectionMethod | DetectionMethods | Include more detection methods |
| EmailEvents | MalwareFilterVerdict, PhishFilterVerdict | ThreatTypes | Include more threat types |

  2. In the EmailAttachmentInfo and EmailEvents tables, the ThreatNames column was added to give more information about the email threat. This column contains values like Spam or Phish.

  3. In the DeviceInfo table, the DeviceObjectId column was replaced by the AadDeviceId column based on customer feedback.

  4. In the DeviceEvents table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.

| Table name | Original ActionType name | New ActionType name | Reason for change |
|---|---|---|---|
| DeviceEvents | DlpPocPrintJob | FilePrinted | Customer feedback |
| DeviceEvents | UsbDriveMount | UsbDriveMounted | Customer feedback |
| DeviceEvents | UsbDriveUnmount | UsbDriveUnmounted | Customer feedback |
| DeviceEvents | WriteProcessMemoryApiCall | WriteToLsassProcessMemory | Customer feedback |
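Queries run through the API or saved outside the security center are not rewritten for you, so the renames in this article's tables (December 2020 and February 2021 column renames, January 2021 value renames, February 2021 ActionType renames) have to be applied by hand. The script below is an added example, not Microsoft's code or anything from this article: it carries the mappings from the tables above, rewrites a saved KQL query with whole-identifier and quoted-literal matching so that, for instance, FinalEmailAction is never substituted inside FinalEmailActionPolicyGuid, and flags the February 2021 cases where two old columns were collapsed into one new column, because a predicate such as `MalwareFilterVerdict == "Malware"` may need rethinking once ThreatTypes carries values from both old columns. The sample query and the decision to rename ActionType literals only when DeviceEvents is referenced are assumptions of this example.

```python
import re

# Column renames per table, from this article's December 2020 and February 2021
# tables. Several February entries map two old columns onto a single new column.
COLUMN_RENAMES = {
    "EmailEvents": {
        "FinalEmailAction": "EmailAction",
        "FinalEmailActionPolicy": "EmailActionPolicy",
        "FinalEmailActionPolicyGuid": "EmailActionPolicyGuid",
        "MalwareDetectionMethod": "DetectionMethods",
        "PhishDetectionMethod": "DetectionMethods",
        "MalwareFilterVerdict": "ThreatTypes",
        "PhishFilterVerdict": "ThreatTypes",
    },
    "EmailAttachmentInfo": {
        "MalwareDetectionMethod": "DetectionMethods",
        "PhishDetectionMethod": "DetectionMethods",
        "MalwareFilterVerdict": "ThreatTypes",
        "PhishFilterVerdict": "ThreatTypes",
    },
    "DeviceInfo": {"DeviceObjectId": "AadDeviceId"},
}

# Value renames: January 2021 (DetectionSource, ServiceSource) and the February
# 2021 ActionType renames, which the article scopes to DeviceEvents.
VALUE_RENAMES = {
    "DetectionSource": {
        "MCAS": "Microsoft Cloud App Security",
        "WindowsDefenderAtp": "EDR",
        "WindowsDefenderAv": "Antivirus",
        "WindowsDefenderSmartScreen": "SmartScreen",
        "CustomerTI": "Custom TI",
        "OfficeATP": "Microsoft Defender for Office 365",
        "MTP": "Microsoft 365 Defender",
        "AzureATP": "Microsoft Defender for Identity",
        "CustomDetection": "Custom detection",
        "AutomatedInvestigation": "Automated investigation",
        "ThreatExperts": "Microsoft Threat Experts",
        "3rd party TI": "3rd Party sensors",
    },
    "ServiceSource": {
        "Microsoft Defender ATP": "Microsoft Defender for Endpoint",
        "Microsoft Threat Protection": "Microsoft 365 Defender",
        "Office 365 ATP": "Microsoft Defender for Office 365",
        "Azure ATP": "Microsoft Defender for Identity",
    },
    "ActionType": {
        "DlpPocPrintJob": "FilePrinted",
        "UsbDriveMount": "UsbDriveMounted",
        "UsbDriveUnmount": "UsbDriveUnmounted",
        "WriteProcessMemoryApiCall": "WriteToLsassProcessMemory",
    },
}
# Assumption of this example: ActionType literals are rewritten only for DeviceEvents queries.
VALUE_SCOPE = {"ActionType": "DeviceEvents"}


def _word(name):
    # Whole-identifier match, so FinalEmailAction never touches FinalEmailActionPolicy.
    return re.compile(r"\b" + re.escape(name) + r"\b")


def _literal(value):
    # A quoted KQL string literal holding exactly this value.
    return re.compile(r"""(['"])""" + re.escape(value) + r"\1")


def migrate_query(query):
    """Rewrite a saved KQL query to the new names; return (query, review notes)."""
    out, notes = query, []
    for table, renames in COLUMN_RENAMES.items():
        if not _word(table).search(out):
            continue
        # How many old columns collapse into each new column in this table.
        fan_in = {}
        for new in renames.values():
            fan_in[new] = fan_in.get(new, 0) + 1
        for old, new in renames.items():
            pattern = _word(old)
            if pattern.search(out):
                out = pattern.sub(new, out)
                if fan_in[new] > 1:
                    notes.append(f"{table}.{old} merged into {new}: review the predicate, "
                                 f"since {new} now carries values from more than one old column")
    for column, values in VALUE_RENAMES.items():
        scope = VALUE_SCOPE.get(column)
        if not _word(column).search(out) or (scope and not _word(scope).search(out)):
            continue
        for old, new in values.items():
            out = _literal(old).sub(lambda m, n=new: m.group(1) + n + m.group(1), out)
    return out, notes


# Constructed sample: an old query kept outside the security center.
SAMPLE_QUERY = """EmailEvents
| where Timestamp > ago(7d)
| where FinalEmailAction == "Block" and MalwareFilterVerdict == "Malware"
| project Timestamp, FinalEmailActionPolicyGuid, PhishFilterVerdict"""

if __name__ == "__main__":
    migrated, review = migrate_query(SAMPLE_QUERY)
    print(migrated)
    for note in review:
        print(" review:", note)
```

Run the script to see the sample query rewritten with EmailAction, EmailActionPolicyGuid and ThreatTypes, plus two review notes for the verdict columns that were merged. Pipe your own saved queries through `migrate_query` and treat each note as a query to re-test against live data rather than a finished rewrite, since a rename into a collapsed column can change what a filter matches.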