Supported Microsoft 365 Defender event types in event streaming API

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The Event Streaming API is constantly being expanded to support more event types. Learn which Hunting tables are generally available, currently in public preview, or not yet supported. New - Email event types/tables are now GA

Hunting tables support status in Event Streaming API

Table name Status
AlertEvidence GA
AlertInfo GA
CloudAppEvents Not yet supported
DeviceEvents GA
DeviceFileCertificateInfo GA
DeviceFileEvents GA
DeviceImageLoadEvents GA
DeviceInfo GA
DeviceLogonEvents GA
DeviceNetworkEvents GA
DeviceNetworkInfo GA
DeviceProcessEvents GA
DeviceRegistryEvents GA
DeviceTvmSecureConfigurationAssessment GA
DeviceTvmSecureConfigurationAssessmentKB GA
DeviceTvmSoftwareInventory GA
DeviceTvmSoftwareVulnerabilities GA
DeviceTvmSoftwareVulnerabilitiesKB GA
EmailAttachmentInfo GA
EmailEvents GA
EmailPostDeliveryEvents GA
EmailUrlInfo GA
IdentityDirectoryEvents Not yet supported
IdentityInfo Not yet supported
IdentityLogonEvents Not yet supported
IdentityQueryEvents Not yet supported