Understand the advanced hunting schema

Applies to:

  • Microsoft Threat Protection


Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The advanced hunting schema is made up of multiple tables that provide either event information or information about machines and entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.

Schema tables

The following reference lists all the tables in the schema. Each table name links to a page describing the column names for that table. Table and column names are also listed in the security center as part of the the schema representation on the advanced hunting screen.

Table name Description
AlertEvidence Files, IP addresses, URLs, users, or devices associated with alerts
AlertInfo Alerts from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP, including severity information and threat categorization
AppFileEvents File-related activities in cloud apps and services
DeviceEvents Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
DeviceFileCertificateInfo Certificate information of signed files obtained from certificate verification events on endpoints
DeviceFileEvents File creation, modification, and other file system events
DeviceImageLoadEvents DLL loading events
DeviceInfo Machine information, including OS information
DeviceLogonEvents Sign-ins and other authentication events
DeviceNetworkEvents Network connection and related events
DeviceNetworkInfo Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents Process creation and related events
DeviceRegistryEvents Creation and modification of registry entries
DeviceTvmSecureConfigurationAssessment Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices
DeviceTvmSecureConfigurationAssessmentKB Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks
DeviceTvmSoftwareInventoryVulnerabilities Inventory of software on devices as well as any known vulnerabilities in these software products
DeviceTvmSoftwareVulnerabilitiesKB Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available
EmailAttachmentInfo Information about files attached to emails
EmailEvents Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
EmailUrlInfo Information about URLs on emails
IdentityInfo Account information from various sources, including Azure Active Directory
IdentityLogonEvents Authentication events recorded by Active Directory and other Microsoft online services
IdentityQueryEvents Query activities performed against Active Directory objects, such as users, groups, devices, and domains