Understand the Advanced hunting schema

Microsoft Defender ATP Pre-release Disclaimer
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The Advanced hunting schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.

Schema tables

The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.

Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.

Table name                                 Description
AlertEvents                                Alerts on Microsoft Defender Security Center
MachineInfo                                Machine information, including OS information
MachineNetworkInfo                         Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
ProcessCreationEvents                      Process creation and related events
NetworkCommunicationEvents                 Network connection and related events
FileCreationEvents                         File creation, modification, and other file system events
RegistryEvents                             Creation and modification of registry entries
LogonEvents                                Sign-ins and other authentication events
ImageLoadEvents                            DLL loading events
MiscEvents                                 Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
DeviceTvmSoftwareInventoryVulnerabilities  Vulnerabilities in your software inventory
DeviceTvmSoftwareVulnerabilitiesKB         Publicly available vulnerabilities and whether they exist in your software inventory
DeviceTvmSecureConfigurationAssessment     Security configuration assessment information
DeviceTvmSecureConfigurationAssessmentKB   Basis of security configuration assessment, such as security industry standards and benchmarks
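The split between event tables and entity tables is what shapes a cross-table query: an event table such as ProcessCreationEvents records what happened, while MachineInfo holds a periodically refreshed snapshot per machine, so a join has to reduce MachineInfo to one row per machine (here, the latest) before enriching events with it. The query below is an added example and is not part of this page; the column names it uses (EventTime, MachineId, ComputerName, OSPlatform, OSBuild, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName) are assumed from the per-table reference pages this page links to, and the PowerShell filter is only a sample hunting condition.

```kusto
// Added example (not from this page): enrich a hunt over an event table with
// the latest per-machine snapshot from MachineInfo. Column names are assumed
// from the per-table schema reference pages.
let LatestMachineInfo =
    MachineInfo
    // MachineInfo holds many rows per machine over time; keep only the newest
    | where EventTime > ago(7d)
    | summarize arg_max(EventTime, OSPlatform, OSBuild) by MachineId
    | project MachineId, OSPlatform, OSBuild;
ProcessCreationEvents
| where EventTime > ago(7d)
// Sample hunting condition: PowerShell started with an encoded command line
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has "EncodedCommand"
// leftouter keeps process events from machines with no recent MachineInfo row
| join kind=leftouter LatestMachineInfo on MachineId
| project EventTime, ComputerName, MachineId, OSPlatform, OSBuild,
          AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by EventTime desc
```

Two details matter when reusing this pattern. First, after the join the right-hand MachineId is renamed MachineId1, so project the left-hand columns explicitly to avoid ambiguous names. Second, apply the time filter on both sides of the join; Advanced hunting keeps up to 30 days of raw data, and summarizing the whole MachineInfo table before joining is the most expensive part of the query.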