Understand the Advanced hunting schema
Want to experience Microsoft Defender ATP? Sign up for a free trial.
Microsoft Defender ATP Pre-release Disclaimer
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Advanced hunting schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
|AlertEvents||Alerts on Microsoft Defender Security Center|
|MachineInfo||Machine information, including OS information|
|MachineNetworkInfo||Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains|
|ProcessCreationEvents||Process creation and related events|
|NetworkCommunicationEvents||Network connection and related events|
|FileCreationEvents||File creation, modification, and other file system events|
|RegistryEvents||Creation and modification of registry entries|
|LogonEvents||Sign-ins and other authentication events|
|ImageLoadEvents||DLL loading events|
|MiscEvents||Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection|
|DeviceTvmSoftwareInventoryVulnerabilities||Vulnerabilities in your software inventory|
|DeviceTvmSoftwareVulnerabilitiesKB||Publicly-available vulnerabilities and whether they exist in your software inventory|
|DeviceTvmSecureConfigurationAssessment||Security configuration assessment information|
|DeviceTvmSecureConfigurationAssessmentKB||Basis of security configuration assessment such as security industry standards and benchmarks|