AlertInfo

Applies to:

• Microsoft Defender XDR

Get access

To use advanced hunting or other Microsoft Defender XDR capabilities, you need an appropriate role in Microsoft Entra ID. Read about required roles and permissions for advanced hunting.

Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. Read about managing access to Microsoft Defender XDR.

AlertInfo

The AlertInfo table in the advanced hunting schema contains information about alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name	Data type	Description
Timestamp	datetime	Date and time when the record was generated
AlertId	string	Unique identifier for the alert
Title	string	Title of the alert
Category	string	Type of threat indicator or breach activity identified by the alert
Severity	string	Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert
ServiceSource	string	Product or service that provided the alert information
DetectionSource	string	Detection technology or sensor that identified the notable component or activity
AttackTechniques	string	MITRE ATT&CK techniques associated with the activity that triggered the alert

Related topics

• Advanced hunting overview
• Learn the query language
• Use shared queries
• Hunt across devices, emails, apps, and identities
• Understand the schema
• Apply query best practices

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.