
The tags beginning with edr.microsoft_defender identify events generated by Microsoft Defender for Endpoint.


Tag structure

The full tag must have 4 levels. The first three are fixed as edr.microsoft_defender.endpoint; the fourth level identifies the type of events sent.

Product / Service | Tags | Data tables
Microsoft | edr.microsoft_defender. | ...

Technology | Brand | Type | Subtype
edr | microsoft_defender | endpoint | one of the subtypes listed below

  • software

  • vulnerabilities

  • alerts

  • assessment_software_vulnerabilities

  • assessment_software_inventory

  • investigations

  • assessment_secure_configuration

  • machines

  • recommendations

These are the valid tags and the corresponding data tables that will receive the parsers' data (the fourth level of each tag selects the table):

Tag | Data table
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.software
edr.microsoft_defender.endpoint.vulnerabilities.<version>.<format> | edr.microsoft_defender.endpoint.vulnerabilities
edr.microsoft_defender.endpoint.alerts.<version>.<format> | edr.microsoft_defender.endpoint.alerts
edr.microsoft_defender.endpoint.assessment_software_vulnerabilities.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_vulnerabilities
edr.microsoft_defender.endpoint.assessment_software_inventory.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_inventory
edr.microsoft_defender.endpoint.investigations.<version>.<format> | edr.microsoft_defender.endpoint.investigations
edr.microsoft_defender.endpoint.assessment_secure_configuration.<version>.<format> | edr.microsoft_defender.endpoint.assessment_secure_configuration
edr.microsoft_defender.endpoint.machines.<version>.<format> | edr.microsoft_defender.endpoint.machines
edr.microsoft_defender.endpoint.recommendations.<version>.<format> | edr.microsoft_defender.endpoint.recommendations
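As an added example (not part of the Devo documentation or of any collector code), the following Python applies the tag rule above to route an incoming tag to its data table and to reject malformed tags; it assumes the <version> and <format> placeholders stand for two optional trailing levels, and the function and class names are its own.

```python
# Added example, not Devo's own code: apply this page's tag rule
# (edr.microsoft_defender.endpoint.<subtype>[.<version>.<format>]) to route
# a tag to the data table that receives the parser's output.
# Assumption: the <version>.<format> placeholders are two optional levels.
from dataclasses import dataclass
from typing import Optional

FIXED_LEVELS = ("edr", "microsoft_defender", "endpoint")

# Valid fourth-level subtypes, copied from the subtype list on this page.
SUBTYPES = frozenset({
    "software", "vulnerabilities", "alerts",
    "assessment_software_vulnerabilities", "assessment_software_inventory",
    "investigations", "assessment_secure_configuration", "machines",
    "recommendations",
})


@dataclass(frozen=True)
class ResolvedTag:
    table: str              # data table, always the 4-level form
    subtype: str
    version: Optional[str]  # filled only for the 6-level form
    fmt: Optional[str]


def resolve_tag(tag: str) -> ResolvedTag:
    """Validate a tag and return its target table; raise ValueError otherwise."""
    levels = tag.split(".")
    if len(levels) not in (4, 6):
        raise ValueError(f"expected 4 or 6 levels, got {len(levels)}: {tag!r}")
    if any(not level for level in levels):
        raise ValueError(f"empty level in tag {tag!r}")
    if tuple(levels[:3]) != FIXED_LEVELS:
        raise ValueError(f"first three levels must be {'.'.join(FIXED_LEVELS)}")
    subtype = levels[3]
    if subtype not in SUBTYPES:  # catches typos such as 'assesment_...'
        raise ValueError(f"unknown subtype {subtype!r}")
    version, fmt = (levels[4], levels[5]) if len(levels) == 6 else (None, None)
    return ResolvedTag(".".join(FIXED_LEVELS + (subtype,)), subtype, version, fmt)


def is_valid_tag(tag: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_tag(tag)
    except ValueError:
        return False
    return True
```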

Table structure

These are the fields displayed in the tables (a ✓ in the Extra Field column marks the extra fields hostchain, tag and rawMessage):

Table 1: edr.microsoft_defender.endpoint.software

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
id | str | -
name | str | -
vendor | str | -
weaknesses | int4 | -
publicExploit | bool | -
activeAlert | bool | -
exposedMachines | int4 | -
installedMachines | int4 | -
impactScore | float8 | -
isNormalized | bool | -
category | str | -
distributions | str | -
related_vulnerabilities | int4 | -
related_machines | int4 | -
related_version_distribution | int4 | -
related_missing_kbs | int4 | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 2: edr.microsoft_defender.endpoint.vulnerabilities

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
at_odata_context | str | -
id | str | -
name | str | -
description | str | -
severity | str | -
cvssV3 | float8 | -
exposedMachines | int4 | -
publishedOn | timestamp | -
updatedOn | timestamp | -
publicExploit | bool | -
exploitVerified | bool | -
exploitInKit | bool | -
exploitTypes | str | -
exploitUris | str | -
at_devo_pulling_id | str | -
related_machines | int4 | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 3: edr.microsoft_defender.endpoint.alerts

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
at_odata_context | str | -
id | str | -
incidentId | str | -
investigationId | str | -
assignedTo | str | -
severity | str | -
status | str | -
classification | str | -
determination | str | -
investigationState | str | -
detectionSource | str | -
detectorId | str | -
category | str | -
threatFamilyName | str | -
title | str | -
description | str | -
alertCreationTime | timestamp | -
firstEventTime | timestamp | -
lastEventTime | timestamp | -
lastUpdateTime | timestamp | -
resolvedTime | timestamp | -
machineId | str | -
computerDnsName | str | -
rbacGroupName | str | -
aadTenantId | str | -
threatName | str | -
mitreTechniques | str | -
loggedOnUsers | str | -
comments | str | -
domains | str | -
at_devo_pulling_id | str | -
related_files | int4 | -
related_ips | int4 | -
related_machines | int4 | -
related_domains | int4 | -
related_users | int4 | -
relatedUser_userName | str | -
relatedUser_domainName | str | -
related_evidences | int4 | -
related_loggedOnUsers | int4 | -
raw_evidences | str | -
evidence_entityType | str | -
evidence_evidenceCreationTime | timestamp | -
evidence_sha1 | str | -
evidence_sha256 | str | -
evidence_fileName | str | -
evidence_filePath | str | -
evidence_processId | str | -
evidence_processCommandLine | str | -
evidence_processCreationTime | timestamp | -
evidence_parentProcessId | str | -
evidence_parentProcessCreationTime | timestamp | -
evidence_parentProcessFileName | str | -
evidence_parentProcessFilePath | str | -
evidence_ipAddress | str | -
evidence_url | str | -
evidence_registryKey | str | -
evidence_registryHive | str | -
evidence_registryValueType | str | -
evidence_registryValue | str | -
evidence_registryValueName | str | -
evidence_accountName | str | -
evidence_domainName | str | -
evidence_userSid | str | -
evidence_aadUserId | str | -
evidence_userPrincipalName | str | -
evidence_detectionStatus | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 4: edr.microsoft_defender.endpoint.assessment_software_vulnerabilities

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
Id | str | -
DeviceId | str | -
DeviceName | str | -
OSPlatform | str | -
OSVersion | str | -
OSArchitecture | str | -
SoftwareVendor | str | -
SoftwareName | str | -
SoftwareVersion | str | -
CveId | str | -
CvssScore | float8 | -
VulnerabilitySeverityLevel | str | -
RecommendedSecurityUpdate | str | -
RecommendedSecurityUpdateId | str | -
RecommendedSecurityUpdateUrl | str | -
DiskPaths | str | -
RegistryPaths_str | str | -
LastSeenTimestamp | timestamp | -
FirstSeenTimestamp | timestamp | -
ExploitabilityLevel | str | -
RecommendationReference | str | -
SecurityUpdateAvailable | bool | -
RbacGroupId | int4 | -
RbacGroupName | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 5: edr.microsoft_defender.endpoint.assessment_software_inventory

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
DeviceId | str | -
DeviceName | str | -
OSPlatform | str | -
SoftwareVendor | str | -
SoftwareName | str | -
SoftwareVersion | str | -
NumberOfWeaknesses | int4 | -
DiskPaths | str | -
RegistryPaths_str | str | -
SoftwareFirstSeenTimestamp | timestamp | -
SoftwareLastSeenTimestamp | timestamp | -
EndOfSupportStatus | str | -
EndOfSupportDate | str | -
RbacGroupId | int4 | -
RbacGroupName | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 6: edr.microsoft_defender.endpoint.investigations

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
id | str | -
startTime | timestamp | -
endTime | timestamp | -
state | str | -
cancelledBy | str | -
statusDetails | str | -
machineId | str | -
computerDnsName | str | -
triggeringAlertId | str | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 7: edr.microsoft_defender.endpoint.assessment_secure_configuration

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
DeviceId | str | -
DeviceName | str | -
OSPlatform | str | -
OSVersion | str | -
Timestamp | timestamp | -
ConfigurationId | str | -
ConfigurationCategory | str | -
ConfigurationSubcategory | str | -
ConfigurationImpact | int4 | -
IsApplicable | bool | -
ConfigurationName | str | -
RecommendationReference | str | -
RbacGroupId | int4 | -
RbacGroupName | str | -
IsCompliant | bool | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 8: edr.microsoft_defender.endpoint.machines

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
id | str | -
computerDnsName | str | -
firstSeen | timestamp | -
lastSeen | timestamp | -
osPlatform | str | -
osVersion | str | -
osProcessor | str | -
version | str | -
lastIpAddress | ip4 | -
lastExternalIpAddress | ip4 | -
agentVersion | str | -
osBuild | int4 | -
healthStatus | str | -
deviceValue | str | -
rbacGroupId | int4 | -
rbacGroupName | str | -
riskScore | str | -
exposureLevel | str | -
isAadJoined | bool | -
aadDeviceId | str | -
machineTags | str | -
defenderAvStatus | str | -
onboardingStatus | str | -
osArchitecture | str | -
managedBy | str | -
managedByStatus | str | -
ipAddresses | str | -
vmMetadata | str | -
at_devo_pulling_id | str | -
related_logon_users | int4 | -
related_alerts | int4 | -
related_vulnerabilities | int4 | -
related_recommendations | int4 | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

Table 9: edr.microsoft_defender.endpoint.recommendations

Field | Type | Extra Field
eventdate | timestamp | -
hostname | str | -
id | str | -
productName | str | -
recommendationName | str | -
weaknesses | int4 | -
vendor | str | -
recommendedVersion | str | -
recommendedVendor | str | -
recommendedProgram | str | -
recommendationCategory | str | -
subCategory | str | -
severityScore | float8 | -
publicExploit | bool | -
activeAlert | bool | -
associatedThreats | str | -
remediationType | str | -
status | str | -
configScoreImpact | float8 | -
exposureImpact | float8 | -
totalMachineCount | int4 | -
exposedMachinesCount | int4 | -
nonProductivityImpactedAssets | int4 | -
relatedComponent | str | -
hasUnpatchableCve | bool | -
at_devo_pulling_id | str | -
related_software | int4 | -
related_machines | int4 | -
related_vulnerabilities | int4 | -
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓