
Introduction

The tags beginning with edr.microsoft_defender identify events generated by Microsoft Defender for Endpoint.

Tag structure

The full tag must have 4 levels. The first three are fixed as edr.microsoft_defender. The fourth level identifies the type of events sent.

Product / Service: Microsoft Defender Endpoint

Tags | Data tables
edr.microsoft_defender.endpoint.software.<version>.<format>.advanced_hunting.device_process_events | edr.microsoft_defender.advanced_hunting.device_process_events
edr.microsoft_defender.endpoint.software.<version>.<format>alerts.events | edr.microsoft_defender.alerts.events
edr.microsoft_defender.endpoint.software.<version>.<format>alerts | edr.microsoft_defender.endpoint.alerts
edr.microsoft_defender.endpoint.software.<version>.<format>assesment_secure_configuration | edr.microsoft_defender.endpoint.assesment_secure_configuration
edr.microsoft_defender.endpoint.software.<version>.<format>assesment_software_inventory | edr.microsoft_defender.endpoint.software.<version>.<format>assesment_software_inventory
edr.microsoft_defender.endpoint.software.<version>.<format>assesment_software_vulnerabilities | edr.microsoft_defender.endpoint.software.<version>.<format>assesment_software_vulnerabilities
edr.microsoft_defender.endpoint.software.<version>.<format>investigations | edr.microsoft_defender.endpoint.investigations
edr.microsoft_defender.endpoint.machines | edr.microsoft_defender.endpoint.machines
edr.microsoft_defender.endpoint.recommendations | edr.microsoft_defender.endpoint.recommendations
edr.microsoft_defender.endpoint.software | edr.microsoft_defender.endpoint.software
edr.microsoft_defender.endpoint.vulnerabilities | edr.microsoft_defender.endpoint.vulnerabilities

Table structure

These are the fields displayed in the tables:


edr.microsoft_defender.advanced_hunting.device_process_events

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str
Timestamp | timestamp
DeviceId | str | -
DeviceName | str
ActionType | str | -
FileName | str
FolderPath | str
SHA1 | str | -
SHA256 | str | -
MD5 | str
FileSize | int4 | -
ProcessVersionInfoCompanyName | str
ProcessVersionInfoProductName | str
ProcessVersionInfoProductVersion | str
ProcessVersionInfoInternalFileName | str
ProcessVersionInfoOriginalFileName | str
ProcessVersionInfoFileDescription | str
ProcessId | int4
ProcessCommandLine | str
ProcessIntegrityLevel | str
ProcessTokenElevation | str
ProcessCreationTime | str
AccountDomain | str
AccountName | str
AccountSid | str
AccountUpn | str
AccountObjectId | str
LogonId | int4
InitiatingProcessAccountDomain | str
InitiatingProcessAccountName | str
InitiatingProcessAccountSid | str
InitiatingProcessAccountUpn | str
InitiatingProcessAccountObjectId | str
InitiatingProcessLogonId | int4
InitiatingProcessIntegrityLevel | str
InitiatingProcessTokenElevation | str
InitiatingProcessSHA1 | str
InitiatingProcessSHA256 | str
InitiatingProcessMD5 | str
InitiatingProcessFileName | str
InitiatingProcessFileSize | int4
InitiatingProcessVersionInfoCompanyName | str
InitiatingProcessVersionInfoProductName | str
InitiatingProcessVersionInfoProductVersion | str
InitiatingProcessVersionInfoInternalFileName | str
InitiatingProcessVersionInfoOriginalFileName | str
InitiatingProcessVersionInfoFileDescription | str
InitiatingProcessId | int4
InitiatingProcessCommandLine | str
InitiatingProcessCreationTime | str
InitiatingProcessFolderPath | str
InitiatingProcessParentId | int4
InitiatingProcessParentFileName | str
InitiatingProcessParentCreationTime | timestamp
InitiatingProcessSignerType | str
InitiatingProcessSignatureStatus | str
ReportId | int4
AppGuardContainerId | str
AdditionalFields | str
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.alerts.events

Field | Type | Field transformation | Source field name
eventdate | timestamp
hostname | str
id | str
incidentId | int8
investigationId | int8
assignedTo | str
severity | str
status | str
classification | str
determination | str
investigationState | str
detectionSource | str
detectorId | str
category | str
threatFamilyName | str
title | str
description | str
alertCreationTime | str
firstEventTime | str
lastEventTime | str
lastUpdateTime | str
resolvedTime | str
machineId | str
computerDnsName | str
rbacGroupName | str
aadTenantId | str
threatName | str
mitreTechniques_str | str | join(mitreTechniques, ',') | mitreTechniques
relatedUser__userName | str
relatedUser__domainName | str
comments__comment_str | str | join(comments__comment, ',') | comments__comment
comments__createdBy_str | str | join(comments__createdBy, ',') | comments__createdBy
comments__createdTime_str | str | join(comments__createdTime, ',') | comments__createdTime
evidence__entityType_str | str | join(evidence__entityType, ',') | evidence__entityType
evidence__evidenceCreationTime_str | str | join(evidence__evidenceCreationTime, ',') | evidence__evidenceCreationTime
evidence__sha1_str | str | join(evidence__sha1, ',') | evidence__sha1
evidence__sha256_str | str | join(evidence__sha256, ',') | evidence__sha256
evidence__fileName_str | str | join(evidence__fileName, ',') | evidence__fileName
evidence__filePath_str | str | join(evidence__filePath, ',') | evidence__filePath
evidence__processId_str | str | replace(replace(stringify(json(evidence__processId)), "[", ""), "]", "") | evidence__processId
evidence__processCommandLine_str | str | join(evidence__processCommandLine, ',') | evidence__processCommandLine
evidence__processCreationTime_str | str | join(evidence__processCreationTime, ',') | evidence__processCreationTime
evidence__parentProcessId_str | str | replace(replace(stringify(json(evidence__parentProcessId)), "[", ""), "]", "") | evidence__parentProcessId
evidence__parentProcessCreationTime_str | str | join(evidence__parentProcessCreationTime, ',') | evidence__parentProcessCreationTime
evidence__parentProcessFileName_str | str | join(evidence__parentProcessFileName, ',') | evidence__parentProcessFileName
evidence__parentProcessFilePath_str | str | join(evidence__parentProcessFilePath, ',') | evidence__parentProcessFilePath
evidence__ipAddress_str | str | join(evidence__ipAddress, ',') | evidence__ipAddress
evidence__url_str | str | join(evidence__url, ',') | evidence__url
evidence__registryKey_str | str | join(evidence__registryKey, ',') | evidence__registryKey
evidence__registryHive_str | str | join(evidence__registryHive, ',') | evidence__registryHive
evidence__registryValueType_str | str | join(evidence__registryValueType, ',') | evidence__registryValueType
evidence__registryValue_str | str | join(evidence__registryValue, ',') | evidence__registryValue
evidence__accountName_str | str | join(evidence__accountName, ',') | evidence__accountName
evidence__domainName_str | str | join(evidence__domainName, ',') | evidence__domainName
evidence__userSid_str | str | join(evidence__userSid, ',') | evidence__userSid
evidence__aadUserId_str | str | join(evidence__aadUserId, ',') | evidence__aadUserId
evidence__userPrincipalName_str | str | join(evidence__userPrincipalName, ',') | evidence__userPrincipalName
evidence__detectionStatus_str | str | join(evidence__detectionStatus, ',') | evidence__detectionStatus
hostchain | str
tag | str
rawMessage | str
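The join and replace transformations in the alerts.events table flatten the alert's array fields into the *_str columns. The following is an added example, not part of the Devo documentation or its parser, that re-implements those two transformations in Python over a constructed alert; the alert shape, the field names used, and the rendering of missing array elements as empty strings are assumptions.

```python
import json

# Constructed sample alert (values are made up); only the array fields that
# feed the *_str columns are populated. Assumed shape, not a real export.
SAMPLE_ALERT = {
    "id": "alert-0001",
    "mitreTechniques": ["T1059.001", "T1105"],
    "comments": [
        {"comment": "triage started", "createdBy": "analyst@example.com",
         "createdTime": "2024-01-01T10:00:00Z"},
    ],
    "evidence": [
        {"entityType": "Process", "sha1": "a" * 40, "fileName": "powershell.exe",
         "processId": 4120, "parentProcessId": 612, "ipAddress": None},
        {"entityType": "Ip", "sha1": None, "fileName": None,
         "processId": None, "parentProcessId": None, "ipAddress": "203.0.113.7"},
    ],
}

# Fields the table flattens with the stringify(json(...)) form instead of join.
EVIDENCE_INT_FIELDS = {"processId", "parentProcessId"}


def join_str(values):
    """join(x, ','): comma-join the elements in order (assumption: a missing
    element becomes an empty string so positions stay aligned)."""
    return ",".join("" if v is None else str(v) for v in values)


def strip_brackets(values):
    """replace(replace(stringify(json(x)), "[", ""), "]", ""): JSON-encode the
    list and drop the outer brackets; a missing integer stays the literal null."""
    return json.dumps(values, separators=(",", ":")).replace("[", "").replace("]", "")


def flatten_alert(alert):
    """Derive the *_str columns of alerts.events from one raw alert dict."""
    row = {"id": alert["id"]}
    row["mitreTechniques_str"] = join_str(alert.get("mitreTechniques", []))
    for key in ("comment", "createdBy", "createdTime"):
        row[f"comments__{key}_str"] = join_str(
            [c.get(key) for c in alert.get("comments", [])])
    evidence = alert.get("evidence", [])
    for key in sorted({k for item in evidence for k in item}):
        column = [item.get(key) for item in evidence]
        flattener = strip_brackets if key in EVIDENCE_INT_FIELDS else join_str
        row[f"evidence__{key}_str"] = flattener(column)
    return row


if __name__ == "__main__":
    for name, value in flatten_alert(SAMPLE_ALERT).items():
        print(f"{name}: {value}")
```

Because every evidence__*_str column is produced by the same ordered join, the i-th element of one column refers to the same evidence item as the i-th element of every other one, which is what lets a query split the strings and re-associate, say, a SHA-1 with its process id.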

edr.microsoft_defender.endpoint.alerts

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
at_odata_context | str | -
id | str | -
incidentId | str | -
investigationId | str | -
assignedTo | str | -
severity | str | -
status | str | -
classification | str | -
determination | str | -
investigationState | str | -
detectionSource | str | -
detectorId | str | -
category | str | -
threatFamilyName | str | -
title | str | -
description | str | -
alertCreationTime | timestamp | -
firstEventTime | timestamp | -
lastEventTime | timestamp | -
lastUpdateTime | timestamp | -
resolvedTime | timestamp | -
machineId | str | -
computerDnsName | str | -
rbacGroupName | str | -
aadTenantId | str | -
threatName | str | -
mitreTechniques | str | -
loggedOnUsers | str | -
comments | str | -
domains | str | -
at_devo_pulling_id | str | -
related_files | int4 | -
related_ips | int4 | -
related_machines | int4 | -
related_domains | int4 | -
related_users | int4 | -
relatedUser_userName | str | -
relatedUser_domainName | str | -
related_evidences | int4 | -
related_loggedOnUsers | int4 | -
raw_evidences | str | -
evidence_entityType | str | -
evidence_evidenceCreationTime | timestamp | -
evidence_sha1 | str | -
evidence_sha256 | str | -
evidence_fileName | str | -
evidence_filePath | str | -
evidence_processId | str | -
evidence_processCommandLine | str | -
evidence_processCreationTime | timestamp | -
evidence_parentProcessId | str | -
evidence_parentProcessCreationTime | timestamp | -
evidence_parentProcessFileName | str | -
evidence_parentProcessFilePath | str | -
evidence_ipAddress | str | -
evidence_url | str | -
evidence_registryKey | str | -
evidence_registryHive | str | -
evidence_registryValueType | str | -
evidence_registryValue | str | -
evidence_registryValueName | str | -
evidence_accountName | str | -
evidence_domainName | str | -
evidence_userSid | str | -
evidence_aadUserId | str | -
evidence_userPrincipalName | str | -
evidence_detectionStatus | str | -
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.assessment_secure_configuration

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
DeviceId | str | -
DeviceName | str | -
OSPlatform | str | -
OSVersion | str | -
Timestamp | timestamp
ConfigurationId | str | -
ConfigurationCategory | str | -
ConfigurationSubcategory | str | -
ConfigurationImpact | int4
IsApplicable | bool | -
ConfigurationName | str
RecommendationReference | str | -
RbacGroupId | int4 | -
RbacGroupName | str | -
IsCompliant | bool
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.assessment_software_vulnerabilities

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
Id | str | -
at_devo_pulling_id | str | -
DeviceId | str | -
DeviceName | str | -
OSPlatform | str | -
OSVersion | str | -
OSArchitecture | str
SoftwareVendor | str | -
SoftwareName | str | -
SoftwareVersion | str | -
CveId | str
CvssScore | float8 | -
VulnerabilitySeverityLevel | str | -
RecommendedSecurityUpdate | str | -
RecommendedSecurityUpdateId | str | -
RecommendedSecurityUpdateUrl | str | -
DiskPaths | str | -
RegistryPaths_str | str | -
LastSeenTimestamp | timestamp | -
FirstSeenTimestamp | timestamp | -
ExploitabilityLevel | str | -
SecurityUpdateAvailable | bool | -
RbacGroupId | int4 | -
RbacGroupName | str | -
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.assessment_software_inventory

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
DeviceId | str | -
DeviceName | str | -
OSPlatform | str | -
SoftwareVendor | str | -
SoftwareName | str | -
SoftwareVersion | str | -
NumberOfWeaknesses | int4 | -
DiskPaths | str | -
RegistryPaths_str | str | -
SoftwareFirstSeenTimestamp | timestamp | -
SoftwareLastSeenTimestamp | timestamp | -
EndOfSupportStatus | str | -
EndOfSupportDate | str | -
RbacGroupId | int4 | -
RbacGroupName | str | -
hostchain | str
tag | str
rawMessage | str


edr.microsoft_defender.endpoint.investigations

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
at_devo_pulling_id | str | -
id | str | -
startTime | timestamp | -
endTime | timestamp | -
state | str | -
cancelledBy | str | -
statusDetails | str | -
machineId | str | -
computerDnsName | str | -
triggeringAlertId | str | -
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.machines

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str
id | str | -
computerDnsName | str | -
firstSeen | timestamp
lastSeen | timestamp
osPlatform | str
osVersion | str | -
osProcessor | str
version | str | -
lastIpAddress | ip4
lastExternalIpAddress | ip4
agentVersion | str | -
osBuild | int4
healthStatus | str | -
deviceValue | str
rbacGroupId | int4 | -
rbacGroupName | str
riskScore | str | -
exposureLevel | str | -
isAadJoined | bool
aadDeviceId | str
machineTags | str | -
defenderAvStatus | str
onboardingStatus | str | -
osArchitecture | str
managedBy | str | -
managedByStatus | str | -
ipAddresses | str
vmMetadata | str | -
at_devo_pulling_id | str
related_logon_users | int4 | -
related_alerts | int4
related_vulnerabilities | int4 | -
related_recommendations | int4 | -
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.recommendations

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
id | str | -
productName | str
recommendationName | str | -
weaknesses | int4
vendor | str | -
recommendedVersion | str | -
recommendedVendor | str | -
recommendedProgram | str
recommendationCategory | str
subCategory | str | -
severityScore | float8
publicExploit | bool | -
activeAlert | bool | -
associatedThreats | str | -
remediationType | str | -
status | str | -
configScoreImpact | float8
exposureImpact | float8 | -
totalMachineCount | int4 | -
exposedMachinesCount | int4
nonProductivityImpactedAssets | int4 | -
relatedComponent | str | -
hasUnpatchableCve | bool
at_devo_pulling_id | str | -
related_software | int4 | -
related_machines | int4 | -
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.software

Field | Type | Extra fields
eventdate | timestamp | -
hostname | str | -
id | str | -
name | str
vendor | str | -
weaknesses | int4
publicExploit | bool
activeAlert | bool
exposedMachines | int4
installedMachines | int4
impactScore | float8
isNormalized | bool
category | str
distributions | str
related_vulnerabilities | int4
related_machines | int4
related_version_distribution | int4
related_missing_kbs | int4
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.vulnerabilities

Field | Type | Extra fields
eventdate | timestamp
hostname | str
at_odata_context | str
id | str
name | str
description | str
severity | str
cvssV3 | float8
exposedMachines | int4
publishedOn | timestamp
updatedOn | timestamp
publicExploit | bool
exploitVerified | bool
exploitInKit | bool
exploitTypes | str
exploitUris | str
at_devo_pulling_id | str | -
related_software | int4 | -
related_machines | int4 | -
related_vulnerabilities | int4 | -
hostchain | str
tag | str
rawMessage | str