
Introduction

The tags beginning with edr.microsoft_defender identify events generated by Microsoft Defender for Endpoint and Microsoft Defender for IoT.

Tag structure

The full tag must have at least four levels. The first two are fixed as edr.microsoft_defender; the following levels identify the product (endpoint or iot_security) and the type of events sent. Use the tags exactly as listed in the table below, since each tag is also the name of the data table it feeds.

Product / Service | Tags | Data tables

Microsoft Defender for Endpoint (the data table has the same name as the tag)

edr.microsoft_defender.endpoint.software.<version>.<format>advanced_hunting.device_process_events
edr.microsoft_defender.endpoint.software.<version>.<format>alerts.events
edr.microsoft_defender.endpoint.software.<version>.<format>alerts
edr.microsoft_defender.endpoint.software.<version>.<format>assessment_secure_configuration
edr.microsoft_defender.endpoint.software.<version>.<format>assessment_software_inventory
edr.microsoft_defender.advanced_hunting.device_process_events
edr.microsoft_defender.alerts.events
edr.microsoft_defender.endpoint.alerts
edr.microsoft_defender.endpoint.assessment_software_vulnerabilities
edr.microsoft_defender.endpoint.assessment_software_inventory
edr.microsoft_defender.endpoint.assessment_secure_configuration
edr.microsoft_defender.endpoint.investigations
edr.microsoft_defender.endpoint.machines
edr.microsoft_defender.endpoint.recommendations
edr.microsoft_defender.endpoint.software
edr.microsoft_defender.endpoint.vulnerabilities

Microsoft Defender for IoT (the data table has the same name as the tag)

edr.microsoft_defender.iot_security.alert

Table structure

These are the fields displayed in the tables:


edr.microsoft_defender.advanced_hunting.device_process_events

Field | Type
eventdate | timestamp
hostname | str
Timestamp | timestamp
DeviceId | str
DeviceName | str
ActionType | str
FileName | str
FolderPath | str
SHA1 | str
SHA256 | str
MD5 | str
FileSize | int4
ProcessVersionInfoCompanyName | str
ProcessVersionInfoProductName | str
ProcessVersionInfoProductVersion | str
ProcessVersionInfoInternalFileName | str
ProcessVersionInfoOriginalFileName | str
ProcessVersionInfoFileDescription | str
ProcessId | int4
ProcessCommandLine | str
ProcessIntegrityLevel | str
ProcessTokenElevation | str
ProcessCreationTime | str
AccountDomain | str
AccountName | str
AccountSid | str
AccountUpn | str
AccountObjectId | str
LogonId | int4
InitiatingProcessAccountDomain | str
InitiatingProcessAccountName | str
InitiatingProcessAccountSid | str
InitiatingProcessAccountUpn | str
InitiatingProcessAccountObjectId | str
InitiatingProcessLogonId | int4
InitiatingProcessIntegrityLevel | str
InitiatingProcessTokenElevation | str
InitiatingProcessSHA1 | str
InitiatingProcessSHA256 | str
InitiatingProcessMD5 | str
InitiatingProcessFileName | str
InitiatingProcessFileSize | int4
InitiatingProcessVersionInfoCompanyName | str
InitiatingProcessVersionInfoProductName | str
InitiatingProcessVersionInfoProductVersion | str
InitiatingProcessVersionInfoInternalFileName | str
InitiatingProcessVersionInfoOriginalFileName | str
InitiatingProcessVersionInfoFileDescription | str
InitiatingProcessId | int4
InitiatingProcessCommandLine | str
InitiatingProcessCreationTime | str
InitiatingProcessFolderPath | str
InitiatingProcessParentId | int4
InitiatingProcessParentFileName | str
InitiatingProcessParentCreationTime | timestamp
InitiatingProcessSignerType | str
InitiatingProcessSignatureStatus | str
ReportId | int4
AppGuardContainerId | str
AdditionalFields | str
hostchain | str
tag | str
rawMessage | str
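The columns of this table carry both sides of every process creation (the new process and the InitiatingProcess* parent), which is what most hunting logic keys on. The following is an added example, not code from the Devo page or the Devo collector: two hunting rules run over constructed rows whose keys are the column names above. The rows are made up, and the value strings assumed for ProcessTokenElevation (TokenElevationTypeFull) and InitiatingProcessSignatureStatus (Valid, Unsigned) follow the Microsoft advanced hunting schema as I know it rather than anything stated on this page.

```python
# Added example (not from the Devo page or collector): hunting rules over
# constructed edr.microsoft_defender.advanced_hunting.device_process_events rows.
# Dict keys are the column names from the table above; every value is made up.
# Assumption: ProcessTokenElevation uses the Microsoft values
# TokenElevationTypeDefault/Limited/Full and InitiatingProcessSignatureStatus
# uses Valid/Invalid/Unsigned/Unknown.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

SAMPLE_ROWS = [
    {   # benign: Explorer starts Word for an interactive user
        "ReportId": 1, "DeviceName": "wks01", "ActionType": "ProcessCreated",
        "FileName": "WINWORD.EXE",
        "ProcessCommandLine": '"WINWORD.EXE" report.docx',
        "ProcessTokenElevation": "TokenElevationTypeLimited",
        "InitiatingProcessFileName": "explorer.exe",
        "InitiatingProcessParentFileName": "userinit.exe",
        "InitiatingProcessSignatureStatus": "Valid",
        "AccountName": "alice",
    },
    {   # suspicious: Word spawns an encoded, hidden PowerShell
        "ReportId": 2, "DeviceName": "wks01", "ActionType": "ProcessCreated",
        "FileName": "powershell.exe",
        "ProcessCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
        "ProcessTokenElevation": "TokenElevationTypeLimited",
        "InitiatingProcessFileName": "WINWORD.EXE",
        "InitiatingProcessParentFileName": "explorer.exe",
        "InitiatingProcessSignatureStatus": "Valid",
        "AccountName": "alice",
    },
    {   # suspicious: an unsigned parent launches a child with a full admin token
        "ReportId": 3, "DeviceName": "srv02", "ActionType": "ProcessCreated",
        "FileName": "cmd.exe",
        "ProcessCommandLine": "cmd.exe /c whoami /priv",
        "ProcessTokenElevation": "TokenElevationTypeFull",
        "InitiatingProcessFileName": "update_helper.exe",
        "InitiatingProcessParentFileName": "svchost.exe",
        "InitiatingProcessSignatureStatus": "Unsigned",
        "AccountName": "svc_backup",
    },
]


def process_chain(row):
    """Grandparent > parent > child, the way an analyst reads it."""
    keys = ("InitiatingProcessParentFileName", "InitiatingProcessFileName", "FileName")
    return " > ".join(row.get(k, "?").lower() for k in keys)


def office_spawns_script_host(row):
    """Office application creating a script host / LOLBin."""
    return (row.get("InitiatingProcessFileName", "").lower() in OFFICE_APPS
            and row.get("FileName", "").lower() in SCRIPT_HOSTS)


def unsigned_parent_elevated_child(row):
    """Parent without a valid signature handing a fully elevated token to a child."""
    return (row.get("InitiatingProcessSignatureStatus") != "Valid"
            and row.get("ProcessTokenElevation") == "TokenElevationTypeFull")


RULES = {
    "office_spawns_script_host": office_spawns_script_host,
    "unsigned_parent_elevated_child": unsigned_parent_elevated_child,
}


def triage(rows):
    """Return [(ReportId, DeviceName, process chain, [rule names])] for rows hitting any rule."""
    hits = []
    for row in rows:
        fired = [name for name, rule in RULES.items() if rule(row)]
        if fired:
            hits.append((row["ReportId"], row["DeviceName"], process_chain(row), fired))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS):
        print(hit)
```

ReportId plus DeviceId is the pair to keep when you pivot from a hit back into the alerts tables; the chain string is only for reading, since file names in this table are not unique.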

edr.microsoft_defender.endpoint.alerts

Field | Type
eventdate | timestamp
hostname | str
at_odata_context | str
id | str
incidentId | str
investigationId | str
assignedTo | str
severity | str
status | str
classification | str
determination | str
investigationState | str
detectionSource | str
detectorId | str
category | str
threatFamilyName | str
title | str
description | str
alertCreationTime | timestamp
firstEventTime | timestamp
lastEventTime | timestamp
lastUpdateTime | timestamp
resolvedTime | timestamp
machineId | str
computerDnsName | str
rbacGroupName | str
aadTenantId | str
threatName | str
mitreTechniques | str
loggedOnUsers | str
comments | str
domains | str
at_devo_pulling_id | str
related_files | int4
related_ips | int4
related_machines | int4
related_domains | int4
related_users | int4
relatedUser_userName | str
relatedUser_domainName | str
related_evidences | int4
related_loggedOnUsers | int4
raw_evidences | str
evidence_entityType | str
evidence_evidenceCreationTime | timestamp
evidence_sha1 | str
evidence_sha256 | str
evidence_fileName | str
evidence_filePath | str
evidence_processId | str
evidence_processCommandLine | str
evidence_processCreationTime | timestamp
evidence_parentProcessId | str
evidence_parentProcessCreationTime | timestamp
evidence_parentProcessFileName | str
evidence_parentProcessFilePath | str
evidence_ipAddress | str
evidence_url | str
evidence_registryKey | str
evidence_registryHive | str
evidence_registryValueType | str
evidence_registryValue | str
evidence_registryValueName | str
evidence_accountName | str
evidence_domainName | str
evidence_userSid | str
evidence_aadUserId | str
evidence_userPrincipalName | str
evidence_detectionStatus | str
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.assessment_software_vulnerabilities

Field | Type
eventdate | timestamp
hostname | str
at_devo_pulling_id | str
Id | str
DeviceId | str
DeviceName | str
OSPlatform | str
OSVersion | str
OSArchitecture | str
SoftwareVendor | str
SoftwareName | str
SoftwareVersion | str
CveId | str
CvssScore | float8
VulnerabilitySeverityLevel | str
RecommendedSecurityUpdate | str
RecommendedSecurityUpdateId | str
RecommendedSecurityUpdateUrl | str
DiskPaths | str
RegistryPaths_str | str
LastSeenTimestamp | timestamp
FirstSeenTimestamp | timestamp
ExploitabilityLevel | str
RecommendationReference | str
SecurityUpdateAvailable | bool
RbacGroupId | int4
RbacGroupName | str
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.assessment_software_inventory

Field | Type
eventdate | timestamp
hostname | str
at_devo_pulling_id | str
DeviceId | str
DeviceName | str
OSPlatform | str
SoftwareVendor | str
SoftwareName | str
SoftwareVersion | str
NumberOfWeaknesses | int4
DiskPaths | str
RegistryPaths_str | str
SoftwareFirstSeenTimestamp | timestamp
SoftwareLastSeenTimestamp | timestamp
EndOfSupportStatus | str
EndOfSupportDate | str
RbacGroupId | int4
RbacGroupName | str
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.assessment_secure_configuration

Field | Type
eventdate | timestamp
hostname | str
at_devo_pulling_id | str
DeviceId | str
DeviceName | str
OSPlatform | str
OSVersion | str
Timestamp | timestamp
ConfigurationId | str
ConfigurationCategory | str
ConfigurationSubcategory | str
ConfigurationImpact | int4
IsApplicable | bool
ConfigurationName | str
RecommendationReference | str
RbacGroupId | int4
RbacGroupName | str
IsCompliant | bool
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.alerts.events

Field | Type | Field transformation | Source field name
eventdate | timestamp | - | -
at_odata_context | str | - | -
hostname | str | - | -
id | str | - | -
incidentId | str / int8 | - | -
investigationId | str / int8 | - | -
assignedTo | str | - | -
severity | str | - | -
status | str | - | -
classification | str | - | -
determination | str | - | -
investigationState | str | - | -
detectionSource | str | - | -
detectorId | str | - | -
category | str | - | -
threatFamilyName | str | - | -
title | str | - | -
description | str | - | -
alertCreationTime | str / timestamp | - | -
firstEventTime | str / timestamp | - | -
lastEventTime | str / timestamp | - | -
lastUpdateTime | str / timestamp | - | -
resolvedTime | str / timestamp | - | -
machineId | str | - | -
computerDnsName | str | - | -
rbacGroupName | str | - | -
aadTenantId | str | - | -
threatName | str | - | -
mitreTechniques_str | str | join(mitreTechniques, ',') | mitreTechniques
relatedUser__userName | str | - | -
relatedUser__domainName | str | - | -
comments__comment_str | str | join(comments__comment, ',') | comments__comment
comments__createdBy_str | str | join(comments__createdBy, ',') | comments__createdBy
comments__createdTime_str | str | join(comments__createdTime, ',') | comments__createdTime
evidence__entityType_str | str | join(evidence__entityType, ',') | evidence__entityType
evidence__evidenceCreationTime_str | str | join(evidence__evidenceCreationTime, ',') | evidence__evidenceCreationTime
evidence__sha1_str | str | join(evidence__sha1, ',') | evidence__sha1
evidence__sha256_str | str | join(evidence__sha256, ',') | evidence__sha256
evidence__fileName_str | str | join(evidence__fileName, ',') | evidence__fileName
evidence__filePath_str | str | join(evidence__filePath, ',') | evidence__filePath
evidence__processId_str | str | replace(replace(stringify(json(evidence__processId)), "[", ""), "]", "") | evidence__processId
evidence__processCommandLine_str | str | join(evidence__processCommandLine, ',') | evidence__processCommandLine
evidence__processCreationTime_str | str | join(evidence__processCreationTime, ',') | evidence__processCreationTime
evidence__parentProcessId_str | str | replace(replace(stringify(json(evidence__parentProcessId)), "[", ""), "]", "") | evidence__parentProcessId
evidence__parentProcessCreationTime_str | str | join(evidence__parentProcessCreationTime, ',') | evidence__parentProcessCreationTime
evidence__parentProcessFileName_str | str | join(evidence__parentProcessFileName, ',') | evidence__parentProcessFileName
evidence__parentProcessFilePath_str | str | join(evidence__parentProcessFilePath, ',') | evidence__parentProcessFilePath
evidence__ipAddress_str | str | join(evidence__ipAddress, ',') | evidence__ipAddress
evidence__url_str | str | join(evidence__url, ',') | evidence__url
evidence__registryKey_str | str | join(evidence__registryKey, ',') | evidence__registryKey
evidence__registryHive_str | str | join(evidence__registryHive, ',') | evidence__registryHive
evidence__registryValueType_str | str | join(evidence__registryValueType, ',') | evidence__registryValueType
evidence__registryValue_str | str | join(evidence__registryValue, ',') | evidence__registryValue
evidence__accountName_str | str | join(evidence__accountName, ',') | evidence__accountName
evidence__domainName_str | str | join(evidence__domainName, ',') | evidence__domainName
evidence__userSid_str | str | join(evidence__userSid, ',') | evidence__userSid
evidence__aadUserId_str | str | join(evidence__aadUserId, ',') | evidence__aadUserId
evidence__userPrincipalName_str | str | join(evidence__userPrincipalName, ',') | evidence__userPrincipalName
evidence__detectionStatus_str | str | join(evidence__detectionStatus, ',') | evidence__detectionStatus
hostchain | str | - | -
tag | str | - | -
rawMessage | str | - | -

Where two types are listed for a field, the page shows both; the edr.microsoft_defender.endpoint.alerts table above gives str for incidentId and investigationId and timestamp for the time fields.

edr.microsoft_defender.endpoint.investigations

Field | Type
eventdate | timestamp
hostname | str
id | str
startTime | timestamp
endTime | timestamp
state | str
cancelledBy | str
statusDetails | str
machineId | str
computerDnsName | str
triggeringAlertId | str
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.machines

Field | Type
eventdate | timestamp
hostname | str
id | str
computerDnsName | str
firstSeen | timestamp
lastSeen | timestamp
osPlatform | str
osVersion | str
osProcessor | str
version | str
lastIpAddress | ip4
lastExternalIpAddress | ip4
agentVersion | str
osBuild | int4
healthStatus | str
deviceValue | str
rbacGroupId | int4
rbacGroupName | str
riskScore | str
exposureLevel | str
isAadJoined | bool
aadDeviceId | str
machineTags | str
defenderAvStatus | str
onboardingStatus | str
osArchitecture | str
managedBy | str
managedByStatus | str
ipAddresses | str
vmMetadata | str
at_devo_pulling_id | str
related_logon_users | int4
related_alerts | int4
related_vulnerabilities | int4
related_recommendations | int4
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.recommendations

Field | Type
eventdate | timestamp
hostname | str
id | str
productName | str
recommendationName | str
weaknesses | int4
vendor | str
recommendedVersion | str
recommendedVendor | str
recommendedProgram | str
recommendationCategory | str
subCategory | str
severityScore | float8
publicExploit | bool
activeAlert | bool
associatedThreats | str
remediationType | str
status | str
configScoreImpact | float8
exposureImpact | float8
totalMachineCount | int4
exposedMachinesCount | int4
nonProductivityImpactedAssets | int4
relatedComponent | str
hasUnpatchableCve | bool
at_devo_pulling_id | str
related_software | int4
related_machines | int4
related_vulnerabilities | int4
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.software

Field | Type
eventdate | timestamp
hostname | str
id | str
name | str
vendor | str
weaknesses | int4
publicExploit | bool
activeAlert | bool
exposedMachines | int4
installedMachines | int4
impactScore | float8
isNormalized | bool
category | str
distributions | str
related_vulnerabilities | int4
related_machines | int4
related_version_distribution | int4
related_missing_kbs | int4
hostchain | str
tag | str
rawMessage | str

edr.microsoft_defender.endpoint.vulnerabilities

Field | Type
eventdate | timestamp
hostname | str
at_odata_context | str
id | str
name | str
description | str
severity | str
cvssV3 | float8
exposedMachines | int4
publishedOn | timestamp
updatedOn | timestamp
publicExploit | bool
exploitVerified | bool
exploitInKit | bool
exploitTypes | str
exploitUris | str
at_devo_pulling_id | str
related_machines | int4
hostchain | str
tag | str
rawMessage | str
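The vulnerabilities table describes each CVE once (score, exploit flags, exposedMachines), while edr.microsoft_defender.endpoint.assessment_software_vulnerabilities, listed earlier, has one row per device and CVE with the recommended update. Joining the two is how a patch plan is built, and this added example (not code from the Devo page or the Devo collector) does that on constructed rows. The CVE identifiers are placeholders of the form CVE-0000-nnnn, the device and update names are made up, and the three-tier rule is my own triage heuristic, not anything Microsoft or Devo defines.

```python
from collections import defaultdict

# Added example (not from the Devo page or collector). Constructed rows; keys
# are column names of the two tables. CVE ids are placeholders, not real CVEs.
VULNERABILITIES = [  # edr.microsoft_defender.endpoint.vulnerabilities
    {"id": "CVE-0000-1111", "severity": "Critical", "cvssV3": 9.8, "exposedMachines": 2,
     "publicExploit": True, "exploitVerified": True, "exploitInKit": False},
    {"id": "CVE-0000-2222", "severity": "High", "cvssV3": 8.1, "exposedMachines": 3,
     "publicExploit": False, "exploitVerified": False, "exploitInKit": False},
    {"id": "CVE-0000-3333", "severity": "Medium", "cvssV3": 5.3, "exposedMachines": 1,
     "publicExploit": True, "exploitVerified": True, "exploitInKit": True},
]
FINDINGS = [  # edr.microsoft_defender.endpoint.assessment_software_vulnerabilities
    {"DeviceName": "wks01", "CveId": "CVE-0000-1111", "SoftwareName": "office",
     "SoftwareVersion": "16.0.1", "SecurityUpdateAvailable": True,
     "RecommendedSecurityUpdateId": "update-A"},
    {"DeviceName": "srv02", "CveId": "CVE-0000-1111", "SoftwareName": "office",
     "SoftwareVersion": "16.0.1", "SecurityUpdateAvailable": True,
     "RecommendedSecurityUpdateId": "update-A"},
    {"DeviceName": "wks01", "CveId": "CVE-0000-2222", "SoftwareName": "browser",
     "SoftwareVersion": "120.0", "SecurityUpdateAvailable": True,
     "RecommendedSecurityUpdateId": "update-B"},
    {"DeviceName": "wks03", "CveId": "CVE-0000-2222", "SoftwareName": "browser",
     "SoftwareVersion": "120.0", "SecurityUpdateAvailable": True,
     "RecommendedSecurityUpdateId": "update-B"},
    {"DeviceName": "srv02", "CveId": "CVE-0000-3333", "SoftwareName": "legacy_agent",
     "SoftwareVersion": "2.0", "SecurityUpdateAvailable": False,
     "RecommendedSecurityUpdateId": None},
]


def tier(vuln):
    """My heuristic: 1 = exploit in a kit, or public exploit on a high score;
    2 = public exploit or critical score; 3 = everything else."""
    if vuln["exploitInKit"] or (vuln["publicExploit"] and vuln["cvssV3"] >= 7.0):
        return 1
    if vuln["publicExploit"] or vuln["cvssV3"] >= 9.0:
        return 2
    return 3


def patch_plan(vulns, findings):
    """One entry per CVE, most urgent first, with the devices and updates involved."""
    by_cve = defaultdict(list)
    for f in findings:
        by_cve[f["CveId"]].append(f)
    plan = []
    for v in sorted(vulns, key=lambda v: (tier(v), -v["cvssV3"], -v["exposedMachines"])):
        rows = by_cve.get(v["id"], [])
        devices = sorted({r["DeviceName"] for r in rows})
        plan.append({
            "cve": v["id"],
            "tier": tier(v),
            "devices": devices,
            "no_update": sorted({r["DeviceName"] for r in rows
                                 if not r["SecurityUpdateAvailable"]}),
            "updates": sorted({r["RecommendedSecurityUpdateId"] for r in rows
                               if r["RecommendedSecurityUpdateId"]}),
            # exposedMachines is reported per CVE; the per-device rows are a
            # separate export. If they disagree, do not trust either count
            # until both pulls have been checked.
            "count_mismatch": len(devices) != v["exposedMachines"],
        })
    return plan


if __name__ == "__main__":
    for entry in patch_plan(VULNERABILITIES, FINDINGS):
        print(entry)
```

Devices in no_update need a mitigation other than patching (isolation, configuration change, or removal of the software), which is why they are listed separately from the update identifiers.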

edr.microsoft_defender.iot_security.alert

Field | Type | Field transformation | Source field name
eventdate | timestamp | - | -
hostname | str | - | -
id | str | - | -
name | str | - | -
type | str | - | -
tenant_id | str | - | -
kind | str | - | -
location | str | - | -
resource_group | str | - | -
subscription_id | str | - | -
managed_by | str | - | -
sku | str | - | -
plan | str | - | -
properties__product_component_name | str | - | -
properties__azure_resource_id | str | - | -
properties__extended_properties__device_resource_ids | str | - | -
properties__extended_properties__alert_management_uri | str | - | -
properties__extended_properties__device_id | str | - | -
properties__extended_properties__site_display_name | str | - | -
properties__extended_properties__source_device_address_ip4 | ip4 | ip4(properties__extended_properties__source_device_address) | properties__extended_properties__source_device_address
properties__extended_properties__source_device_address_ip6 | ip6 | ip6(properties__extended_properties__source_device_address) | properties__extended_properties__source_device_address
properties__extended_properties__compromised_entity_id | str | - | -
properties__extended_properties__sensor_version | str | - | -
properties__extended_properties__source_device_ip4 | ip4 | ip4(properties__extended_properties__source_device) | properties__extended_properties__source_device
properties__extended_properties__source_device_ip6 | ip6 | ip6(properties__extended_properties__source_device) | properties__extended_properties__source_device
properties__extended_properties__sensor_zone | str | - | -
properties__extended_properties__sensor_type | str | - | -
properties__extended_properties__protocol | str | - | -
properties__extended_properties__sensor_id | str | - | -
properties__extended_properties__category | str | - | -
properties__extended_properties_plc_new_operating_mode | str | - | -
properties__extended_properties__destination_device_address_ip4 | ip4 | ip4(properties__extended_properties__destination_device_address) | properties__extended_properties__destination_device_address
properties__extended_properties__destination_device_address_ip6 | ip6 | ip6(properties__extended_properties__destination_device_address) | properties__extended_properties__destination_device_address
properties__alert_learn_status | str | - | -
properties__system_alert_id | str | - | -
properties__start_time_utc | timestamp | parsedate(properties__start_time_utc_str, ifthenelse(length(properties__start_time_utc_str) = 25, dateformat("YYYY-MM-DD[T]HH:mm:ssZZ", "UTC"), dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC"))) | properties__start_time_utc_str
properties__display_name | str | - | -
properties__severity | str | - | -
properties__techniques | str | - | -
properties__end_time_utc_str | str | - | -
properties__end_time_utc | timestamp | parsedate(properties__end_time_utc_str, ifthenelse(length(properties__end_time_utc_str) = 25, dateformat("YYYY-MM-DD[T]HH:mm:ssZZ", "UTC"), dateformat("YYYY-MM-DD[T]HH:mm:ss.SSSSSSS[Z]", "UTC"))) | properties__end_time_utc_str
properties__alert_type | str | - | -
properties__entities | str | - | -
properties__status | str | - | -
properties__intent | str | - | -
tags | str | - | -
identity | str | - | -
zones | str | - | -
extended_location | str | - | -
at_devo_environment | str | - | -
at_devo_pulling_id | str | - | -
hostchain | str | - | -
tag | str | - | -
rawMessage | str | - | -
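Two of the transformations in this table deserve a closer look: the address columns are split into an ip4 and an ip6 column because a Defender for IoT alert may carry either family, and the start/end times arrive in two shapes, a 25-character offset form (YYYY-MM-DDTHH:mm:ss+HH:MM) and a seven-fractional-digit form ending in Z, which the parsedate() expression distinguishes by string length. The following is an added example, not code from the Devo page or the Devo collector: Python equivalents of those expressions run on a constructed alert. It accepts both timestamp shapes by pattern rather than by length, truncates the seven-digit fraction to microseconds, and returns None for an address column that is not an IP literal, which is my assumption about what ip4()/ip6() produce on unparsable input.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Added example (not from the Devo page or collector): Python equivalents of the
# ip4()/ip6() and parsedate() expressions in the iot_security.alert table, run
# on a constructed alert. (None, None) for non-IP input is an assumption.

_ISO_UTC = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})$"
)


def split_ip(value):
    """Return (ip4, ip6) for one address column; the non-matching side is None,
    and anything that is not an IP literal (a device name, empty) gives (None, None)."""
    if not value:
        return (None, None)
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return (None, None)
    return (str(addr), None) if addr.version == 4 else (None, str(addr))


def parse_utc_time(text):
    """Accept both shapes the page's parsedate() handles: the 25-character
    'YYYY-MM-DDTHH:mm:ss+HH:MM' and 'YYYY-MM-DDTHH:mm:ss.SSSSSSSZ' (seven
    fractional digits). The fraction is truncated to microseconds and the
    result is always converted to UTC."""
    m = _ISO_UTC.match(text.strip())
    if not m:
        raise ValueError(f"unsupported timestamp: {text!r}")
    base, frac, tz = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        hours, minutes = tz[1:].split(":")
        offset = sign * timedelta(hours=int(hours), minutes=int(minutes))
    return dt.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


ADDRESS_COLUMNS = (
    "properties__extended_properties__source_device_address",
    "properties__extended_properties__source_device",
    "properties__extended_properties__destination_device_address",
)
TIME_COLUMNS = ("properties__start_time_utc", "properties__end_time_utc")


def normalize_iot_alert(raw):
    """Derive the *_ip4/*_ip6 and timestamp columns from the string columns."""
    out = dict(raw)
    for col in ADDRESS_COLUMNS:
        out[col + "_ip4"], out[col + "_ip6"] = split_ip(raw.get(col))
    for col in TIME_COLUMNS:
        out[col] = parse_utc_time(raw[col + "_str"])
    return out


SAMPLE_IOT_ALERT = {  # constructed; one timestamp in each format
    "properties__start_time_utc_str": "2024-03-10T08:15:30+02:00",
    "properties__end_time_utc_str": "2024-03-10T06:20:00.1234567Z",
    "properties__extended_properties__source_device_address": "10.20.30.40",
    "properties__extended_properties__source_device": "PLC-07",
    "properties__extended_properties__destination_device_address": "fd00::10",
}


if __name__ == "__main__":
    alert = normalize_iot_alert(SAMPLE_IOT_ALERT)
    for key in sorted(alert):
        print(key, "=", alert[key])
    print("duration:", alert["properties__end_time_utc"] - alert["properties__start_time_utc"])
```

The truncation matters when you correlate with other sources: a seven-digit fraction carries 100 ns ticks, so two alerts that differ only in the seventh digit collapse to the same microsecond after this conversion.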