Introduction
The tags beginning with edr.microsoft_defender identify events generated by the Microsoft Defender for Endpoint.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as edr.microsoft_defender. The third level identifies the type of events sent.
Technology | Brand | Type | Subtype |
---|---|---|---|
edr | microsoft_defender | endpoint |
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.software |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.vulnerabilities |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.alerts |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_vulnerabilities |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_inventory |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.investigations |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_secure_configuration |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.machines |
edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.recommendations |