
Introduction

Tags beginning with edr.microsoft_defender identify events generated by Microsoft Defender for Endpoint.

Valid tags and data tables

The full tag must have 4 levels. The first two are fixed as edr.microsoft_defender. The third level identifies the type of events sent, and the fourth level identifies the subtype.

| Technology | Brand | Type | Subtype |
|---|---|---|---|
| edr | microsoft_defender | endpoint | software, vulnerabilities, alerts, assesment_software_vulnerabilities, assesment_software_inventory, investigations, assesment_secure_configuration, machines, recommendations |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.software |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.vulnerabilities |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.alerts |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_vulnerabilities |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_inventory |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.investigations |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_secure_configuration |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.machines |
| edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.recommendations |
