Introduction
The tags beginning with edr.microsoft_defender identify events generated by Microsoft Defender.
The full tag must have 4 levels. The first three are fixed as edr.microsoft_defender. The fourth level identifies the type of events sent.
| Product / Service | Tags | Data tables |
|---|---|---|
| Microsoft Defender Endpoint | edr.microsoft_defender.advanced_hunting.device_process_events | edr.microsoft_defender.advanced_hunting.device_process_events |
| | edr.microsoft_defender.alerts.events | edr.microsoft_defender.alerts.events |
| | edr.microsoft_defender.endpoint.alerts | edr.microsoft_defender.endpoint.alerts |
| | edr.microsoft_defender.endpoint.assesment_secure_configuration | edr.microsoft_defender.endpoint.assesment_secure_configuration |
| | edr.microsoft_defender.endpoint.assesment_software_inventory | edr.microsoft_defender.endpoint.assesment_software_inventory |
| | edr.microsoft_defender.endpoint.assesment_software_vulnerabilities | edr.microsoft_defender.endpoint.assesment_software_vulnerabilities |
| | edr.microsoft_defender.endpoint.investigations | edr.microsoft_defender.endpoint.investigations |
| | edr.microsoft_defender.endpoint.machines | edr.microsoft_defender.endpoint.machines |
| | edr.microsoft_defender.endpoint.recommendations | edr.microsoft_defender.endpoint.recommendations |
| | edr.microsoft_defender.endpoint.software | edr.microsoft_defender.endpoint.software |
| | edr.microsoft_defender.endpoint.vulnerabilities | edr.microsoft_defender.endpoint.vulnerabilities |
Table structure
These are the fields displayed in the tables: