
edr.microsoft

Introduction

Tags beginning with edr.microsoft_defender identify events generated by Microsoft Defender for Endpoint.

Tag structure

The full tag must have 4 levels. The first three are fixed as edr.microsoft_defender. The fourth level identifies the type of events sent.

| Product / Service | Tags | Data tables |
|---|---|---|
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.software |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.vulnerabilities |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.alerts |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_vulnerabilities |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_software_inventory |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.investigations |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.assessment_secure_configuration |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.machines |
| Microsoft | edr.microsoft_defender.endpoint.software.<version>.<format> | edr.microsoft_defender.endpoint.recommendations |

Table structure

These are the fields displayed in the tables: