Advanced hunting schema – Naming changes (Microsoft)

0
(0)

 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender

 Important

Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The advanced hunting schema is updated regularly to add new tables and columns. In some cases, existing columns names are renamed or replaced to improve the user experience. Refer to this article to review naming changes that could impact your queries.

Naming changes are automatically applied to queries that are saved in the Defender for Cloud, including queries used by custom detection rules. You don’t need to update these queries manually. However, you will need to update the following queries:

  • Queries that are run using the API
  • Queries that are saved elsewhere outside the Defender for Cloud

December 2020

Table name Original column name New column name Reason for change
EmailEvents FinalEmailAction EmailAction Customer feedback
EmailEvents FinalEmailActionPolicy EmailActionPolicy Customer feedback
EmailEvents FinalEmailActionPolicyGuid EmailActionPolicyGuid Customer feedback

January 2021

Column name Original value name New value name Reason for change
DetectionSource Defender for Cloud Apps Microsoft Defender for Cloud Apps Rebranding
DetectionSource WindowsDefenderAtp EDR Rebranding
DetectionSource WindowsDefenderAv Antivirus Rebranding
DetectionSource WindowsDefenderSmartScreen SmartScreen Rebranding
DetectionSource CustomerTI Custom TI Rebranding
DetectionSource OfficeATP Microsoft Defender for Office 365 Rebranding
DetectionSource MTP Microsoft 365 Defender Rebranding
DetectionSource AzureATP Microsoft Defender for Identity Rebranding
DetectionSource CustomDetection Custom detection Rebranding
DetectionSource AutomatedInvestigation Automated investigation Rebranding
DetectionSource ThreatExperts Microsoft Threat Experts Rebranding
DetectionSource 3rd party TI 3rd Party sensors Rebranding
ServiceSource Microsoft Defender ATP Microsoft Defender for Endpoint Rebranding
ServiceSource Microsoft Threat Protection Microsoft 365 Defender Rebranding
ServiceSource Office 365 ATP Microsoft Defender for Office 365 Rebranding
ServiceSource Azure ATP Microsoft Defender for Identity Rebranding

DetectionSource is available in the AlertInfo table. ServiceSource is available in the AlertEvidence and AlertInfo tables.

February 2021

  1. In the EmailAttachmentInfo and EmailEvents tables, the MalwareFilterVerdictand PhishFilterVerdict columns have been replaced by the ThreatTypes column. The MalwareDetectionMethod and PhishDetectionMethod columns were also replaced by the DetectionMethods column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.
    Table name Original column name New column name Reason for change
    EmailAttachmentInfo MalwareDetectionMethod
    PhishDetectionMethod    		 DetectionMethods Include more detection methods
    EmailAttachmentInfo MalwareFilterVerdict
    PhishFilterVerdict    		 ThreatTypes Include more threat types
    EmailEvents MalwareDetectionMethod
    PhishDetectionMethod    		 DetectionMethods Include more detection methods
    EmailEvents MalwareFilterVerdict
    PhishFilterVerdict    		 ThreatTypes Include more threat types
  2. In the EmailAttachmentInfo and EmailEvents tables, the ThreatNames column was added to give more information about the email threat. This column contains values like Spam or Phish.
  3. In the DeviceInfo table, the DeviceObjectId column was replaced by the AadDeviceId column based on customer feedback.
  4. In the DeviceEvents table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.
    Table name Original ActionType name New ActionType name Reason for change
    DeviceEvents DlpPocPrintJob FilePrinted Customer feedback
    DeviceEvents UsbDriveMount UsbDriveMounted Customer feedback
    DeviceEvents UsbDriveUnmount UsbDriveUnmounted Customer feedback
    DeviceEvents WriteProcessMemoryApiCall WriteToLsassProcessMemory Customer feedback

March 2021

The DeviceTvmSoftwareInventoryVulnerabilities table has been deprecated. Replacing it are the DeviceTvmSoftwareInventory and DeviceTvmSoftwareVulnerabilities tables.

May 2021

The AppFileEvents table has been deprecated. The CloudAppEvents table includes information that used to be in the AppFileEvents table, along with other activities in cloud services.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 44 times, 1 visits today)
Tagged: