The DeviceAlertEvents table in the advanced hunting schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see the advanced hunting schema reference.
| Column name | Data type | Description |
|---|---|---|
| AlertId | string | Unique identifier for the alert |
| Timestamp | datetime | Date and time when the event was recorded |
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| Title | string | Title of the alert |
| FileName | string | Name of the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | string | IP address that was being connected to |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used with the DeviceName and Timestamp columns |
| Table | string | Table that contains the details of the event |
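The following advanced hunting query is an added example, not part of the original reference, showing how the columns above combine for alert triage. It assumes the Severity values are the literal strings named in the table (matched case-insensitively) and that several rows can share one AlertId, one per related event, so rows are first made distinct on ReportId together with DeviceName and Timestamp, as the ReportId description requires, before being rolled up per alert.

```kusto
// Added example (not Microsoft's own sample): high-severity alerts from the last
// 7 days, one row per AlertId, with the file, network and ATT&CK context needed
// for triage. Assumption: Severity is stored as the literal word "high".
DeviceAlertEvents
| where Timestamp > ago(7d)
| where Severity =~ "high"
// ReportId alone is a repeating counter; it identifies a unique event only
// together with DeviceName and Timestamp, so deduplicate on that combination.
| distinct AlertId, Timestamp, DeviceId, DeviceName, Severity, Category, Title,
           FileName, SHA1, RemoteUrl, RemoteIP, AttackTechniques, ReportId, Table
// Roll the related events up into a single row per alert.
| summarize FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Devices     = dcount(DeviceId),
            DeviceNames = make_set(DeviceName, 10),
            Files       = make_set(FileName, 10),
            Hashes      = make_set(SHA1, 10),
            RemoteHosts = make_set(coalesce(RemoteUrl, RemoteIP), 10),
            Techniques  = make_set(AttackTechniques, 10),
            SourceTables = make_set(Table, 10),
            Events      = count()
  by AlertId, Title, Category, Severity
// Alerts spanning several devices are the most likely to indicate lateral movement.
| order by Devices desc, LastSeen desc
```

Dropping the Severity filter and adding `| summarize count() by Severity, Category` at the end turns the same query into a quick coverage overview of which alert categories fire most often in the tenant.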
Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team