The DeviceAlertEvents table in the advanced hunting schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see the advanced hunting schema reference. Columns (column name, data type, description): AlertId, string, unique identifier for the alert; Timestamp […]
Understand the advanced hunting schema in Microsoft Defender for Endpoint
Important Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The advanced hunting schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that […]
Proactively hunt for threats with advanced hunting (Microsoft)
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. Watch this video for a quick overview of advanced […]
Device health and compliance report in Microsoft Defender for Endpoint
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial. The device status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 (and Windows 11) versions. The dashboard is structured into two sections: […]
Threat protection report in Microsoft Defender for Endpoint
The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time. The dashboard is structured into two sections: section 1, Alert trends; section 2, Alert summary. Alert trends: by default, the alert […]
Create custom reports using Power BI (Microsoft)
Note: If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers. Tip: For better performance, you can use a server closer to your geographic location: api-us.securitycenter.microsoft.com, api-eu.securitycenter.microsoft.com, api-uk.securitycenter.microsoft.com. In this section you will learn how to create a Power BI report on top of the Defender for Endpoint APIs. […]
Use sensitivity labels to prioritize incident response (Microsoft)
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it’s important to have the ability to prioritize investigations where sensitive files may be in jeopardy so that corporate data and information are protected. Defender for Endpoint helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. […]
Live response command examples (Microsoft)
Learn about common commands used in live response and see examples of how they’re typically used. Depending on the role you have, you can run basic or advanced live response commands. For more information on basic and advanced commands, see Investigate entities on devices using live response. analyze: # Analyze the file malware.txt / analyze file […]
Investigate entities on devices using live response (Microsoft)
Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. Live response is designed to enhance investigations by enabling your […]
Visit the Action center to see remediation actions (Microsoft)
(NEW!) A unified Action center. We are pleased to announce a new, unified Action center (https://security.microsoft.com/action-center)! The following table compares the new, unified Action center to the previous Action center. Columns: The new, unified Action center; The previous Action center. Lists pending and completed actions for devices and email in one […]