Schema Tables

Question 1

AADSignInEventsBeta / EntraidSignInEvents

Answer 1

Microsoft Entra interactive and non-interactive sign-ins

Question 2

AADSpnSignInEventsBeta / EntraidSpnSignInEvents

Answer 2

Microsoft Entra service principal and managed identity sign-ins

Question 3

differences between EntraidSignInEvents and EntraidSpnSignInEvents

Answer 3

EntraIdSignInEvents-
Monitoring and troubleshooting user authentication, including MFA, device info, and conditional access policies.

EntraIdSpnSignInEvents-
Monitoring and troubleshooting application authentication, service-to-service communication, and non-interactive processes.

Question 4

AlertEvidence

Answer 4

Files, IP addresses, URLs, users, or devices associated with alerts

Question 5

AlertInfo

Answer 5

Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization

Question 6

AlertEvidence vs AlertInfo

Answer 6

AlertInfo to get a list of alerts and overview of alert.

AlertEvidence for more granual information on the alert.

Question 7

BehaviorEntities

Answer 7

Behavior data types in Microsoft Defender for Cloud Apps (not available for GCC)

The BehaviorEntities table in the Microsoft Defender XDR advanced hunting schema contains detailed information about the specific entities (users, devices, files, IP addresses, etc.) involved in an identified behavior.
Behaviors are an abstract data layer, sourced primarily from Microsoft Defender for Cloud Apps, that provide contextual insight into events, bridging the gap between raw event data and full-blown security alerts.

Question 8

BehaviorInfo

Answer 8

Alerts from Microsoft Defender for Cloud Apps (not available for GCC)

Question 9

CloudAppEvents

Answer 9

Events involving accounts and objects in Office 365 and other cloud apps and services

Question 10

CloudAuditEvents

Answer 10

Cloud audit events for various cloud platforms protected by the organization’s Microsoft Defender for Cloud

Question 11

CloudAppEvents vs CloudAuditEvents

Answer 11

CloudAppEvents
Events involving accounts and objects in Office 365 and other connected third-party cloud apps (like Dropbox, Box, AWS, Azure, GCP user activities).

CloudAuditEvents
Cloud audit events for various cloud platforms, with a strong focus on infrastructure and resource management operations (e.g., Azure Resource Manager operations, Kubernetes API calls).

Use the CloudAppEvents table to hunt for activities related to what users are doing within specific cloud applications (e.g., “Who downloaded this file from SharePoint?”).
Use the CloudAuditEvents table to hunt for activities related to how your cloud infrastructure is being managed or accessed (e.g., “Was a suspicious operation performed on an Azure resource group?” or “Were any unusual Kubernetes API calls made?”).

Question 12

CloudProcessEvents

Answer 12

Cloud process events for various cloud platforms protected by the organization’s Microsoft Defender for Containers

This table is populated by data collected through Microsoft Defender for Cloud and provides crucial visibility into the runtime environment of services like Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google Kubernetes Engine (GKE).

Question 13

CloudStorageAggregatedEvents

Answer 13

Cloud storage activity and related events

Question 14

DataSecurityBehaviors

Answer 14

Insights about potentially suspicious user behaviors that violate user-defined or default policies configured in the Microsoft Purview suite of solutions

contains insights about potentially suspicious user behaviors that violate the user-defined or default policies configured in the Microsoft Purview suite of solutions.

Insights cover a range of data security related behaviors like behaviors involving exfiltration, obfuscation, risky interactions with AI applications, and others. Insights are generated by aggregating user behaviors over a calendar day and comparing them with previous activity, peer group activity, or other activities done by the user. Insights also capture summaries of various risk pivots like sensitive data, risky destinations, and the like.

This advanced hunting table is populated by records from Microsoft Purview Insider Risk Management.

Question 15

DataSecurityEvents

Answer 15

Information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions

Each log represents a single user activity enriched with proprietary Microsoft detections (like sensitive info types) and user-defined enrichment labels like domain categories, sensitivity labels, and others.

This advanced hunting table is populated by records from Microsoft Purview Insider Risk Management.

Question 16

DataSecurityBehaviors vs DataSecurityEvents

Answer 16

DataSecurityEvents gives you the “forest” of individual data points you can filter and analyze to pinpoint exact actions.
DataSecurityBehaviors provides a summary “tree” of user activities, highlighting patterns and anomalies flagged by Microsoft Purview’s machine learning, making it easier to spot potential insider threats without processing massive amounts of raw data.

Question 17

DeviceBaselineComplianceAssessment

Answer 17

Baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices

Question 18

DeviceBaselineComplianceAssessmentKB

Answer 18

Information about various security configurations used by baseline compliance to assess devices

Question 19

DeviceBaselineComplianceProfiles

Answer 19

Baseline profiles used for monitoring device baseline compliance

Question 20

DeviceBaselineComplianceProfiles vs DeviceBaselineComplianceAssessmentKB vs DeviceBaselineComplianceAssessment

Answer 20

DeviceBaselineComplianceProfiles
to understand your organization’s specific baseline configurations.

Provides details on the customized baseline profiles that an administrator has created and defined in the organization. Information about how baselines are configured (e.g., profile name, associated OS platform, creation time, exception details).

DeviceBaselineComplianceAssessmentKB
to reference the industry-standard definitions for security settings.

Contains a knowledge base of the general security configurations and recommended values. Details on what the ideal setting should be (e.g., “Minimum password length should be 14”), independent of any specific device or custom profile.

DeviceBaselineComplianceAssessment
to view the actual compliance status of each individual device.

Contains the snapshot of the actual assessment results for each device against the defined profiles. Device-specific compliance status (Compliant, NonCompliant, etc.), the actual current value of a setting on the device, the expected value, and the specific DeviceId.

Question 21

DeviceEvents

Answer 21

Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection

Endpoint activity, covering network connections, USB events, scheduled tasks, login events, shell commands, and more.

Question 22

DeviceFileCertificateInfo

Answer 22

Certificate information of signed files obtained from certificate verification events on endpoints

Question 23

DeviceFileEvents

Answer 23

File creation, modification, and other file system events

Question 24

DeviceImageLoadEvents

Answer 24

DLL loading events

Question 25

DeviceInfo

Answer 25

Machine information, including OS information

Question 26

DeviceLogonEvents

Answer 26

Sign-ins and other authentication events on devices

Question 27

DeviceNetworkEvents

Answer 27

Network connection and related events

Question 28

DeviceNetworkInfo

Answer 28

Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains

Question 29

DeviceProcessEvents

Answer 29

Process creation and related events

Question 30

DeviceRegistryEvents

Answer 30

Creation and modification of registry entries

Question 31

DeviceTvmBrowserExtensions

Answer 31

Browser extension installations found on devices from Microsoft Defender Vulnerability Management

Question 32

DeviceTvmBrowserExtensionsKB

Answer 32

Browser extension details and permission information used in the Microsoft Defender Vulnerability Management browser extensions page

Question 33

DeviceTvmCertificateInfo

Answer 33

Certificate information for devices in the organization from Microsoft Defender Vulnerability Management

Question 34

DeviceTvmHardwareFirmware

Answer 34

Hardware and firmware information of devices as checked by Defender Vulnerability Management

Question 35

DeviceTvmInfoGathering

Answer 35

Defender Vulnerability Management assessment events including configuration and attack surface area states

Question 36

DeviceTvmInfoGatheringKB

Answer 36

Metadata for assessment events collected in the DeviceTvmInfogathering table

Question 37

DeviceTvmSecureConfigurationAssessment

Answer 37

Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices

Question 38

DeviceTvmSecureConfigurationAssessmentKB

Answer 38

Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks

Question 39

DeviceTvmSoftwareEvidenceBeta

Answer 39

Evidence info about where a specific software was detected on a device

Question 40

DeviceTvmSoftwareInventory

Answer 40

Inventory of software installed on devices, including their version information and end-of-support status

Question 41

DeviceTvmSoftwareVulnerabilities

Answer 41

Software vulnerabilities found on devices and the list of available security updates that address each vulnerability

Question 42

DeviceTvmSoftwareVulnerabilitiesKB

Answer 42

Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available

Question 43

DisruptionAndResponseEvents

Answer 43

Automatic attack disruption events in Microsoft Defender XDR

Question 44

EmailAttachmentInfo

Answer 44

Information about files attached to emails

Question 45

EmailEvents

Answer 45

Microsoft 365 email events, including email delivery and blocking events

Question 46

EmailPostDeliveryEvents

Answer 46

Security events that occur post-delivery, after Microsoft 365 delivers the emails to the recipient mailbox

Question 47

EmailUrlInfo

Answer 47

Information about URLs on emails

Question 48

EntraIdSignInEvents

Answer 48

Microsoft Entra interactive and non-interactive sign-ins

Question 49

EntraIdSpnSignInEvents

Answer 49

Microsoft Entra service principal and managed identity sign-ins

Question 50

ExposureGraphEdges

Answer 50

Microsoft Security Exposure Management exposure graph edge information provides visibility into relationships between entities and assets in the graph

Question 51

ExposureGraphNodes

Answer 51

Microsoft Security Exposure Management exposure graph node information, about organizational entities and their properties

Question 52

GraphApiAuditEvents

Answer 52

Microsoft Entra ID API requests made to Microsoft Graph API for resources in the tenant

Question 53

IdentityDirectoryEvents

Answer 53

Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.

Question 54

IdentityEvents

Answer 54

Information about identity events obtained from other cloud identity service providers

Question 55

IdentityInfo

Answer 55

Account information from various sources, including Microsoft Entra ID

Question 56

IdentityLogonEvents

Answer 56

Authentication events on Active Directory and Microsoft online services

Question 57

IdentityQueryEvents

Answer 57

Queries for Active Directory objects, such as users, groups, devices, and domains

Question 58

MessageEvents

Answer 58

Messages sent and received within your organization at the time of delivery

Question 59

MessagePostDeliveryEvents

Answer 59

Security events that occurred after the delivery of a Microsoft Teams message in your organization

Question 60

MessageUrlInfo

Answer 60

URLs sent through Microsoft Teams messages in your organization

Question 61

OAuthAppInfo

Answer 61

Microsoft 365-connected OAuth applications registered with Microsoft Entra ID and available in the Defender for Cloud Apps app governance capability

Question 62

UrlClickEvents

Answer 62

Safe Links clicks from email messages, Teams, and Office 365 apps