Skip to content

Latest commit

 

History

History
106 lines (81 loc) · 5.96 KB

advanced-hunting-schema-changes.md

File metadata and controls

106 lines (81 loc) · 5.96 KB
Raw
title description search.appverid ms.service ms.subservice f1.keywords ms.author author ms.localizationpriority manager audience ms.collection ms.custom ms.topic ms.date
Naming changes in the Microsoft Defender XDR advanced hunting schema
Track and review naming changes tables and columns in the advanced hunting schema
met150
defender-xdr
adv-hunting
NOCSH
maccruz
schmurky
medium
dansimp
ITPro
m365-security
tier3
cx-ti
cx-ah
reference
02/16/2024

Advanced hunting schema - Naming changes

[!INCLUDE Microsoft Defender XDR rebranding]

Applies to:

  • Microsoft Defender XDR

[!INCLUDE Prerelease information]

The advanced hunting schema is updated regularly to add new tables and columns. In some cases, existing columns names are renamed or replaced to improve the user experience. Refer to this article to review naming changes that could impact your queries.

Naming changes are automatically applied to queries that are saved in Microsoft Defender XDR, including queries used by custom detection rules. You don't need to update these queries manually. However, you will need to update the following queries:

  • Queries that are run using the API
  • Queries that are saved elsewhere outside Microsoft Defender XDR

December 2020

Table name Original column name New column name Reason for change
EmailEvents FinalEmailAction EmailAction Customer feedback
EmailEvents FinalEmailActionPolicy EmailActionPolicy Customer feedback
EmailEvents FinalEmailActionPolicyGuid EmailActionPolicyGuid Customer feedback

January 2021

Column name Original value name New value name Reason for change
DetectionSource Defender for Cloud Apps Microsoft Defender for Cloud Apps Rebranding
DetectionSource WindowsDefenderAtp EDR Rebranding
DetectionSource WindowsDefenderAv Antivirus Rebranding
DetectionSource WindowsDefenderSmartScreen SmartScreen Rebranding
DetectionSource CustomerTI Custom TI Rebranding
DetectionSource OfficeATP Microsoft Defender for Office 365 Rebranding
DetectionSource MTP Microsoft Defender XDR Rebranding
DetectionSource AzureATP Microsoft Defender for Identity Rebranding
DetectionSource CustomDetection Custom detection Rebranding
DetectionSource AutomatedInvestigation Automated investigation Rebranding
DetectionSource ThreatExperts Microsoft Threat Experts Rebranding
DetectionSource 3rd party TI 3rd Party sensors Rebranding
ServiceSource Microsoft Defender ATP Microsoft Defender for Endpoint Rebranding
ServiceSource Microsoft Threat Protection Microsoft Defender XDR Rebranding
ServiceSource Office 365 ATP Microsoft Defender for Office 365 Rebranding
ServiceSource Azure ATP Microsoft Defender for Identity Rebranding

DetectionSource is available in the AlertInfo table. ServiceSource is available in the AlertEvidence and AlertInfo tables.

February 2021

  1. In the EmailAttachmentInfo and EmailEvents tables, the MalwareFilterVerdictand PhishFilterVerdict columns have been replaced by the ThreatTypes column. The MalwareDetectionMethod and PhishDetectionMethod columns were also replaced by the DetectionMethods column. This streamlining allows us to provide more information under the new columns. The mapping is provided below.

    Table name Original column name New column name Reason for change
    EmailAttachmentInfo MalwareDetectionMethod
    PhishDetectionMethod    		 DetectionMethods Include more detection methods
    EmailAttachmentInfo MalwareFilterVerdict
    PhishFilterVerdict    		 ThreatTypes Include more threat types
    EmailEvents MalwareDetectionMethod
    PhishDetectionMethod    		 DetectionMethods Include more detection methods
    EmailEvents MalwareFilterVerdict
    PhishFilterVerdict    		 ThreatTypes Include more threat types

  2. In the EmailAttachmentInfo and EmailEvents tables, the ThreatNames column was added to give more information about the email threat. This column contains values like Spam or Phish.

  3. In the DeviceInfo table, the DeviceObjectId column was replaced by the AadDeviceId column based on customer feedback.

  4. In the DeviceEvents table, several ActionType names were modified to better reflect the description of the action. Details of the changes can be found below.

    Table name Original ActionType name New ActionType name Reason for change
    DeviceEvents UsbDriveMount UsbDriveMounted Customer feedback
    DeviceEvents UsbDriveUnmount UsbDriveUnmounted Customer feedback
    DeviceEvents WriteProcessMemoryApiCall WriteToLsassProcessMemory Customer feedback

March 2021

The DeviceTvmSoftwareInventoryVulnerabilities table has been deprecated. Replacing it are the DeviceTvmSoftwareInventory and DeviceTvmSoftwareVulnerabilities tables.

May 2021

The AppFileEvents table has been deprecated. The CloudAppEvents table includes information that used to be in the AppFileEvents table, along with other activities in cloud services.

Related topics