Forum Discussion
Which schema belongs to which service?
Hello there,
So I'm pretty familiar with KQL and MDATP's default schemas found under Advanced Hunting. There are of course some more schemas/tables found under MTP compared to MDATP (https://security.microsoft.com/advanced-hunting).
Is there any general cheat-sheet on which schema originates from which service?
For example if I would hunt under the "MiscEvents" schema, what do I need to do to add it?
What I mean is, I would like to try this query:
But I can't seem to find "MiscEvents" in either Log Analytics, Defender ATP or M365 Threat Protection.
Am I missing something? Is Azure ATP needed for the "MiscEvents" table to be populated?
Regards
Simon
- Thijs Lecomte (Bronze Contributor):
There isn't much documentation on the tables.
Know that a lot of tables have changed.
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152
MiscEvents is now DeviceEvents, so you need to adapt that query.
- 0fflinedocs (Brass Contributor):
Thank you, that explains why I couldn't find it anywhere (except old information).
Good link, I'll save those references for the future. 🙂
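The rename Thijs Lecomte points to, shown as an added KQL example (not a query from this thread): the legacy MiscEvents reference is replaced with DeviceEvents, and the summary confirms whether the table is actually populated in the tenant and which ActionType values it carries. The column renames shown alongside the table rename (EventTime to Timestamp, MachineId to DeviceId, ComputerName to DeviceName) are assumptions not stated in the thread, so verify them against your tenant's schema.

```kql
// Added example: adapt a legacy MiscEvents query to the renamed DeviceEvents table
// and check that the table is populated before hunting in it.
//
// Old form (no longer resolves in MDATP / M365 Threat Protection):
//   MiscEvents
//   | where EventTime > ago(7d)
//   | project EventTime, MachineId, ComputerName, ActionType
//
// New form: the same events live in DeviceEvents. The column renames assumed here
// (EventTime -> Timestamp, MachineId -> DeviceId, ComputerName -> DeviceName)
// are not stated in the thread; confirm them with `DeviceEvents | getschema`.
DeviceEvents
| where Timestamp > ago(7d)
// One row per event type with volume and recency. If this returns no rows at all,
// the table is not being populated for this tenant, which is the symptom the
// original poster saw with the old MiscEvents name.
| summarize EventCount = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp) by ActionType
| order by EventCount desc
```

An empty result means DeviceEvents is not receiving data, whereas a "table not found" error means the query is still using a retired table name.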