Forum Discussion

0fflinedocs
Brass Contributor
Aug 06, 2020

Which schema belongs to which service?

Hello there,

So I'm pretty familiar with KQL and MDATP's default schemas found under Advanced Hunting. There are of course some more schemas/tables found under MTP compared to MDATP (https://security.microsoft.com/advanced-hunting).

Is there any general cheat-sheet on which schema originates from which service?

For example, if I wanted to hunt under the "MiscEvents" schema, what would I need to do to add it?

What I mean is, I would like to try this query:

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726

But I can't seem to find "MiscEvents" in either Log Analytics, Defender ATP or M365 Threat Protection.

Am I missing something? Is Azure ATP needed for the "MiscEvents" table to be populated?

Regards

Simon
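As an added example, not part of the original post or of the linked article: the table that the older MDATP schema called "MiscEvents" is exposed as "DeviceEvents" in the current Advanced Hunting schema, so a query written against MiscEvents will not find its table under that name. Before porting the linked LDAP hunting query, it helps to confirm that the table is actually being populated in your tenant and which action types it carries. The query below does that; the 7-day window is an arbitrary choice, and the comments note where the action type and field names for LDAP searches are assumed rather than taken from the post.

```kql
// Added example (not from the original post). "MiscEvents" was renamed to
// "DeviceEvents" in the Advanced Hunting schema; run this in the
// security.microsoft.com Advanced Hunting page to confirm the table has data
// and to see which ActionType values are present for your devices.
DeviceEvents
| where Timestamp > ago(7d)            // arbitrary look-back window
| summarize Count = count(), LastSeen = max(Timestamp) by ActionType
| order by Count desc
// If an LDAP-related ActionType (assumed here to be "LdapSearch", as used
// by the older MiscEvents-based query) shows up in the list above, the
// search filter is carried inside the AdditionalFields JSON column and can
// be pulled out with parse_json, e.g.:
//   DeviceEvents
//   | where ActionType == "LdapSearch"
//   | extend SearchFilter = tostring(parse_json(AdditionalFields).SearchFilter)
//   | project Timestamp, DeviceName, InitiatingProcessFileName, SearchFilter
// The exact property name under AdditionalFields is an assumption; check it
// against the raw AdditionalFields value in the results before relying on it.
```

If DeviceEvents returns no rows at all, the issue is onboarding (no devices reporting to the Defender for Endpoint sensor) rather than a missing table; the table itself is part of the Defender for Endpoint schema and does not depend on Azure ATP.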
