pho30 (Copper Contributor), Jul 26, 2022
MDE Action Value Mapping in M365 Defender
Is there a mapping of the Action Values (under Additional Fields) for the DeviceEvents table? I see either blank, 1, 2, or 3 but have no clue as to what that is referring to.
I can also see that within the same section, the field WasRemediated will either be True or False, where the Action values don't necessarily link to whether it is true or false for WasRemediated (Action Value = 2 and WasRemediated = False for one event, but then Action Value = 2 and WasRemediated = True for a different event).
Any insight into what these numbers are indicating would be helpful. Thanks!
- MichaelJMelone (Microsoft): I searched around and I don't see much in the way of documentation on this field. It should map to the antimalware action enumeration which we have documented for the Defender CSP here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-threatseveritydefaultaction .
- pho30 (Copper Contributor): Thanks Michael, appreciate the info, this will help with better understanding the mapping. Assuming there isn't another direct doc for this, will mark this one. Thanks!
- Clementdave (Copper Contributor): I agree with you.
- Rajeshthappeta (Copper Contributor): Could you please share the KQL query to fetch AV detections/Device events for the detected threats and what action has been taken by Defender?
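An added example, not posted by anyone in this thread and not Microsoft's own query: an Advanced Hunting KQL query that does what Rajeshthappeta asks for and decodes the numeric Action value the way MichaelJMelone's reply suggests. It assumes that the Action value in AdditionalFields follows the Defender CSP ThreatSeverityDefaultAction enumeration (1 Clean, 2 Quarantine, 3 Remove, 6 Allow, 8 User defined, 10 Block); the thread itself only says it "should" map there. It also assumes the AdditionalFields JSON carries a ThreatName key alongside the Action and WasRemediated keys mentioned in the question.

```kusto
// Added example (not from the thread). Lists Defender AV detections from
// DeviceEvents and turns the numeric "Action" in AdditionalFields into a name.
//
// ASSUMPTION: the Action values use the Defender CSP ThreatSeverityDefaultAction
// enumeration linked in Michael's reply. Blank or unexpected values are kept
// and labelled rather than dropped, because the original post reports blanks.
let ActionNames = datatable(ActionValue:int, ActionName:string) [
    1,  "Clean",
    2,  "Quarantine",
    3,  "Remove",
    6,  "Allow",
    8,  "User defined",
    10, "Block"
];
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| extend Fields = parse_json(AdditionalFields)
| extend ActionValue   = toint(Fields.Action),          // blank -> null
         WasRemediated = tobool(Fields.WasRemediated),
         ThreatName    = tostring(Fields.ThreatName)    // ASSUMED key name
| lookup kind=leftouter ActionNames on ActionValue      // keeps rows with no match
| extend ActionName = case(
      isnotempty(ActionName), ActionName,
      isnull(ActionValue),    "Blank (no Action value)",
      strcat("Unknown (", tostring(ActionValue), ")"))
| project Timestamp, DeviceName, ThreatName, FileName, FolderPath, SHA1,
          ActionValue, ActionName, WasRemediated, InitiatingProcessFileName
| order by Timestamp desc
```

To check pho30's observation that the same Action value shows up with both WasRemediated = True and False, replace the last two lines with `| summarize Detections = count() by ActionName, WasRemediated`; the cross-tab makes it obvious that Action records the configured or attempted response while WasRemediated records whether the remediation actually succeeded, so the two are not expected to agree one-to-one.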