MDE Action Value Mapping in M365 Defender

Is there a mapping of the Action Values (under Additional Fields) for the DeviceEvents table? I see either blank, 1, 2, or 3 but have no clue as to what that is referring to. I can also see that ...

investigation

microsoft defender for endpoint

threat hunting

MichaelJMelone
Jul 27, 2022
I searched around and I don't see much in the way of documentation on this field. It should map to the antimalware action enumeration which we have documented for the Defender CSP here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-threatseveritydefaultaction .

MichaelJMelone

Microsoft

Jul 27, 2022

I searched around and I don't see much in the way of documentation on this field. It should map to the antimalware action enumeration which we have documented for the Defender CSP here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-threatseveritydefaultaction .

pho30

Copper Contributor

Jul 28, 2022

Thanks Michael, appreciate the info, this will help with better understanding the mapping. Assuming there isn't another direct doc for this, will mark this one. Thanks!

Forum Discussion

MDE Action Value Mapping in M365 Defender

Resources