Forum Discussion
pho30
Jul 26, 2022, Copper Contributor
MDE Action Value Mapping in M365 Defender
Is there a mapping of the Action Values (under Additional Fields) for the DeviceEvents table? I see either blank, 1, 2, or 3 but have no clue as to what that is referring to. I can also see that ...
- Jul 27, 2022: I searched around and I don't see much in the way of documentation on this field. It should map to the antimalware action enumeration which we have documented for the Defender CSP here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-threatseveritydefaultaction
Rajeshthappeta
May 07, 2024, Copper Contributor
Could you please share the KQL query to fetch AV detections/Device events for the detected threats and what action has been taken by Defender?
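One way to write such a query, as an added example that is not part of the original thread. It assumes the `Action` key inside `AdditionalFields` follows the Defender CSP `ThreatSeverityDefaultAction` enumeration, as the reply above suggests, and that antivirus detections carry `ActionType == "AntivirusDetection"` with a `ThreatName` key; the sample rows are constructed.

```kql
// Constructed sample rows so the query can be tried without tenant data.
// In advanced hunting, replace SampleEvents with:
//   DeviceEvents | where Timestamp > ago(7d)
let SampleEvents = datatable(Timestamp:datetime, DeviceName:string, ActionType:string,
                             FileName:string, FolderPath:string, AdditionalFields:string)
[
    datetime(2024-05-01 10:00:00), "host-a", "AntivirusDetection", "sample1.com", "C:\\Temp",
        '{"ThreatName":"Constructed:Threat/One","Action":2}',
    datetime(2024-05-01 10:05:00), "host-b", "AntivirusDetection", "sample2.exe", "C:\\Users\\Public",
        '{"ThreatName":"Constructed:Threat/Two","Action":3}',
    datetime(2024-05-01 10:10:00), "host-c", "AntivirusDetection", "sample3.dll", "C:\\Temp",
        '{"ThreatName":"Constructed:Threat/Three"}',
    datetime(2024-05-01 10:15:00), "host-d", "AntivirusDetection", "sample4.ps1", "C:\\Temp",
        '{"ThreatName":"Constructed:Threat/Four","Action":7}'
];
// Assumed mapping: Defender CSP ThreatSeverityDefaultAction values.
let ActionMap = dynamic({"1":"Clean", "2":"Quarantine", "3":"Remove",
                         "6":"Allow", "8":"User defined", "10":"Block"});
SampleEvents
| where ActionType == "AntivirusDetection"
| extend Fields = parse_json(AdditionalFields)
| extend ThreatName = tostring(Fields.ThreatName),
         ActionCode = tostring(Fields.Action)        // "" when the key is absent
| extend MappedName = tostring(ActionMap[ActionCode])
| extend ActionTaken = case(
    isempty(ActionCode),    "(blank)",               // field not populated
    isnotempty(MappedName), MappedName,
    strcat("Unmapped (", ActionCode, ")"))           // value outside the assumed enumeration
| project Timestamp, DeviceName, ThreatName, ActionCode, ActionTaken, FileName, FolderPath
| order by Timestamp desc
```

Rows that come back as `(blank)` or `Unmapped (...)` are the ones to check against the raw `AdditionalFields` value, since the thread notes the field is not well documented.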