DataSources and missing docs?


Hi all,


I'm probably being dense but I cannot find where these data types are being created, or any documentation on them:

sirkillnotalot_0-1629221415207.png

I’m also trying to determine what the ActionType of AntiVirusReport is under the DeviceEvents table:


sirkillnotalot_1-1629221501728.png

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table... says to check the security.microsoft.com documentation, but the AntivirusReport actiontype doesn’t appear in the documentation:

sirkillnotalot_2-1629221591039.png

Any ideas?


@sirkillnotalot The data connectors will show what tables they populate.  I would look through them to see if one of them is creating the tables.


The first one could be from the M365 Security Insights.  Take a look at this blog post: https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-defender-security-insights-in-azure-...

Thanks Gary, that article really helped.

As for the data - yeah it's the MDE connector streaming the data but understanding the actual values is where I'm falling down. None of the documentation actually explains what this particular value actually means. I suspect that it's a detection based off of a scheduled scan but would rather not rely on my assumptions.

I've reached out to the product team to get a steer but am not particularly hopeful.

Have you looked at the tables in Defender? Maybe it has better documentation. Or try posting something similar to this post in the Defender group. Someone there may be able to provide better information.
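When the documentation does not say what an ActionType means, the data itself is the next best source. The two KQL queries below are an added example, not code from anyone in this thread: the first counts every ActionType the MDE connector is writing into DeviceEvents so the unfamiliar values stand out, and the second lists which keys appear inside AdditionalFields for AntivirusReport events, which is usually enough to tell a scheduled-scan summary from a real-time detection. The column names (Timestamp, DeviceName, ActionType, AdditionalFields) are the documented DeviceEvents schema; the 7-day window and the 20-row sample are arbitrary choices, and any key names you see in the output are whatever your tenant actually emits, not values asserted here.

```kql
// Query 1: inventory the ActionType values in DeviceEvents for the last 7 days.
// Run this on its own in the Log Analytics / Advanced Hunting editor.
DeviceEvents
| where Timestamp > ago(7d)
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Devices   = dcount(DeviceName)
    by ActionType
| order by Events desc

// Query 2: for AntivirusReport only, find out which keys the AdditionalFields
// JSON payload carries and how often each one appears. The key names are
// discovered from the data, not assumed; compare them against the documented
// Defender AV event fields to work out what the report represents.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusReport"
| extend Fields = parse_json(AdditionalFields)
| extend Keys = bag_keys(Fields)
| mv-expand Keys to typeof(string)
| summarize Occurrences = count(), Devices = dcount(DeviceName) by Keys
| order by Occurrences desc

// Query 3: once the keys are known, pull a small sample of whole records so the
// values can be read alongside the device and time they came from.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusReport"
| project Timestamp, DeviceName, ActionType, AdditionalFields
| take 20
```

Each query is meant to be run separately (the editor runs the query under the cursor). If query 1 shows AntivirusReport arriving in regular bursts across many devices at the same time of day, that pattern supports the scheduled-scan reading; if query 2 shows keys that look like threat or remediation details, treat it as a detection record until the product team confirms otherwise.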