MDE Action Value Mapping in M365 Defender


Is there a mapping of the Action Values (under Additional Fields) for the DeviceEvents table? I see either blank, 1, 2, or 3 but have no clue as to what that is referring to.


I can also see that within the same section, the field WasRemediated will either be True or False, where the Action values don't necessarily link to whether it is true or false for WasRemediated (Action Value = 2 and WasRemediated = False for one event, but then Action Value = 2 and WasRemediated = True for a different event).


Any insight into what these numbers are indicating would be helpful. Thanks!

3 Replies
best response confirmed by SH30 (Contributor)
I searched around and I don't see much in the way of documentation on this field. It should map to the antimalware action enumeration which we have documented for the Defender CSP here: .
Thanks Michael, appreciate the info, this will help with better understanding the mapping. Assuming there isn't another direct doc for this, will mark this one. Thanks!
I agree with you