Aug 06 2020 06:54 AM
Hello there,
So I'm pretty familiar with KQL and MDATP's default schemas found under Advanced Hunting. There are of course some more schemas/tables found under MTP compared to MDATP (https://security.microsoft.com/advanced-hunting).
Is there any general cheat-sheet on which schema originates from which service?
For example if I would hunt under the "MiscEvents" schema, what do I need to do to add it?
What I mean is, I would like to try this query:
But I can't seem to find "MiscEvents" in either Log Analytics, Defender ATP or M365 Threat Protection.
Am I missing something? Is Azure ATP needed for the "MiscEvents" table to be populated?
Regards
Simon
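As an added example that is not part of this thread, the following KQL shows the same kind of hunt run against the current Advanced Hunting schema. It assumes the reader's portal exposes the `DeviceEvents` table (the name Microsoft gave the table formerly called `MiscEvents` when the schema was renamed to the `Device*` family; that rename is outside the thread and stated here from general knowledge, not from the post), and it uses the `ActionType`, `DeviceName` and `Timestamp` columns of that table:

```kql
// Added example: summarise the distinct event types in DeviceEvents
// (the table that replaced the older MiscEvents name) over the last 7 days.
// A quick way to confirm the table is populated and see which
// ActionType values your tenant actually produces.
DeviceEvents
| where Timestamp > ago(7d)
| summarize Events = count(),
            Devices = dcount(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
        by ActionType
| order by Events desc
```

If the query errors with an unknown-table message, the table name is the thing to check first: the older `MiscEvents`, `MachineInfo` and similar names from pre-rename documentation will not resolve in a portal that only exposes the `Device*` tables.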
Aug 06 2020 07:14 AM
Solution
Aug 06 2020 07:16 AM
Thank you, that explains why I couldn't find it anywhere (except old information).
Good link, I'll save those references for the future. :)