SOLVED

Which schema belong to which service?


Hello there,

So I'm pretty familiar with KQL and MDATP's default schemas found under Advanced Hunting. There are of course some more schemas/tables found under MTP compared to MDATP (https://security.microsoft.com/advanced-hunting).

Is there any general cheat-sheet on which schema originates from which service?

For example if I would hunt under the "MiscEvents" schema, what do I need to do to add it?

What I mean is, I would like to try this query:

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/hunting-for-reconnaissance-activities-...

But I can't seem to find "MiscEvents" in either Log Analytics, Defender ATP or M365 Threat Protection.

Am I missing something? Is Azure ATP needed for the "MiscEvents" table to be populated?

Regards

Simon

2 Replies
best response confirmed by Simon Håkansson (Brass Contributor)
Solution
There isn't much documentation on the tables.
Know that a lot of tables have changed.
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-ma...

MiscEvents is now DeviceEvents, so you need to adapt that query.
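The rename above is the kind of thing that silently breaks a library of saved hunting queries, so it is worth having a small script that flags and rewrites legacy names before you paste an old query into the portal. The following Python helper is an added example, not code from the thread or from Microsoft: it carries the MiscEvents to DeviceEvents rename from this answer plus the other table and column renames from the same public schema change (assumed here to be correct but not exhaustive), and runs it over a constructed legacy query.

```python
import re

# Legacy MDATP Advanced Hunting table names and their current Device* tables.
# MiscEvents -> DeviceEvents is the rename from this thread; the other pairs are
# from the same public schema rename (assumption: this list is not exhaustive).
LEGACY_TABLE_MAP = {
    "MiscEvents": "DeviceEvents",
    "MachineInfo": "DeviceInfo",
    "MachineNetworkInfo": "DeviceNetworkInfo",
    "ProcessCreationEvents": "DeviceProcessEvents",
    "NetworkCommunicationEvents": "DeviceNetworkEvents",
    "FileCreationEvents": "DeviceFileEvents",
    "RegistryEvents": "DeviceRegistryEvents",
    "LogonEvents": "DeviceLogonEvents",
    "ImageLoadEvents": "DeviceImageLoadEvents",
}

# Column renames that shipped with the table rename (assumption: partial list).
LEGACY_COLUMN_MAP = {
    "EventTime": "Timestamp",
    "MachineId": "DeviceId",
    "ComputerName": "DeviceName",
}

RENAMES = {**LEGACY_TABLE_MAP, **LEGACY_COLUMN_MAP}


def legacy_names_in(query):
    """Return, sorted, the legacy table/column names a KQL query still references.

    Word boundaries keep MachineInfo from matching inside MachineNetworkInfo."""
    return sorted(name for name in RENAMES
                  if re.search(rf"\b{re.escape(name)}\b", query))


def migrate_query(query):
    """Rewrite legacy names in a KQL query.

    Returns (rewritten_query, [(old, new, occurrences), ...]) so the caller can
    review exactly what changed before trusting the migrated query."""
    changes = []
    for old, new in RENAMES.items():
        query, count = re.subn(rf"\b{re.escape(old)}\b", new, query)
        if count:
            changes.append((old, new, count))
    return query, changes


# Constructed legacy query in the pre-rename schema (not the linked blog's query).
LEGACY_QUERY = """MiscEvents
| where EventTime > ago(7d)
| project EventTime, ComputerName, MachineId, ActionType, AdditionalFields
| take 100"""


if __name__ == "__main__":
    print("Legacy names found:", legacy_names_in(LEGACY_QUERY))
    migrated, changes = migrate_query(LEGACY_QUERY)
    for old, new, count in changes:
        print(f"  {old} -> {new} ({count} occurrence(s))")
    print(migrated)
```

The rewrite is purely lexical, so a query that uses one of these words as a string literal or an alias would also be touched; the returned change list exists so you can eyeball the diff rather than run the result blind.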

@Thijs Lecomte 

Thank you, that explains why I couldn't find it anywhere (except old information).

Good link, I'll save those references for the future. :)
