SOLVED

Which schema belongs to which service?


Hello there,

So I'm pretty familiar with KQL and MDATP's default schemas found under Advanced Hunting. There are of course some more schemas/tables found under MTP compared to MDATP (https://security.microsoft.com/advanced-hunting).

Is there any general cheat-sheet on which schema originates from which service?

For example, if I wanted to hunt under the "MiscEvents" schema, what do I need to do to add it?

What I mean is, I would like to try this query:

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/hunting-for-reconnaissance-activities-...

But I can't seem to find "MiscEvents" in either Log Analytics, Defender ATP, or M365 Threat Protection.

Am I missing something? Is Azure ATP needed for the "MiscEvents" table to be populated?

Regards

Simon

2 Replies
Best Response confirmed by Simon Håkansson (Occasional Contributor)
There isn't much documentation on the tables.
Know that a lot of tables have changed.
https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-ma...

MiscEvents is now DeviceEvents, so you need to adapt that query.
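As an added illustration of adapting a legacy MiscEvents hunt (this is not the query from the linked post, nor Microsoft's code): the same LDAP search telemetry is read from DeviceEvents, with the renamed Timestamp column in place of the old EventTime. It assumes that LdapSearch rows carry SearchFilter, DistinguishedName and AttributeList as keys inside the AdditionalFields JSON, and the attribute-name watchlist and process allow-list are constructed starting points to tune per tenant.

```kql
// Adapted for the renamed table: DeviceEvents replaces MiscEvents,
// and Timestamp replaces EventTime from the same schema update.
let lookback = 7d;
// Constructed watchlist: attributes that broad directory enumeration tends
// to ask for; has_any matches them as whole, case-insensitive terms.
let watchedAttributes = dynamic([
    "adminCount",
    "servicePrincipalName",
    "trustedForDelegation",
    "primaryGroupID"
]);
// Constructed allow-list of system processes that legitimately issue
// wide LDAP searches (domain join, policy processing); tune per environment.
let expectedProcesses = dynamic(["lsass.exe", "svchost.exe"]);
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "LdapSearch"
// Assumption: the LDAP details live in AdditionalFields as a JSON string.
| extend Fields = parse_json(AdditionalFields)
| extend SearchFilter      = tostring(Fields.SearchFilter),
         DistinguishedName = tostring(Fields.DistinguishedName),
         AttributeList     = tostring(Fields.AttributeList)
| where SearchFilter has_any (watchedAttributes)
| where InitiatingProcessFileName !in~ (expectedProcesses)
// One row per account/process pair so a single enumeration burst
// surfaces as a high DistinctFilters count rather than many rows.
| summarize QueryCount      = count(),
            DistinctFilters = dcount(SearchFilter),
            SampleFilters   = make_set(SearchFilter, 20),
            FirstSeen       = min(Timestamp),
            LastSeen        = max(Timestamp)
  by DeviceName, InitiatingProcessAccountName,
     InitiatingProcessFileName, InitiatingProcessCommandLine
| order by DistinctFilters desc, QueryCount desc
```

Run it in the Advanced Hunting portal linked in the question; any other MiscEvents column the original post references must be checked against the DeviceEvents schema the same way.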

@Thijs Lecomte

Thank you, that explains why I couldn't find it anywhere (except old information).

Good link, I'll save those references for the future. :)