Jul 26 2022 08:34 AM
Is there a mapping of the Action Values (under Additional Fields) for the DeviceEvents table? I see either blank, 1, 2, or 3 but have no clue as to what that is referring to.
I can also see that within the same section, the field WasRemediated will either be True or False, where the Action values don't necessarily link to whether it is true or false for WasRemediated (Action Value = 2 and WasRemediated = False for one event, but then Action Value = 2 and WasRemediated = True for a different event).
Any insight into what these numbers are indicating would be helpful. Thanks!
Jul 27 2022 08:57 AM
Solution
Jul 28 2022 10:25 AM
May 07 2024 03:44 AM
could you please share the KQL query to fetch AV detections/Device events for the detected threats and what action has been taken by defender?
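An added example (not from this thread or from Microsoft's documentation) of an advanced-hunting KQL query that pulls antivirus detections from DeviceEvents, extracts the Action and WasRemediated values from AdditionalFields, and tabulates them. It assumes the ActionType value AntivirusDetection and the AdditionalFields keys ThreatName, Action and WasRemediated; the Action codes are reported raw because their meaning is not given on this page.

```kql
// Added example: antivirus detections from DeviceEvents with the raw
// Action code and remediation status pulled out of AdditionalFields.
// Assumptions: ActionType "AntivirusDetection" and the JSON keys
// ThreatName, Action and WasRemediated (the last two as named in the thread).
let lookback = 7d;
let Detections = DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "AntivirusDetection"
| extend Fields = parse_json(AdditionalFields)
| extend ThreatName    = tostring(Fields.ThreatName),
         ActionCode    = tostring(Fields.Action),        // blank, 1, 2 or 3 per the question
         WasRemediated = tobool(Fields.WasRemediated)
| project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA1,
          InitiatingProcessFileName, ThreatName, ActionCode, WasRemediated;
// Distribution of Action codes against remediation status, to check the
// observation above that the same code appears with both True and False.
Detections
| summarize Events  = count(),
            Devices = dcount(DeviceId),
            Threats = make_set(ThreatName, 10)
          by ActionCode, WasRemediated
| order by ActionCode asc, WasRemediated asc
```

Replace the final summarize with `Detections | order by Timestamp desc` to list the individual detections with the action taken on each.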