SOLVED

MDE Action Value Mapping in M365 Defender


Is there a mapping of the Action Values (under Additional Fields) for the DeviceEvents table? I see either blank, 1, 2, or 3 but have no clue as to what that is referring to.


I can also see that within the same section, the field WasRemediated will either be True or False, where the Action values don't necessarily link to whether it is true or false for WasRemediated (Action Value = 2 and WasRemediated = False for one event, but then Action Value = 2 and WasRemediated = True for a different event).


Any insight into what these numbers are indicating would be helpful. Thanks!

4 Replies
best response confirmed by SH30 (Copper Contributor)
Solution
I searched around and I don't see much in the way of documentation on this field. It should map to the antimalware action enumeration which we have documented for the Defender CSP here: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-threatse... .
Thanks Michael, appreciate the info, this will help with better understanding the mapping. Assuming there isn't another direct doc for this, will mark this one. Thanks!
I agree with you

@SH30 

Could you please share the KQL query to fetch AV detections/device events for the detected threats and what action has been taken by Defender?
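The advanced hunting query below is an added example written for this thread; it is not from any participant here and not from Microsoft documentation. It lists antivirus detections from DeviceEvents, pulls the Action and WasRemediated values out of the AdditionalFields JSON, and labels Action with the Defender CSP threat-action enumeration that the accepted answer points to (1 Clean, 2 Quarantine, 3 Remove, 6 Allow, 8 User defined, 10 Block). That mapping is the answer's inference, not a documented property of DeviceEvents, so treat the ActionName column as a working hypothesis to confirm against the Action center for a few known events. Only the Action and WasRemediated keys are named on this page; the ThreatName key is an assumption and may differ in your tenant.

```kql
// Added example for this thread. Assumes the "Action" value inside
// AdditionalFields follows the Defender CSP threat-action enumeration;
// the "ThreatName" key is assumed and should be checked in your tenant.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| extend Fields = parse_json(AdditionalFields)
| extend ActionValue   = toint(Fields.Action),          // blank, 1, 2, 3, ...
         WasRemediated = tobool(Fields.WasRemediated),
         ThreatName    = tostring(Fields.ThreatName)    // key name assumed
| extend ActionName = case(
         isnull(ActionValue), "Unknown (blank)",
         ActionValue == 1,  "Clean",
         ActionValue == 2,  "Quarantine",
         ActionValue == 3,  "Remove",
         ActionValue == 6,  "Allow",
         ActionValue == 8,  "User defined",
         ActionValue == 10, "Block",
         strcat("Unmapped (", tostring(ActionValue), ")"))
| project Timestamp, DeviceName, ThreatName, FileName, FolderPath, SHA1,
          ActionValue, ActionName, WasRemediated, InitiatingProcessFileName
| order by Timestamp desc
```

To see the pattern the original poster noticed (the same Action value with WasRemediated both true and false), replace the final project and order lines with `| summarize Detections = count(), Remediated = countif(WasRemediated) by ActionName`; a Quarantine row whose Remediated count is lower than its Detections count is the set of events worth pulling up individually, since the page does not say why the two fields disagree.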

