Aug 17 2021 10:33 AM
Hi all,
I'm probably being dense but I cannot find where these data types are being created, or any documentation on them:
I’m also trying to determine what the ActionType of AntiVirusReport is under the DeviceEvents table:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table... says to check the security.microsoft.com documentation but the AntivirusReport ActionType doesn’t appear in the documentation:
Any ideas?
Aug 18 2021 12:03 PM
@sirkillnotalot The data connectors will show what tables they populate. I would look through them to see if one of them is creating the tables.
The first one could be from the M365 Security Insights. Take a look at this blog post: https://techcommunity.microsoft.com/t5/azure-sentinel/microsoft-defender-security-insights-in-azure-...
Aug 23 2021 02:50 AM - edited Aug 23 2021 02:50 AM
Thanks Gary, that article really helped.
As for the data - yeah it's the MDE connector streaming the data but understanding the actual values is where I'm falling down. None of the documentation actually explains what this particular value actually means. I suspect that it's a detection based off of a scheduled scan but would rather not rely on my assumptions.
I've reached out to the product team to get a steer but I'm not particularly hopeful.
Aug 23 2021 03:57 AM