Understand Microsoft Defender XDR tables

3 minutes

The Microsoft Defender XDR Sentinel Data Connector can populate tables with raw data collected from the Microsoft Defender XDR solutions.

Table name	Description
AlertEvidence	Files, IP addresses, URLs, users, or devices associated with alerts
CloudAppEvents	Events involving accounts and objects in Office 365 and other cloud apps and services
DeviceEvents	Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
DeviceFileCertificateInfo	Certificate information of signed files obtained from certificate verification events on endpoints
DeviceFileEvents	File creation, modification, and other file system events
DeviceImageLoadEvents	DLL loading events
DeviceInfo	Machine information, including OS information
DeviceLogonEvents	Sign-ins and other authentication events on devices
DeviceNetworkEvents	Network connection and related events
DeviceNetworkInfo	Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents	Process creation and related events
DeviceRegistryEvents	Creation and modification of registry entries
EmailEvents	Microsoft 365 email events, including email delivery and blocking events
EmailPostDeliveryEvents	Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox
EmailUrlInfo	Information about URLs on emails
EmailAttachmentInfo	Information about files attached to Office 365 emails
IdentityDirectoryEvents	Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
IdentityLogonEvents	Authentication events on Active Directory and Microsoft online services
IdentityQueryEvents	Queries for Active Directory objects, such as users, groups, devices, and domains