What is a Low, Moderate, High or Severe threat in Defender for Endpoint and how do I find them in the telemetry?

Duncan de Waal 41 Reputation points
2024-03-29T16:04:18.51+00:00

I am trying to understand what a Low, Moderate, High or Severe threat in Defender for Endpoint is,
and how do I find them in the telemetry?

I see that the Intune Endpoint Protection configuration is configured like this:
[screenshot of the Intune Endpoint Protection configuration, per-severity remediation actions]

This makes me believe that for Low severity threats MDE is actually not taking any action. I want to change that to 'Quarantine', but ideally I first find in the telemetry how many of these Low severity threats there are (before changing the setting on thousands of endpoints).

When I query the DeviceEvents table for ActionType 'AntivirusDetection' I don't actually see that severity. How can I find that?
I do see an 'Action' number that can be 0, 1 or 2 but I don't yet understand what it means.

```kusto
// Antivirus detections from the last 30 days that were not remediated,
// grouped by threat name and the numeric Action value
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType == "AntivirusDetection"
// detection details (ThreatName, Action, WasRemediated, ...) sit in the JSON AdditionalFields column
| extend ParsedFields = parse_json(AdditionalFields)
| extend Action = tostring(ParsedFields.Action)
| extend ThreatName = tostring(ParsedFields.ThreatName)
| extend WasRemediated = tostring(ParsedFields.WasRemediated)
| where WasRemediated != "true"
| summarize count() by ThreatName, Action, WasRemediated
| sort by count_    // descending by default
```

Accepted answer

Catherine Kyalo 570 Reputation points Microsoft Employee
2024-04-11T10:40:29.1666667+00:00

    Hi @Duncan de Waal

    Below is a breakdown of severity levels:

    The Action field you're seeing corresponds to the action taken by Microsoft Defender for Endpoint in response to the threat. Here's what the numbers mean:

    • 0: No action was taken
    • 1: Quarantine
    • 2: Remove

    Finally, joining the two tables below should provide both severity and Action:

    DeviceEvents - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide

    AlertInfo - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-alertinfo-table?view=o365-worldwide

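The join the accepted answer points at, written out as an added example (this is not code from the question or the answer). It takes the AntivirusDetection events from DeviceEvents, looks up any alert that references the same file hash on the same device in AlertEvidence, and pulls that alert's Severity from AlertInfo, so the result can be bucketed by severity before the Intune setting is changed. Assumptions: AlertEvidence carries DeviceId, SHA1 and AlertId for file entities, AlertInfo carries Severity ("Informational", "Low", "Medium", "High") for that AlertId, and the Action field in AdditionalFields is read as a string exactly as in the question's query.

```kusto
// Added example, not from the original post or answer.
// Assumes: AlertEvidence has DeviceId/SHA1/AlertId per file entity and
//          AlertInfo has Severity per AlertId.
let lookback = 30d;
// 1. Raw AV detections with the fields from AdditionalFields pulled out
let avDetections =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "AntivirusDetection"
    | extend ParsedFields = parse_json(AdditionalFields)
    | extend ThreatName    = tostring(ParsedFields.ThreatName),
             Action        = tostring(ParsedFields.Action),
             WasRemediated = tobool(ParsedFields.WasRemediated)
    | project DetectionTime = Timestamp, DeviceId, DeviceName, SHA1, FileName,
              ThreatName, Action, WasRemediated;
// 2. One severity per (device, file hash): the highest severity of any alert
//    whose evidence references that hash on that device
let alertSeverity =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "File" and isnotempty(SHA1)
    | project AlertId, DeviceId, SHA1
    | join kind=inner (AlertInfo | project AlertId, Severity) on AlertId
    | extend SevRank = case(Severity == "High", 3,
                            Severity == "Medium", 2,
                            Severity == "Low", 1,
                            0)   // Informational or anything unexpected
    | summarize arg_max(SevRank, Severity) by DeviceId, SHA1
    | project DeviceId, SHA1, Severity;
// 3. Left join so detections that never raised an alert are kept and labelled
avDetections
| join kind=leftouter alertSeverity on DeviceId, SHA1
| extend Severity = iff(isempty(Severity), "NoAlert", Severity)
| summarize Detections   = count(),
            Devices      = dcount(DeviceId),
            Unremediated = countif(WasRemediated == false)
    by Severity, ThreatName, Action
| sort by Severity asc, Detections desc
```

Two caveats a practitioner should keep in mind when reading the output. First, the match is on device plus SHA1, so a detection on a file that appears in an alert for a different reason on the same device will inherit that alert's severity; scope the time window or add FileName to the join key if that matters. Second, many antivirus detections never produce an alert in the portal at all, and those land in the "NoAlert" bucket rather than "Low", so this query gives a lower bound on low-severity volume. The Defender Antivirus operational event log on the endpoint (Microsoft-Windows-Windows Defender/Operational, event IDs 1116 and 1117) records the antivirus engine's own Severity Name and Action Name for every detection, which is the authoritative source if that bucket turns out to be large.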

0 additional answers
