Below is a breakdown of severity levels:
- Low: The threat has the potential to affect resources or data, but it is unlikely to have a significant impact.
- Moderate: The threat could have a significant impact.
- High: The threat is likely to have a significant impact.
- Severe: The threat is expected to have a severe impact.
- For more information regarding severity, please refer to: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide#severity
The Action field you're seeing corresponds to the action taken by Microsoft Defender for Endpoint in response to the threat. Here's what the numbers mean:
- 0: No action was taken
- 1: Quarantine
- 2: Remove
Finally, joining the two tables below should provide both severity and Action:
DeviceEvents - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceevents-table?view=o365-worldwide