Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

Get access

To use advanced hunting or other Microsoft 365 Defender capabilities, you need an appropriate role in Azure Active Directory. Read about required roles and permissions for advanced hunting.

Also, your access to endpoint data is determined by role-based access control (RBAC) settings in Microsoft Defender for Endpoint. Read about managing access to Microsoft 365 Defender.


The AlertInfo table in the advanced hunting schema contains information about alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
AlertId string Unique identifier for the alert
Title string Title of the alert
Category string Type of threat indicator or breach activity identified by the alert
Severity string Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert
ServiceSource string Product or service that provided the alert information
DetectionSource string Detection technology or sensor that identified the notable component or activity
AttackTechniques string MITRE ATT&CK techniques associated with the activity that triggered the alert