Understand Microsoft Defender XDR tables


The Microsoft Defender XDR Sentinel Data Connector can populate tables with raw data collected from the Microsoft Defender XDR solutions.

| Table name | Description |
| --- | --- |
| AlertEvidence | Files, IP addresses, URLs, users, or devices associated with alerts |
| CloudAppEvents | Events involving accounts and objects in Office 365 and other cloud apps and services |
| DeviceEvents | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints |
| DeviceFileEvents | File creation, modification, and other file system events |
| DeviceImageLoadEvents | DLL loading events |
| DeviceInfo | Machine information, including OS information |
| DeviceLogonEvents | Sign-ins and other authentication events on devices |
| DeviceNetworkEvents | Network connection and related events |
| DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
| DeviceProcessEvents | Process creation and related events |
| DeviceRegistryEvents | Creation and modification of registry entries |
| EmailEvents | Microsoft 365 email events, including email delivery and blocking events |
| EmailPostDeliveryEvents | Security events that occur post-delivery, after Microsoft 365 has delivered the emails to the recipient mailbox |
| EmailUrlInfo | Information about URLs on emails |
| EmailAttachmentInfo | Information about files attached to Office 365 emails |
| IdentityDirectoryEvents | Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller. |
| IdentityLogonEvents | Authentication events on Active Directory and Microsoft online services |
| IdentityQueryEvents | Queries for Active Directory objects, such as users, groups, devices, and domains |