Defender-DeviceEvents

216 ActionTypes

ActionType	Title
any	Defender event (any)
PowerShellCommand	PowerShell command executed
AmsiScriptDetected	AMSI script detected
AmsiScriptContent	AMSI script content captured
CreateRemoteThreadApiCall	CreateRemoteThread API call
ProcessInjectionDetected	Process injection detected
NamedPipeEvent	Named pipe event
UserAccountAddedToLocalGroup	User account added to local group
UserAccountRemovedFromLocalGroup	User account removed from local group
AsrAuditEvent	ASR audit event
AsrLsassCredentialTheftAudited	ASR: LSASS credential theft (audited)
AsrOfficeChildProcessAudited	ASR: Office child process (audited)
AntivirusReport	Antivirus report
ScheduledTaskCreated	Scheduled task created
ScheduledTaskDeleted	Scheduled task deleted
ScheduledTaskUpdated	Scheduled task updated
OpenProcessApiCall	Process opened (OpenProcess API call)
ProcessPrimaryTokenModified	Process primary token modified
LdapSearch	LDAP search
ClrUnbackedModuleLoaded	CLR unbacked module loaded
AsrUntrustedExecutableAudited	ASR untrusted executable (audited)
DriverLoad	Driver loaded
NtAllocateVirtualMemoryRemoteApiCall	Remote virtual memory allocation (NtAllocateVirtualMemory)
MemoryRemoteProtect	Remote virtual memory protection change
NtMapViewOfSectionRemoteApiCall	Remote section map (NtMapViewOfSection)
QueueUserApcRemoteApiCall	Remote APC queued (QueueUserApc)
SetThreadContextRemoteApiCall	Remote thread context change (SetThreadContext)
AsrAbusedSystemToolAudited	ASR copied or impersonated system tool (audited)
AsrAbusedSystemToolBlocked	ASR copied or impersonated system tool (blocked)
AsrAbusedSystemToolWarnBypassed	ASR copied or impersonated system tool (warn bypassed)
AsrAdobeReaderChildProcessAudited	ASR Adobe Reader child process (audited)
AsrAdobeReaderChildProcessBlocked	ASR Adobe Reader child process (blocked)
AsrAdobeReaderChildProcessWarnBypassed	ASR Adobe Reader child process (warn bypassed)
AsrExecutableEmailContentAudited	ASR executable from email client (audited)
AsrExecutableEmailContentBlocked	ASR executable from email client (blocked)
AsrExecutableEmailContentWarnBypassed	ASR executable from email client (warn bypassed)
AsrExecutableOfficeContentAudited	ASR Office app creating executable content (audited)
AsrExecutableOfficeContentBlocked	ASR Office app creating executable content (blocked)
AsrExecutableOfficeContentWarnBypassed	ASR Office app creating executable content (warn bypassed)
AsrLsassCredentialTheftBlocked	ASR LSASS credential theft (blocked)
AsrLsassCredentialTheftWarnBypassed	ASR LSASS credential theft (warn bypassed)
AsrObfuscatedScriptAudited	ASR obfuscated script execution (audited)
AsrObfuscatedScriptBlocked	ASR obfuscated script execution (blocked)
AsrObfuscatedScriptWarnBypassed	ASR obfuscated script execution (warn bypassed)
AsrOfficeChildProcessBlocked	ASR Office app child process (blocked)
AsrOfficeChildProcessWarnBypassed	ASR Office app child process (warn bypassed)
AsrOfficeCommAppChildProcessAudited	ASR Office communication app child process (audited)
AsrOfficeCommAppChildProcessBlocked	ASR Office communication app child process (blocked)
AsrOfficeCommAppChildProcessWarnBypassed	ASR Office communication app child process (warn bypassed)
AsrOfficeMacroWin32ApiCallsAudited	ASR Win32 API calls from Office macros (audited)
AsrOfficeMacroWin32ApiCallsBlocked	ASR Win32 API calls from Office macros (blocked)
AsrOfficeMacroWin32ApiCallsWarnBypassed	ASR Win32 API calls from Office macros (warn bypassed)
AsrOfficeProcessInjectionAudited	ASR Office app code injection (audited)
AsrOfficeProcessInjectionBlocked	ASR Office app code injection (blocked)
AsrOfficeProcessInjectionWarnBypassed	ASR Office app code injection (warn bypassed)
AsrPersistenceThroughWmiAudited	ASR WMI event subscription persistence (audited)
AsrPersistenceThroughWmiBlocked	ASR WMI event subscription persistence (blocked)
AsrPersistenceThroughWmiWarnBypassed	ASR WMI event subscription persistence (warn bypassed)
AsrPsexecWmiChildProcessAudited	ASR PsExec or WMI child process (audited)
AsrPsexecWmiChildProcessBlocked	ASR PsExec or WMI child process (blocked)
AsrPsexecWmiChildProcessWarnBypassed	ASR PsExec or WMI child process (warn bypassed)
AsrRansomwareAudited	ASR ransomware activity (audited)
AsrRansomwareBlocked	ASR ransomware activity (blocked)
AsrRansomwareWarnBypassed	ASR ransomware activity (warn bypassed)
AsrSafeModeRebootAudited	ASR Safe mode reboot configuration (audited)
AsrSafeModeRebootBlocked	ASR Safe mode reboot configuration (blocked)
AsrSafeModeRebootWarnBypassed	ASR Safe mode reboot configuration (warn bypassed)
AsrScriptExecutableDownloadAudited	ASR script launching downloaded executable (audited)
AsrScriptExecutableDownloadBlocked	ASR script launching downloaded executable (blocked)
AsrScriptExecutableDownloadWarnBypassed	ASR script launching downloaded executable (warn bypassed)
AsrUntrustedExecutableBlocked	ASR untrusted executable (blocked)
AsrUntrustedExecutableWarnBypassed	ASR untrusted executable (warn bypassed)
AsrUntrustedUsbProcessAudited	ASR untrusted process from USB (audited)
AsrUntrustedUsbProcessBlocked	ASR untrusted process from USB (blocked)
AsrUntrustedUsbProcessWarnBypassed	ASR untrusted process from USB (warn bypassed)
AsrVulnerableSignedDriverAudited	ASR vulnerable signed driver (audited)
AsrVulnerableSignedDriverBlocked	ASR vulnerable signed driver (blocked)
AsrVulnerableSignedDriverWarnBypassed	ASR vulnerable signed driver (warn bypassed)
AsrWebShellOnServerAudited	ASR webshell creation on Windows Server (audited)
AsrWebShellOnServerBlocked	ASR webshell creation on Windows Server (blocked)
AsrWebShellWarnBypassed	ASR webshell creation (warn bypassed)
AppControlAppInstallationAudited	AppControl app installation (audited)
AppControlAppInstallationBlocked	AppControl app installation (blocked)
AppControlCIScriptAudited	AppControl Config CI script (audited)
AppControlCIScriptBlocked	AppControl Config CI script (blocked)
AppControlCodeIntegrityDriverRevoked	AppControl Code Integrity driver revoked
AppControlCodeIntegrityImageAudited	AppControl Code Integrity image (audited)
AppControlCodeIntegrityImageRevoked	AppControl Code Integrity image revoked
AppControlCodeIntegrityOriginAllowed	AppControl Code Integrity origin allowed
AppControlCodeIntegrityOriginAudited	AppControl Code Integrity origin (audited)
AppControlCodeIntegrityOriginBlocked	AppControl Code Integrity origin (blocked)
AppControlCodeIntegrityPolicyAudited	AppControl Code Integrity policy (audited)
AppControlCodeIntegrityPolicyBlocked	AppControl Code Integrity policy (blocked)
AppControlCodeIntegrityPolicyLoaded	AppControl Code Integrity policy loaded
AppControlCodeIntegritySigningInformation	AppControl Code Integrity signing information
AppControlExecutableAudited	AppControl executable (audited)
AppControlExecutableBlocked	AppControl executable (blocked)
AppControlPackagedAppAudited	AppControl packaged app (audited)
AppControlPackagedAppBlocked	AppControl packaged app (blocked)
AppControlPolicyApplied	AppControl policy applied
AppControlScriptAudited	AppControl script (audited)
AppControlScriptBlocked	AppControl script (blocked)
AppGuardBrowseToUrl	Application Guard browse to URL
AppGuardCreateContainer	Application Guard container created
AppGuardLaunchedWithUrl	Application Guard launched with URL
AppGuardResumeContainer	Application Guard container resumed
AppGuardStopContainer	Application Guard container stopped
AppGuardSuspendContainer	Application Guard container suspended
AppLockerBlockExecutable	AppLocker blocked executable
AppLockerBlockPackagedApp	AppLocker blocked packaged app
AppLockerBlockPackagedAppInstallation	AppLocker blocked packaged app installation
AppLockerBlockScript	AppLocker blocked script
ControlFlowGuardViolation	Control Flow Guard violation
ExploitGuardAcgAudited	Exploit Guard ACG (audited)
ExploitGuardAcgEnforced	Exploit Guard ACG (blocked)
ExploitGuardChildProcessAudited	Exploit Guard child process (audited)
ExploitGuardChildProcessBlocked	Exploit Guard child process (blocked)
ExploitGuardEafViolationAudited	Exploit Guard EAF violation (audited)
ExploitGuardEafViolationBlocked	Exploit Guard EAF violation (blocked)
ExploitGuardIafViolationAudited	Exploit Guard IAF violation (audited)
ExploitGuardIafViolationBlocked	Exploit Guard IAF violation (blocked)
ExploitGuardLowIntegrityImageAudited	Exploit Guard low-integrity image (audited)
ExploitGuardLowIntegrityImageBlocked	Exploit Guard low-integrity image (blocked)
ExploitGuardNetworkProtectionAudited	Exploit Guard Network Protection (audited)
ExploitGuardNetworkProtectionBlocked	Exploit Guard Network Protection (blocked)
ExploitGuardNonMicrosoftSignedAudited	Exploit Guard non-Microsoft signed image (audited)
ExploitGuardNonMicrosoftSignedBlocked	Exploit Guard non-Microsoft signed image (blocked)
ExploitGuardRopExploitAudited	Exploit Guard ROP exploit (audited)
ExploitGuardRopExploitBlocked	Exploit Guard ROP exploit (blocked)
ExploitGuardSharedBinaryAudited	Exploit Guard shared binary load (audited)
ExploitGuardSharedBinaryBlocked	Exploit Guard shared binary load (blocked)
ExploitGuardWin32SystemCallAudited	Exploit Guard Win32k system-call (audited)
ExploitGuardWin32SystemCallBlocked	Exploit Guard Win32k system-call (blocked)
AntivirusDefinitionsUpdateFailed	Antivirus definitions update failed
AntivirusDefinitionsUpdated	Antivirus definitions updated
AntivirusDetection	Antivirus detection
AntivirusEmergencyUpdatesInstalled	Antivirus emergency updates installed
AntivirusError	Antivirus error
AntivirusMalwareActionFailed	Antivirus malware action failed
AntivirusMalwareBlocked	Antivirus malware blocked
AntivirusScanCancelled	Antivirus scan cancelled
AntivirusScanCompleted	Antivirus scan completed
AntivirusScanFailed	Antivirus scan failed
AntivirusTroubleshootModeEvent	Antivirus troubleshoot mode state change
ControlledFolderAccessViolationAudited	Controlled folder access violation (audited)
ControlledFolderAccessViolationBlocked	Controlled folder access violation (blocked)
FirewallInboundConnectionBlocked	Firewall inbound connection blocked
FirewallInboundConnectionToAppBlocked	Firewall inbound connection to app blocked
FirewallOutboundConnectionBlocked	Firewall outbound connection blocked
FirewallServiceStopped	Firewall service stopped
NetworkProtectionUserBypassEvent	Network protection user bypass
NetworkShareObjectAccessChecked	Network share object access checked
NetworkShareObjectAdded	Network share object added
NetworkShareObjectDeleted	Network share object deleted
NetworkShareObjectModified	Network share object modified
SmartScreenAppWarning	SmartScreen app warning
SmartScreenExploitWarning	SmartScreen exploit warning
SmartScreenUrlWarning	SmartScreen URL warning
SmartScreenUserOverride	SmartScreen user override
AccountCheckedForBlankPassword	Account checked for blank password
AuditPolicyModification	Audit policy modified
BitLockerAuditCompleted	BitLocker audit completed
BluetoothPolicyTriggered	Bluetooth policy triggered
BrowserLaunchedToOpenUrl	Browser launched to open URL
BruteForceActivityDetected	Brute force activity detected
CertificateServicesApprovedCertificateRequest	Certificate Services approved certificate request
CertificateServicesLoadedTemplate	Certificate Services loaded template
CertificateServicesReceivedCertificateRequest	Certificate Services received certificate request
CredentialsBackup	Credentials backed up
DeviceBootAttestationInfo	Device boot attestation info
DirectoryServiceObjectCreated	Directory Service object created
DirectoryServiceObjectModified	Directory Service object modified
DnsQueryResponse	DNS query response
DpapiAccessed	DPAPI accessed
ExternalDeviceConnected	External device connected
ExternalDeviceDisconnected	External device disconnected
FileTimestampModificationEvent	File timestamp modified
GetAsyncKeyStateApiCall	GetAsyncKeyState API call
GetClipboardData	GetClipboardData API call
LogonRightsSettingEnabled	Logon rights setting enabled
NtAllocateVirtualMemoryApiCall	NtAllocateVirtualMemory API call
NtProtectVirtualMemoryApiCall	NtProtectVirtualMemory API call
PTraceDetected	PTrace detected
PasswordChangeAttempt	Password change attempt
PlistPropertyModified	Plist property modified
PnpDeviceAllowed	PnP device allowed
PnpDeviceBlocked	PnP device blocked
PnpDeviceConnected	PnP device connected
PrintJobBlocked	Print job blocked
ProcessCreatedUsingWmiQuery	Process created using WMI query
ReadProcessMemoryApiCall	ReadProcessMemory API call
RemoteDesktopConnection	Remote Desktop connection
RemoteWmiOperation	Remote WMI operation
RemovableStorageFileEvent	Removable storage file event
RemovableStoragePolicyTriggered	Removable storage policy triggered
SafeDocFileScan	Safe Documents file scanned
ScheduledTaskDisabled	Scheduled task disabled
ScheduledTaskEnabled	Scheduled task enabled
ScreenshotTaken	Screenshot taken
SecurityGroupCreated	Security group created
SecurityGroupDeleted	Security group deleted
SecurityLogCleared	Security log cleared
SensitiveFileRead	Sensitive file read
ServiceInstalled	Service installed
ShellLinkCreateFileEvent	Shell link (LNK) file created
TamperingAttempt	Tampering attempt
UntrustedWifiConnection	Untrusted Wi-Fi connection
UsbDriveDriveLetterChanged	USB drive letter changed
UsbDriveMounted	USB drive mounted
UsbDriveUnmounted	USB drive unmounted
UserAccountCreated	User account created
UserAccountDeleted	User account deleted
UserAccountModified	User account modified
UserAccountPasswordResetAttempt	User account password reset attempt
WmiBindEventFilterToConsumer	WMI EventFilter bound to consumer
WriteToLsassProcessMemory	Write to LSASS process memory

any: Defender event (any)

Table: DeviceEvents

Description

Defender event (any). DeviceEvents is a catch-all; bridges only apply per-ActionType.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ActionType`
`AdditionalFields`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ConnectionSuccess`	2 rules	kusto
`EventType`	starts_with	`AppControl`	5 rules	kusto
`file_name`	eq	`ncrypt.dll`	4 rules	kusto
`DestinationHostname`	eq	`login.microsoftonline.com`	3 rules	kusto
`GlobalPrevalence`	lt	`250`	3 rules	kusto
`DestinationPort`	eq	`3389`	2 rules	elastic, kusto, sigma, splunk
`NodeLabel`	eq	`device`	2 rules	kusto
`OnboardingStatus`	ne	`Onboarded`	2 rules	kusto
`TpmActivated`	ne	`true`	2 rules	kusto
`TpmEnabled`	ne	`true`	2 rules	kusto
`TpmSupported`	ne	`true`	2 rules	kusto
`parent_process_name`	contains	`powershell`	2 rules	kusto
`parent_process_name`	contains	`python`	2 rules	kusto
`parent_process_name`	ne	`microsoft.tri.sensor.exe`	2 rules	kusto
`type`	eq	`DeviceInventoryId`	2 rules	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Windows host username encoded in base64 web request source medium: This detection will identify network requests in HTTP proxy data that contains Base64 encoded usernames from machines in the DeviceEvents table. This technique was seen usee by POLONIUM in their RunningRAT tool.
Office ASR rule triggered from browser spawned office process. source medium: The attacker sends a spearphishing email to a user. The email contains a link which points to a website that eventually presents the user a download of an MS Office document. This document contains a malicious macro. The macro triggers one of the ASR rules. This detection looks for Office ASR violations triggered by an Office document opened from a browser. Note: be aware that you need to have the proper ASR rules enabled for this detection to work.
SUNSPOT malware hashes source medium: This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike. More details: - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ - https://techcommunity.microsoft.com/blog/microsoftsentinelblog/monitoring-the-software-supply-chain-with-azure-sentinel/2176463/

Show 7 more (10 total)

TEARDROP memory-only dropper source high: Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
Detect LolDriver drop or load from unknown or unsigned process source: Adversaries may use LolDrivers to elevate their privileges on a system. Regularly, their drop their own LolDrivers from their beacon process when the LolDriver is not yet present on the system. This is a detection use case to detect an unknown process dropping these LolDrivers.
Detect device token stealing with WDAC source: This rule uses a WDAC audit policy to ingest missing Microsoft Defender for Endpoint events. By doing this, we can detect PRT token stealing on a device when exploiting the MicrosoftAccountTokenProvider.dll. For more detailed information on the WDAC audit policy, see the blogpost added in the references.
Detect Suspicious ncrypt.dll usage by CLI tool or unknown process source: This detection rule uses a WDAC audit policy to ingest missing DeviceImageLoad events in MDE, and check for suspicious processes using the ncrypt.dll. More information on the attack scenario this is detection is applicable for can be found in the references.
Detect Suspicious ncrypt.dll usage by process requesting Entra ID Nonce source: This detection rule uses a WDAC audit policy to ingest missing DeviceImageLoad events in MDE, and check for suspicious processes using the ncrypt.dll and requesting an Entra ID Nonce. More information on the attack scenario this is detection is applicable for can be found in the references.
Detect Suspicious ncrypt.dll usage on admin device with RDP connections to non TPM protected device source: This detection rule uses a WDAC audit policy to ingest missing DeviceImageLoad events in MDE, and check for suspicious processes using the ncrypt.dll and admin devices performing RDP connection to unmanaged or non-TPM devices. More information on the attack scenario this is detection is applicable for can be found in the references.
Detect Suspicious ncrypt.dll usage with RDP connections to unmanaged or non TPM protected device source: This detection rule uses a WDAC audit policy to ingest missing DeviceImageLoad events in MDE, and check for suspicious processes using the ncrypt.dll and devices performing RDP connection to unmanaged or non-TPM devices. More information on the attack scenario this is detection is applicable for can be found in the references.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PowerShellCommand: PowerShell command executed

Table: DeviceEvents

Description

PowerShell command executed. PowerShell ScriptBlockLogging captures the same surface.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`PowerShellCommand`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Suspicious Powershell Commandlet Executed source medium: This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AmsiScriptDetected: AMSI script detected

Table: DeviceEvents

Description

AMSI script detected. Defender-only; no Windows-native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AmsiScriptContent: AMSI script content captured

Table: DeviceEvents

Description

AMSI script content captured. Defender-only; no Windows-native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`parent_process_name`	eq	`powershell.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Deimos Component Execution source high: Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

CreateRemoteThreadApiCall: CreateRemoteThread API call

Table: DeviceEvents

Description

CreateRemoteThread API call

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ConnectionSuccess`	1 rule	kusto
`EventType`	in	`CreateRemoteThreadApiCall`	3 rules	kusto
`EventType`	in	`QueueUserApcRemoteApiCall`	3 rules	kusto
`EventType`	in	`SetThreadContextRemoteApiCall`	3 rules	kusto
`EventType`	in	`NtAllocateVirtualMemoryRemoteApiCall`	2 rules	kusto
`EventType`	in	`NtMapViewOfSectionRemoteApiCall`	2 rules	kusto
`DestinationPort`	eq	`9389`	1 rule	elastic, kusto, sigma, splunk
`parent_process_name`	eq	`mmc.exe`	1 rule	elastic, kusto, splunk
`parent_process_name`	in	`excel.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`powerpnt.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`winword.exe`	1 rule	kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Suspicious Process Injection from Office application source medium: This query detects process injections using CreateRemoteThread, QueueUserAPC or SetThread context APIs, originating from an Office process (only Word/Excel/PowerPoint)that might contains macros. Performing process injection from a macro is a common technique by attackers to escape out of the Office process into something longer running.
Process Injection From Untrusted Process source: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.↳ also matches NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call

Show 1 more (4 total)

Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), ReadProcessMemoryApiCall: ReadProcessMemory API call

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ProcessInjectionDetected: Process injection detected

Table: DeviceEvents

Description

Process injection detected. Defender-only; no Windows-native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NamedPipeEvent: Named pipe event

Table: DeviceEvents

Description

Named pipe event

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`NamedPipeEvent`	2 rules	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Suspicious named pipes source medium: This query looks for Named Pipe events that either contain one of the known IOCs or make use of patterns that can be linked to CobaltStrike usage.
C2-NamedPipe source high: Detects the creation of a named pipe used by known APT malware. Reference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UserAccountAddedToLocalGroup: User account added to local group

Table: DeviceEvents

Description

User account added to local group

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AdditionalFields`

Detection Rules #

View all rules referencing this event →

Kusto #

Local Admin Group Changes source high: This query searches for changes to the local administrators group. Blogpost: https://www.verboon.info/2020/09/hunting-for-local-group-membership-changes.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UserAccountRemovedFromLocalGroup: User account removed from local group

Table: DeviceEvents

Description

User account removed from local group

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAuditEvent: ASR audit event

Table: DeviceEvents

Description

ASR audit event. Defender ASR audit; loosely maps to Defender-1121 channel events.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrLsassCredentialTheftAudited: ASR: LSASS credential theft (audited)

Table: DeviceEvents

Description

ASR: LSASS credential theft (audited). Defender ASR; no native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeChildProcessAudited: ASR: Office child process (audited)

Table: DeviceEvents

Description

ASR: Office child process (audited). Defender ASR; no native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusReport: Antivirus report

Table: DeviceEvents

Description

Antivirus report. Defender AV; loosely maps to Defender-1116/1117 detected/quarantined events.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ScheduledTaskCreated: Scheduled task created

Table: DeviceEvents

Description

Scheduled task created

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ScheduledTaskDeleted: Scheduled task deleted

Table: DeviceEvents

Description

Scheduled task deleted

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ScheduledTaskUpdated: Scheduled task updated

Table: DeviceEvents

Description

Scheduled task updated

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

OpenProcessApiCall: Process opened (OpenProcess API call)

Table: DeviceEvents

Description

Process opened (OpenProcess API call). Sysmon-10 is ProcessAccess; Kernel-Audit-API-Calls-5 (TargetProcessId / DesiredAccess / ReturnCode) is the same kernel audit hook MDE consumes and any admin ETW session can collect.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

Detection Patterns #

Defender-DeviceEvents OpenProcessApiCall: Process openedORProcessPrimaryTokenModified: Process primary token modifiedORKernel-Audit-API-Calls Event ID 5: OpenProcess API call auditedORSysmon Event ID 10: ProcessAccess

1 rule

Kusto

LSASS Dumping using Debug Privileges (source)

FalconForce

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ProcessPrimaryTokenModified: Process primary token modified

Table: DeviceEvents

Description

Process primary token modified. Security-4696 candidate closed (lab-verified 2026-06-05, Win11 26200): 4696 is emitted on current builds but only for kernel-level token assignments at boot (SYSTEM assigning token to Registry and other early kernel processes). User-space CreateProcessAsUser paths (Task Scheduler, scheduled task with explicit credentials) do not emit 4696. Semantics mismatch: 4696 fires on token assignment at process creation; ProcessPrimaryTokenModified fires on in-place token replacement (NtSetInformationProcess with ProcessAccessToken). Different kernel codepaths; no bridge.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`AccountName`
`InitiatingProcessFileName`

Detection Patterns #

1 rule

Kusto

LSASS Dumping using Debug Privileges (source)

FalconForce

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

LdapSearch: LDAP search

Table: DeviceEvents

Description

LDAP search. Client-side LDAP query telemetry (search filter in AdditionalFields). ETW bridge verified by live capture on Win11 26200 (2026-06-05): Microsoft-Windows-LDAP-Client event 30 (ScopeOfSearch, SearchFilter, DistinguishedName, AttributeList, ProcessId) fires for every wldap32.dll search call including rootDSE probes and paged result sets. Bridge is derivable-from, not one-to-one: event 30 fires for all client-side searches regardless of whether MDE would surface them as LdapSearch ActionType events.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`
`AdditionalFields`

Detection Patterns #

Discovery: Domain Account

Defender-DeviceEvents LdapSearch: LDAP searchORLDAP-Client Event ID 30: LDAP search request

1 rule

Kusto

LDAP reconnaissance via search filters (source)

FalconForce

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ClrUnbackedModuleLoaded: CLR unbacked module loaded

Table: DeviceEvents

Description

CLR unbacked module loaded. Derivable-from, not one-to-one: DotNETRuntime-152 (ModuleLoad) fires for every CLR module; 'unbacked' (no disk-backed image) is a filter over the module-flags payload. CLR ETW is emitted inside the (potentially attacker-controlled) process and can be patched out; the MDE sensor copy is the tamper-resistant variant.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`parent_process_name`	in	`cscript.exe`	1 rule	elastic, kusto, splunk
`parent_process_name`	in	`mmc.exe`	1 rule	kusto, splunk
`parent_process_name`	in	`mshta.exe`	1 rule	elastic, kusto
`parent_process_name`	in	`wscript.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Script Interpreter Loading DotNet Assembly From Memory source: The query searches for script interpreters (mmc.exe, mshta.exe, wscript.exe, and cscript.exe) loading .NET assemblies from memory. In the case of the MMC executable, the query also checks for the MSC file that was loaded, as some legitimate MSC files are known to load .NET assemblies via MMC.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrUntrustedExecutableAudited: ASR untrusted executable (audited)

Table: DeviceEvents

Description

ASR untrusted executable (audited). Block-mode ASR siblings map to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`

Detection Rules #

View all rules referencing this event →

Kusto #

ASR Rare and Untrusted Executables source: Below query shows Untrusted executables that are seen on few devices (LocalPrevalence). It requires the below ASR rule to be configured and Cloud-delivered protection to be enabled.
Block executable files from running unless they meet a prevalence, age, or trusted list criterion
You may need to exclude software development users/machines/folders.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

DriverLoad: Driver loaded

Table: DeviceEvents

Description

Driver loaded. ETW-TI requires a PPL/ELAM-signed consumer; Sysmon-6 is the collectible equivalent for non-MDE environments.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`DriverLoad`	2 rules	kusto
`dcount_DeviceId`	le	`5`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Microsoft Recommended Driver Block List source: The query below detects loading or creation of a vulnerable driver that is listed in the Microsoft recommended driver block rules.
Suspicious Driver Load source: Below query detects suspicious(unusual/rare) driver loads. Further checks are required on detected files to confirm malicious activity.

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory)

Table: DeviceEvents

Description

Remote virtual memory allocation (NtAllocateVirtualMemory)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ConnectionSuccess`	1 rule	kusto
`EventType`	in	`CreateRemoteThreadApiCall`	2 rules	kusto
`EventType`	in	`NtAllocateVirtualMemoryRemoteApiCall`	2 rules	kusto
`EventType`	in	`NtMapViewOfSectionRemoteApiCall`	2 rules	kusto
`EventType`	in	`QueueUserApcRemoteApiCall`	2 rules	kusto
`EventType`	in	`SetThreadContextRemoteApiCall`	2 rules	kusto
`DestinationPort`	eq	`9389`	1 rule	elastic, kusto, sigma, splunk
`parent_process_name`	eq	`mmc.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Process Injection From Untrusted Process source: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call
Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), ReadProcessMemoryApiCall: ReadProcessMemory API call

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

MemoryRemoteProtect: Remote virtual memory protection change

Table: DeviceEvents

Description

Remote virtual memory protection change

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`DestinationPort`	eq	`9389`	1 rule	elastic, kusto, sigma, splunk
`EventType`	eq	`ConnectionSuccess`	1 rule	kusto
`parent_process_name`	eq	`mmc.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call
Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), ReadProcessMemoryApiCall: ReadProcessMemory API call

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection)

Table: DeviceEvents

Description

Remote section map (NtMapViewOfSection)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`ConnectionSuccess`	1 rule	kusto
`EventType`	in	`CreateRemoteThreadApiCall`	2 rules	kusto
`EventType`	in	`NtAllocateVirtualMemoryRemoteApiCall`	2 rules	kusto
`EventType`	in	`NtMapViewOfSectionRemoteApiCall`	2 rules	kusto
`EventType`	in	`QueueUserApcRemoteApiCall`	2 rules	kusto
`EventType`	in	`SetThreadContextRemoteApiCall`	2 rules	kusto
`DestinationPort`	eq	`9389`	1 rule	elastic, kusto, sigma, splunk
`parent_process_name`	eq	`mmc.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Process Injection From Untrusted Process source: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call
Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), ReadProcessMemoryApiCall: ReadProcessMemory API call

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc)

Table: DeviceEvents

Description

Remote APC queued (QueueUserApc)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`CreateRemoteThreadApiCall`	2 rules	kusto
`EventType`	in	`NtAllocateVirtualMemoryRemoteApiCall`	2 rules	kusto
`EventType`	in	`NtMapViewOfSectionRemoteApiCall`	2 rules	kusto
`EventType`	in	`QueueUserApcRemoteApiCall`	2 rules	kusto
`EventType`	in	`SetThreadContextRemoteApiCall`	2 rules	kusto
`parent_process_name`	eq	`mmc.exe`	1 rule	elastic, kusto, splunk

Detection Rules #

View all rules referencing this event →

Kusto #

Process Injection From Untrusted Process source: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)
ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call
Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext), ReadProcessMemoryApiCall: ReadProcessMemory API call

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)

Table: DeviceEvents

Description

Remote thread context change (SetThreadContext)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	in	`CreateRemoteThreadApiCall`	2 rules	kusto
`EventType`	in	`NtAllocateVirtualMemoryRemoteApiCall`	2 rules	kusto
`EventType`	in	`NtMapViewOfSectionRemoteApiCall`	2 rules	kusto
`EventType`	in	`QueueUserApcRemoteApiCall`	2 rules	kusto
`EventType`	in	`SetThreadContextRemoteApiCall`	2 rules	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

Process Injection From Untrusted Process source: This query searches for processes performing remote process injection via multiple API calls related to process injection. It filters out programs that inject into their own process or into a process from the same directory. It then finds suspicious processes based on the global prevalence.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc)
ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call
Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), ReadProcessMemoryApiCall: ReadProcessMemory API call

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAbusedSystemToolAudited: ASR copied or impersonated system tool (audited)

Table: DeviceEvents

Description

ASR copied or impersonated system tool (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAbusedSystemToolBlocked: ASR copied or impersonated system tool (blocked)

Table: DeviceEvents

Description

ASR copied or impersonated system tool (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAbusedSystemToolWarnBypassed: ASR copied or impersonated system tool (warn bypassed)

Table: DeviceEvents

Description

ASR copied or impersonated system tool (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAdobeReaderChildProcessAudited: ASR Adobe Reader child process (audited)

Table: DeviceEvents

Description

ASR Adobe Reader child process (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAdobeReaderChildProcessBlocked: ASR Adobe Reader child process (blocked)

Table: DeviceEvents

Description

ASR Adobe Reader child process (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrAdobeReaderChildProcessWarnBypassed: ASR Adobe Reader child process (warn bypassed)

Table: DeviceEvents

Description

ASR Adobe Reader child process (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrExecutableEmailContentAudited: ASR executable from email client (audited)

Table: DeviceEvents

Description

ASR executable from email client (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrExecutableEmailContentBlocked: ASR executable from email client (blocked)

Table: DeviceEvents

Description

ASR executable from email client (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrExecutableEmailContentWarnBypassed: ASR executable from email client (warn bypassed)

Table: DeviceEvents

Description

ASR executable from email client (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrExecutableOfficeContentAudited: ASR Office app creating executable content (audited)

Table: DeviceEvents

Description

ASR Office app creating executable content (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrExecutableOfficeContentBlocked: ASR Office app creating executable content (blocked)

Table: DeviceEvents

Description

ASR Office app creating executable content (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrExecutableOfficeContentWarnBypassed: ASR Office app creating executable content (warn bypassed)

Table: DeviceEvents

Description

ASR Office app creating executable content (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrLsassCredentialTheftBlocked: ASR LSASS credential theft (blocked)

Table: DeviceEvents

Description

ASR LSASS credential theft (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrLsassCredentialTheftWarnBypassed: ASR LSASS credential theft (warn bypassed)

Table: DeviceEvents

Description

ASR LSASS credential theft (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrObfuscatedScriptAudited: ASR obfuscated script execution (audited)

Table: DeviceEvents

Description

ASR obfuscated script execution (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrObfuscatedScriptBlocked: ASR obfuscated script execution (blocked)

Table: DeviceEvents

Description

ASR obfuscated script execution (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrObfuscatedScriptWarnBypassed: ASR obfuscated script execution (warn bypassed)

Table: DeviceEvents

Description

ASR obfuscated script execution (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeChildProcessBlocked: ASR Office app child process (blocked)

Table: DeviceEvents

Description

ASR Office app child process (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeChildProcessWarnBypassed: ASR Office app child process (warn bypassed)

Table: DeviceEvents

Description

ASR Office app child process (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeCommAppChildProcessAudited: ASR Office communication app child process (audited)

Table: DeviceEvents

Description

ASR Office communication app child process (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeCommAppChildProcessBlocked: ASR Office communication app child process (blocked)

Table: DeviceEvents

Description

ASR Office communication app child process (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeCommAppChildProcessWarnBypassed: ASR Office communication app child process (warn bypassed)

Table: DeviceEvents

Description

ASR Office communication app child process (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeMacroWin32ApiCallsAudited: ASR Win32 API calls from Office macros (audited)

Table: DeviceEvents

Description

ASR Win32 API calls from Office macros (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeMacroWin32ApiCallsBlocked: ASR Win32 API calls from Office macros (blocked)

Table: DeviceEvents

Description

ASR Win32 API calls from Office macros (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeMacroWin32ApiCallsWarnBypassed: ASR Win32 API calls from Office macros (warn bypassed)

Table: DeviceEvents

Description

ASR Win32 API calls from Office macros (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeProcessInjectionAudited: ASR Office app code injection (audited)

Table: DeviceEvents

Description

ASR Office app code injection (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeProcessInjectionBlocked: ASR Office app code injection (blocked)

Table: DeviceEvents

Description

ASR Office app code injection (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrOfficeProcessInjectionWarnBypassed: ASR Office app code injection (warn bypassed)

Table: DeviceEvents

Description

ASR Office app code injection (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrPersistenceThroughWmiAudited: ASR WMI event subscription persistence (audited)

Table: DeviceEvents

Description

ASR WMI event subscription persistence (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrPersistenceThroughWmiBlocked: ASR WMI event subscription persistence (blocked)

Table: DeviceEvents

Description

ASR WMI event subscription persistence (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrPersistenceThroughWmiWarnBypassed: ASR WMI event subscription persistence (warn bypassed)

Table: DeviceEvents

Description

ASR WMI event subscription persistence (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrPsexecWmiChildProcessAudited: ASR PsExec or WMI child process (audited)

Table: DeviceEvents

Description

ASR PsExec or WMI child process (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrPsexecWmiChildProcessBlocked: ASR PsExec or WMI child process (blocked)

Table: DeviceEvents

Description

ASR PsExec or WMI child process (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrPsexecWmiChildProcessWarnBypassed: ASR PsExec or WMI child process (warn bypassed)

Table: DeviceEvents

Description

ASR PsExec or WMI child process (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrRansomwareAudited: ASR ransomware activity (audited)

Table: DeviceEvents

Description

ASR ransomware activity (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrRansomwareBlocked: ASR ransomware activity (blocked)

Table: DeviceEvents

Description

ASR ransomware activity (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrRansomwareWarnBypassed: ASR ransomware activity (warn bypassed)

Table: DeviceEvents

Description

ASR ransomware activity (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrSafeModeRebootAudited: ASR Safe mode reboot configuration (audited)

Table: DeviceEvents

Description

ASR Safe mode reboot configuration (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrSafeModeRebootBlocked: ASR Safe mode reboot configuration (blocked)

Table: DeviceEvents

Description

ASR Safe mode reboot configuration (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrSafeModeRebootWarnBypassed: ASR Safe mode reboot configuration (warn bypassed)

Table: DeviceEvents

Description

ASR Safe mode reboot configuration (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrScriptExecutableDownloadAudited: ASR script launching downloaded executable (audited)

Table: DeviceEvents

Description

ASR script launching downloaded executable (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrScriptExecutableDownloadBlocked: ASR script launching downloaded executable (blocked)

Table: DeviceEvents

Description

ASR script launching downloaded executable (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrScriptExecutableDownloadWarnBypassed: ASR script launching downloaded executable (warn bypassed)

Table: DeviceEvents

Description

ASR script launching downloaded executable (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrUntrustedExecutableBlocked: ASR untrusted executable (blocked)

Table: DeviceEvents

Description

ASR untrusted executable (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrUntrustedExecutableWarnBypassed: ASR untrusted executable (warn bypassed)

Table: DeviceEvents

Description

ASR untrusted executable (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrUntrustedUsbProcessAudited: ASR untrusted process from USB (audited)

Table: DeviceEvents

Description

ASR untrusted process from USB (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrUntrustedUsbProcessBlocked: ASR untrusted process from USB (blocked)

Table: DeviceEvents

Description

ASR untrusted process from USB (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrUntrustedUsbProcessWarnBypassed: ASR untrusted process from USB (warn bypassed)

Table: DeviceEvents

Description

ASR untrusted process from USB (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrVulnerableSignedDriverAudited: ASR vulnerable signed driver (audited)

Table: DeviceEvents

Description

ASR vulnerable signed driver (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrVulnerableSignedDriverBlocked: ASR vulnerable signed driver (blocked)

Table: DeviceEvents

Description

ASR vulnerable signed driver (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrVulnerableSignedDriverWarnBypassed: ASR vulnerable signed driver (warn bypassed)

Table: DeviceEvents

Description

ASR vulnerable signed driver (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrWebShellOnServerAudited: ASR webshell creation on Windows Server (audited)

Table: DeviceEvents

Description

ASR webshell creation on Windows Server (audited). Block-mode ASR sibling maps to Defender-1121.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrWebShellOnServerBlocked: ASR webshell creation on Windows Server (blocked)

Table: DeviceEvents

Description

ASR webshell creation on Windows Server (blocked). Audit-mode ASR sibling maps to Defender-1122.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AsrWebShellWarnBypassed: ASR webshell creation (warn bypassed)

Table: DeviceEvents

Description

ASR webshell creation (warn bypassed). Defender ASR user-override event; no ETW-channel equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlAppInstallationAudited: AppControl app installation (audited)

Table: DeviceEvents

Description

AppControl app installation (audited). AppLocker packaged-install audit channel records the same decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlAppInstallationBlocked: AppControl app installation (blocked)

Table: DeviceEvents

Description

AppControl app installation (blocked). AppLocker packaged-install block channel records the same decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCIScriptAudited: AppControl Config CI script (audited)

Table: DeviceEvents

Description

AppControl Config CI script (audited). CI here is the Lockdown Policy script enforcement; AppLocker 8028 records the audit-channel sibling.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCIScriptBlocked: AppControl Config CI script (blocked)

Table: DeviceEvents

Description

AppControl Config CI script (blocked). Lockdown Policy script block surfaces in the AppLocker channel as 8029.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityDriverRevoked: AppControl Code Integrity driver revoked

Table: DeviceEvents

Description

AppControl Code Integrity driver revoked. CodeIntegrity 3023 records a revoked driver load on the kernel side.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityImageAudited: AppControl Code Integrity image (audited)

Table: DeviceEvents

Description

AppControl Code Integrity image (audited). CodeIntegrity 3076 records the user-image audit decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityImageRevoked: AppControl Code Integrity image revoked

Table: DeviceEvents

Description

AppControl Code Integrity image revoked. User-image revocations surface as 3077; driver-side revocations surface as 3023.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityOriginAllowed: AppControl Code Integrity origin allowed

Table: DeviceEvents

Description

AppControl Code Integrity origin allowed. Intelligent Security Graph reputation lookup; no Windows-native ETW source records a good-reputation allow.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityOriginAudited: AppControl Code Integrity origin (audited)

Table: DeviceEvents

Description

AppControl Code Integrity origin (audited). Intelligent Security Graph reputation audit; no Windows-native ETW source.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityOriginBlocked: AppControl Code Integrity origin (blocked)

Table: DeviceEvents

Description

AppControl Code Integrity origin (blocked). Derivable-from, not one-to-one: the ISG bad-reputation decision surfaces as a generic CI policy block 3077; the reputation rationale is not in ETW.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityPolicyAudited: AppControl Code Integrity policy (audited)

Table: DeviceEvents

Description

AppControl Code Integrity policy (audited). CodeIntegrity 3076 records the user-image policy audit decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityPolicyBlocked: AppControl Code Integrity policy (blocked)

Table: DeviceEvents

Description

AppControl Code Integrity policy (blocked). CodeIntegrity 3077 records the user-image policy block decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegrityPolicyLoaded: AppControl Code Integrity policy loaded

Table: DeviceEvents

Description

AppControl Code Integrity policy loaded. CodeIntegrity 3099 records a successful policy refresh.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlCodeIntegritySigningInformation: AppControl Code Integrity signing information

Table: DeviceEvents

Description

AppControl Code Integrity signing information. 3089 carries signer detail for a paired CodeIntegrity decision event.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlExecutableAudited: AppControl executable (audited)

Table: DeviceEvents

Description

AppControl executable (audited). Smart App Control system execution policy audit surfaces in AppLocker as 8041.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlExecutableBlocked: AppControl executable (blocked)

Table: DeviceEvents

Description

AppControl executable (blocked). 8042 carries the block decision; 8045 carries Smart App Control block detail.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlPackagedAppAudited: AppControl packaged app (audited)

Table: DeviceEvents

Description

AppControl packaged app (audited). AppLocker packaged-install audit 8024 records the same decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlPackagedAppBlocked: AppControl packaged app (blocked)

Table: DeviceEvents

Description

AppControl packaged app (blocked). AppLocker packaged-install block 8025 records the same decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlPolicyApplied: AppControl policy applied

Table: DeviceEvents

Description

AppControl policy applied. CodeIntegrity 3099 records a successful policy refresh on the host.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlScriptAudited: AppControl script (audited)

Table: DeviceEvents

Description

AppControl script (audited). AppLocker 8028 records the Config CI script audit decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppControlScriptBlocked: AppControl script (blocked)

Table: DeviceEvents

Description

AppControl script (blocked). AppLocker 8029 records the Config CI script block decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppGuardBrowseToUrl: Application Guard browse to URL

Table: DeviceEvents

Description

Application Guard browse to URL. Defender Application Guard isolation telemetry; no Windows-native ETW source in the catalog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AppGuardContainerId`
`RemoteUrl`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppGuardCreateContainer: Application Guard container created

Table: DeviceEvents

Description

Application Guard container created. Defender Application Guard isolation telemetry; no Windows-native ETW source in the catalog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AppGuardContainerId`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppGuardLaunchedWithUrl: Application Guard launched with URL

Table: DeviceEvents

Description

Application Guard launched with URL. Defender Application Guard isolation telemetry; no Windows-native ETW source in the catalog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AppGuardContainerId`
`RemoteUrl`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppGuardResumeContainer: Application Guard container resumed

Table: DeviceEvents

Description

Application Guard container resumed. Defender Application Guard isolation telemetry; no Windows-native ETW source in the catalog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AppGuardContainerId`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppGuardStopContainer: Application Guard container stopped

Table: DeviceEvents

Description

Application Guard container stopped. Defender Application Guard isolation telemetry; no Windows-native ETW source in the catalog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AppGuardContainerId`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppGuardSuspendContainer: Application Guard container suspended

Table: DeviceEvents

Description

Application Guard container suspended. Defender Application Guard isolation telemetry; no Windows-native ETW source in the catalog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AppGuardContainerId`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppLockerBlockExecutable: AppLocker blocked executable

Table: DeviceEvents

Description

AppLocker blocked executable. AppLocker EXE-and-DLL channel 8004 records the same block decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppLockerBlockPackagedApp: AppLocker blocked packaged app

Table: DeviceEvents

Description

AppLocker blocked packaged app. AppLocker packaged-app channel 8022 records the same block decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppLockerBlockPackagedAppInstallation: AppLocker blocked packaged app installation

Table: DeviceEvents

Description

AppLocker blocked packaged app installation. AppLocker packaged-install channel 8025 records the same block decision.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AppLockerBlockScript: AppLocker blocked script

Table: DeviceEvents

Description

AppLocker blocked script. AppLocker writes script blocks to the MSI and Script channel.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ControlFlowGuardViolation: Control Flow Guard violation

Table: DeviceEvents

Description

Control Flow Guard violation. CFG enforcement is in-process and surfaces as process termination; kernel ROP/CFG triggers raise shadow-stack mismatch event 33. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardAcgAudited: Exploit Guard ACG (audited)

Table: DeviceEvents

Description

Exploit Guard ACG (audited)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardAcgEnforced: Exploit Guard ACG (blocked)

Table: DeviceEvents

Description

Exploit Guard ACG (blocked)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardChildProcessAudited: Exploit Guard child process (audited)

Table: DeviceEvents

Description

Exploit Guard child process (audited)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardChildProcessBlocked: Exploit Guard child process (blocked)

Table: DeviceEvents

Description

Exploit Guard child process (blocked)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardEafViolationAudited: Exploit Guard EAF violation (audited)

Table: DeviceEvents

Description

Exploit Guard EAF violation (audited). UserMode channel.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardEafViolationBlocked: Exploit Guard EAF violation (blocked)

Table: DeviceEvents

Description

Exploit Guard EAF violation (blocked). UserMode channel.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardIafViolationAudited: Exploit Guard IAF violation (audited)

Table: DeviceEvents

Description

Exploit Guard IAF violation (audited). UserMode channel.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardIafViolationBlocked: Exploit Guard IAF violation (blocked)

Table: DeviceEvents

Description

Exploit Guard IAF violation (blocked). UserMode channel.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardLowIntegrityImageAudited: Exploit Guard low-integrity image (audited)

Table: DeviceEvents

Description

Exploit Guard low-integrity image (audited)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardLowIntegrityImageBlocked: Exploit Guard low-integrity image (blocked)

Table: DeviceEvents

Description

Exploit Guard low-integrity image (blocked)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardNetworkProtectionAudited: Exploit Guard Network Protection (audited)

Table: DeviceEvents

Description

Exploit Guard Network Protection (audited). Network Protection engine writes to Defender-1126; URL detail is in Defender-engine logs, not the DeviceEvents action. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`RemoteUrl`
`RemoteIP`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardNetworkProtectionBlocked: Exploit Guard Network Protection (blocked)

Table: DeviceEvents

Description

Exploit Guard Network Protection (blocked). Network Protection engine writes to Defender-1125; URL detail is in Defender-engine logs. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`RemoteUrl`
`RemoteIP`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardNonMicrosoftSignedAudited: Exploit Guard non-Microsoft signed image (audited)

Table: DeviceEvents

Description

Exploit Guard non-Microsoft signed image (audited)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardNonMicrosoftSignedBlocked: Exploit Guard non-Microsoft signed image (blocked)

Table: DeviceEvents

Description

Exploit Guard non-Microsoft signed image (blocked)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardRopExploitAudited: Exploit Guard ROP exploit (audited)

Table: DeviceEvents

Description

Exploit Guard ROP exploit (audited). UserMode channel; hooked-API audit covers ROP detection.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardRopExploitBlocked: Exploit Guard ROP exploit (blocked)

Table: DeviceEvents

Description

Exploit Guard ROP exploit (blocked). UserMode channel; hooked-API block covers ROP enforcement.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardSharedBinaryAudited: Exploit Guard shared binary load (audited)

Table: DeviceEvents

Description

Exploit Guard shared binary load (audited). Image-load audit covers UNC and shared-path loads.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardSharedBinaryBlocked: Exploit Guard shared binary load (blocked)

Table: DeviceEvents

Description

Exploit Guard shared binary load (blocked). Image-load block covers UNC and shared-path loads.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardWin32SystemCallAudited: Exploit Guard Win32k system-call (audited)

Table: DeviceEvents

Description

Exploit Guard Win32k system-call (audited)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExploitGuardWin32SystemCallBlocked: Exploit Guard Win32k system-call (blocked)

Table: DeviceEvents

Description

Exploit Guard Win32k system-call (blocked)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`InitiatingProcessFileName`
`FileName`
`FolderPath`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusDefinitionsUpdateFailed: Antivirus definitions update failed

Table: DeviceEvents

Description

Antivirus definitions update failed

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusDefinitionsUpdated: Antivirus definitions updated

Table: DeviceEvents

Description

Antivirus definitions updated

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusDetection: Antivirus detection

Table: DeviceEvents

Description

Antivirus detection. Defender-1006 is the legacy ID; 1116 is the modern equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusEmergencyUpdatesInstalled: Antivirus emergency updates installed

Table: DeviceEvents

Description

Antivirus emergency updates installed. Emergency updates use the same 2000 event with elevated priority.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusError: Antivirus error

Table: DeviceEvents

Description

Antivirus error

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusMalwareActionFailed: Antivirus malware action failed

Table: DeviceEvents

Description

Antivirus malware action failed

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusMalwareBlocked: Antivirus malware blocked

Table: DeviceEvents

Description

Antivirus malware blocked

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusScanCancelled: Antivirus scan cancelled

Table: DeviceEvents

Description

Antivirus scan cancelled

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusScanCompleted: Antivirus scan completed

Table: DeviceEvents

Description

Antivirus scan completed

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusScanFailed: Antivirus scan failed

Table: DeviceEvents

Description

Antivirus scan failed

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AntivirusTroubleshootModeEvent: Antivirus troubleshoot mode state change

Table: DeviceEvents

Description

Antivirus troubleshoot mode state change. Troubleshoot mode is a configuration state change; the closest Defender-Operational event is 5007 (configuration changed). Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ControlledFolderAccessViolationAudited: Controlled folder access violation (audited)

Table: DeviceEvents

Description

Controlled folder access violation (audited)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ControlledFolderAccessViolationBlocked: Controlled folder access violation (blocked)

Table: DeviceEvents

Description

Controlled folder access violation (blocked)

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

FirewallInboundConnectionBlocked: Firewall inbound connection blocked

Table: DeviceEvents

Description

Firewall inbound connection blocked. WFP packet drop; Security-5152 fires for all inbound blocks at the filtering layer.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`LocalIP`
`LocalPort`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

FirewallInboundConnectionToAppBlocked: Firewall inbound connection to app blocked

Table: DeviceEvents

Description

Firewall inbound connection to app blocked. Same WFP event as inbound block; app-specific filter target is the differentiator in the action payload.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`LocalIP`
`LocalPort`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

FirewallOutboundConnectionBlocked: Firewall outbound connection blocked

Table: DeviceEvents

Description

Firewall outbound connection blocked

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteIP`
`RemotePort`
`LocalIP`
`LocalPort`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

FirewallServiceStopped: Firewall service stopped

Table: DeviceEvents

Description

Firewall service stopped. Firewall service state change; derivable-from, not one-to-one. The MDE sensor inference also rides the service-control surface.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NetworkProtectionUserBypassEvent: Network protection user bypass

Table: DeviceEvents

Description

Network protection user bypass. Defender-1129 records user-allowed Exploit Guard bypass and covers the same user-initiated override. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NetworkShareObjectAccessChecked: Network share object access checked

Table: DeviceEvents

Description

Network share object access checked

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`AccountName`
`AccountDomain`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NetworkShareObjectAdded: Network share object added

Table: DeviceEvents

Description

Network share object added

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`AccountName`
`AccountDomain`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NetworkShareObjectDeleted: Network share object deleted

Table: DeviceEvents

Description

Network share object deleted

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`AccountName`
`AccountDomain`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NetworkShareObjectModified: Network share object modified

Table: DeviceEvents

Description

Network share object modified

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`AccountName`
`AccountDomain`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SmartScreenAppWarning: SmartScreen app warning

Table: DeviceEvents

Description

SmartScreen app warning. SmartScreen-1000 is the app-warn signal; URL and reputation detail live in the engine, not the ETW payload. Engine-side decision; derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`SHA256`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SmartScreenExploitWarning: SmartScreen exploit warning

Table: DeviceEvents

Description

SmartScreen exploit warning. SmartScreen-1001 is the exploit-warn signal; same caveat as SmartScreen-1000. Engine-side decision; derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SmartScreenUrlWarning: SmartScreen URL warning

Table: DeviceEvents

Description

SmartScreen URL warning. SmartScreen-1002 is the URL-warn signal; URL string in the action payload, reputation context in the engine. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SmartScreenUserOverride: SmartScreen user override

Table: DeviceEvents

Description

SmartScreen user override. SmartScreen-1003 records the user-initiated override; engine-side decision context not in the ETW payload.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`FileName`
`InitiatingProcessFileName`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AccountCheckedForBlankPassword: Account checked for blank password

Table: DeviceEvents

Description

Account checked for blank password. MDE engine inference; no ETW source.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

AuditPolicyModification: Audit policy modified

Table: DeviceEvents

Description

Audit policy modified. Security 4719 records system audit policy changes.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

BitLockerAuditCompleted: BitLocker audit completed

Table: DeviceEvents

Description

BitLocker audit completed. MDE-side BitLocker audit summary; no native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

BluetoothPolicyTriggered: Bluetooth policy triggered

Table: DeviceEvents

Description

Bluetooth policy triggered. Device-control policy; MDE engine only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

BrowserLaunchedToOpenUrl: Browser launched to open URL

Table: DeviceEvents

Description

Browser launched to open URL. MDE sensor URL-handler interception; no Windows-native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

BruteForceActivityDetected: Brute force activity detected

Table: DeviceEvents

Description

Brute force activity detected. MDE engine inference over 4625 patterns; no single ETW event.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`RemoteIP`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

CertificateServicesApprovedCertificateRequest: Certificate Services approved certificate request

Table: DeviceEvents

Description

Certificate Services approved certificate request. CA server-side; Security audit captures the same approval on the CA host.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

CertificateServicesLoadedTemplate: Certificate Services loaded template

Table: DeviceEvents

Description

Certificate Services loaded template. Security 4898 records template load on the CA host.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

CertificateServicesReceivedCertificateRequest: Certificate Services received certificate request

Table: DeviceEvents

Description

Certificate Services received certificate request. Security 4886 records the inbound request on the CA host.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

CredentialsBackup: Credentials backed up

Table: DeviceEvents

Description

Credentials backed up. Credential Manager backup UX action; MDE-only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

DeviceBootAttestationInfo: Device boot attestation info

Table: DeviceEvents

Description

Device boot attestation info. Windows Defender System Guard attestation; MDE-only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

DirectoryServiceObjectCreated: Directory Service object created

Table: DeviceEvents

Description

Directory Service object created. Security 5137 records DS object creation on the domain controller.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

DirectoryServiceObjectModified: Directory Service object modified

Table: DeviceEvents

Description

Directory Service object modified. Security 5136 records DS object modification on the domain controller.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

DnsQueryResponse: DNS query response

Table: DeviceEvents

Description

DNS query response. DeviceEvents covers query/response pairs MDE selects as interesting; Sysmon-22 is the broader client query stream. Microsoft-Windows-DNS-Client trace logging covers the OS view but is not enabled by default.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`RemoteUrl`
`RemoteIP`
`RemotePort`
`LocalIP`
`LocalPort`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

DpapiAccessed: DPAPI accessed

Table: DeviceEvents

Description

DPAPI accessed. Defender-only; closest analog is Microsoft-Windows-Crypto-DPAPI ETW but the MDE sensor decision criterion is not surfaced there.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExternalDeviceConnected: External device connected

Table: DeviceEvents

Description

External device connected. Generic peripheral connect; Kernel-PnP covers the install side. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ExternalDeviceDisconnected: External device disconnected

Table: DeviceEvents

Description

External device disconnected. Generic peripheral disconnect; Kernel-PnP-440 covers the removal side. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

FileTimestampModificationEvent: File timestamp modified

Table: DeviceEvents

Description

File timestamp modified. MDE sensor minifilter; no Windows-native equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

GetAsyncKeyStateApiCall: GetAsyncKeyState API call

Table: DeviceEvents

Description

GetAsyncKeyState API call. Win32k-1003 is the kernel-side GetAsyncKeyState audit; the Defender Win32k filter forwards selected invocations. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

GetClipboardData: GetClipboardData API call

Table: DeviceEvents

Description

GetClipboardData API call. User32 GetClipboardData has no kernel-side ETW audit comparable to the keystate audit; MDE sensor hooks user-mode API.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

LogonRightsSettingEnabled: Logon rights setting enabled

Table: DeviceEvents

Description

Logon rights setting enabled. Security 4717 records logon right grant.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NtAllocateVirtualMemoryApiCall: NtAllocateVirtualMemory API call

Table: DeviceEvents

Description

NtAllocateVirtualMemory API call. ETW-TI 6 is KERNEL_THREATINT_TASK_ALLOCVM local-process; PPL-AntiMalware-gated. The remote-process sibling NtAllocateVirtualMemoryRemoteApiCall maps to TI-1.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

Detection Rules #

View all rules referencing this event →

Kusto #

ADWS Connection from Process Injection Target source: The query first collects all network connections to the Active Directory Web Services (ADWS) service. It then searches for processes that inject into a process that makes a connection to ADWS. This can be used to detect process injection into a process that is used to query Active Directory.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

NtProtectVirtualMemoryApiCall: NtProtectVirtualMemory API call

Table: DeviceEvents

Description

NtProtectVirtualMemory API call. ETW-TI 7 is KERNEL_THREATINT_TASK_PROTECTVM local-process; PPL-AntiMalware-gated. Remote-process counterpart maps to TI-2.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PTraceDetected: PTrace detected

Table: DeviceEvents

Description

PTrace detected. Linux-context AT; no Windows analog.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PasswordChangeAttempt: Password change attempt

Table: DeviceEvents

Description

Password change attempt. Defender-only; Security 4723/4724 only fire after successful change.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PlistPropertyModified: Plist property modified

Table: DeviceEvents

Description

Plist property modified. macOS/iOS plist; sensor-only on Windows context (no equivalent).

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PnpDeviceAllowed: PnP device allowed

Table: DeviceEvents

Description

PnP device allowed. Kernel-PnP covers driver install; device-control policy allow decisions are visible in the install lifecycle but tagged differently in DeviceEvents. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PnpDeviceBlocked: PnP device blocked

Table: DeviceEvents

Description

PnP device blocked. Driver install failures surface here for policy-blocked devices; the policy reason is not in the ETW payload. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PnpDeviceConnected: PnP device connected

Table: DeviceEvents

Description

PnP device connected. Kernel-PnP 410 captures all device install activity.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

PrintJobBlocked: Print job blocked

Table: DeviceEvents

Description

Print job blocked. Device-control policy; MDE engine only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ProcessCreatedUsingWmiQuery: Process created using WMI query

Table: DeviceEvents

Description

Process created using WMI query. WMI provider start fires for every consumer; Sysmon-1 with ParentImage=WmiPrvSE.exe is the derivable view of WMI-spawned processes. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ReadProcessMemoryApiCall: ReadProcessMemory API call

Table: DeviceEvents

Description

ReadProcessMemory API call. ETW-TI 11 is KERNEL_THREATINT_TASK_READVM local-process; PPL-AntiMalware-gated. Cross-process reads emit TI-13 (READVM remote).

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

Detection Rules #

View all rules referencing this event →

Kusto #

Process Injection Initiated By MMC source: This query searches for suspicious behavior initiated by MMC. This is done by looking at a number of actions that are commonly associated with process injection.↳ also matches CreateRemoteThreadApiCall: CreateRemoteThread API call, NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory), MemoryRemoteProtect: Remote virtual memory protection change, NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection), QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc), SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

RemoteDesktopConnection: Remote Desktop connection

Table: DeviceEvents

Description

Remote Desktop connection. RDP session establishment; LogonType=10 in 4624 is the canonical signal. Microsoft-Windows-TerminalServices-RemoteConnectionManager carries the session-broker side.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`RemoteIP`
`AdditionalFields`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

RemoteWmiOperation: Remote WMI operation

Table: DeviceEvents

Description

Remote WMI operation. WMI-Activity covers provider start; the MDE sensor adds remote-context attribution via session and authentication state. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

RemovableStorageFileEvent: Removable storage file event

Table: DeviceEvents

Description

Removable storage file event. Device-control policy decision; MDE engine only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

RemovableStoragePolicyTriggered: Removable storage policy triggered

Table: DeviceEvents

Description

Removable storage policy triggered. Device-control policy decision; MDE engine only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SafeDocFileScan: Safe Documents file scanned

Table: DeviceEvents

Description

Safe Documents file scanned. Office Protected View cloud submission; MDE-only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ScheduledTaskDisabled: Scheduled task disabled

Table: DeviceEvents

Description

Scheduled task disabled. TaskScheduler-142 is the operational-channel record; Security-4701 is the audit-channel sibling.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ScheduledTaskEnabled: Scheduled task enabled

Table: DeviceEvents

Description

Scheduled task enabled. TaskScheduler-140 is the operational-channel record; Security-4700 is the audit-channel sibling.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ScreenshotTaken: Screenshot taken

Table: DeviceEvents

Description

Screenshot taken. DLP/Insider Risk screenshot capture; MDE-only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SecurityGroupCreated: Security group created

Table: DeviceEvents

Description

Security group created. Security 4727 records security global group creation.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SecurityGroupDeleted: Security group deleted

Table: DeviceEvents

Description

Security group deleted. Security 4730 records security global group deletion.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SecurityLogCleared: Security log cleared

Table: DeviceEvents

Description

Security log cleared. Security 1102 records audit log clearance.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

SensitiveFileRead: Sensitive file read

Table: DeviceEvents

Description

Sensitive file read. DLP policy match; MDE-only.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ServiceInstalled: Service installed

Table: DeviceEvents

Description

Service installed. Security-4697 requires the Security System Extension subcategory; System-7045 fires unconditionally.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

ShellLinkCreateFileEvent: Shell link (LNK) file created

Table: DeviceEvents

Description

Shell link (LNK) file created. Sysmon-11 covers LNK file create as a regular file-create; MDE flags the .lnk subset. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`FileName`
`FolderPath`
`SHA1`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

TamperingAttempt: Tampering attempt

Table: DeviceEvents

Description

Tampering attempt. Defender-5013 records Tamper Protection state changes from the engine side. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UntrustedWifiConnection: Untrusted Wi-Fi connection

Table: DeviceEvents

Description

Untrusted Wi-Fi connection. MDE-only inference over Wi-Fi profile state; no native event.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UsbDriveDriveLetterChanged: USB drive letter changed

Table: DeviceEvents

Description

USB drive letter changed. MDE-only inference over Kernel-PnP and Mountpoint API; no single ETW event.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UsbDriveMounted: USB drive mounted

Table: DeviceEvents

Description

USB drive mounted. Mount events are derivable from device-install activity; the OS view is in Kernel-PnP, MDE adds drive-letter and policy context. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UsbDriveUnmounted: USB drive unmounted

Table: DeviceEvents

Description

USB drive unmounted. Removal events surface via Kernel-PnP 440; same caveat as UsbDriveMounted. Derivable-from, not one-to-one.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UserAccountCreated: User account created

Table: DeviceEvents

Description

User account created. Security 4720 records user account creation.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UserAccountDeleted: User account deleted

Table: DeviceEvents

Description

User account deleted. Security 4726 records user account deletion.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UserAccountModified: User account modified

Table: DeviceEvents

Description

User account modified. Security 4738 records user account changes.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

UserAccountPasswordResetAttempt: User account password reset attempt

Table: DeviceEvents

Description

User account password reset attempt. 4723 records self password change; 4724 records admin-initiated reset. Distinct actions, not sensor-equivalent.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AccountName`
`AccountDomain`
`AccountSid`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

WmiBindEventFilterToConsumer: WMI EventFilter bound to consumer

Table: DeviceEvents

Description

WMI EventFilter bound to consumer. Sysmon-21 and WMI-Activity-5861 both record the FilterToConsumerBinding registration.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`AdditionalFields`
`InitiatingProcessFileName`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

WriteToLsassProcessMemory: Write to LSASS process memory

Table: DeviceEvents

Description

Write to LSASS process memory. ETW-TI 14 is KERNEL_THREATINT_TASK_WRITEVM remote-process (cross-process write to LSASS); LSASS-target filtering is downstream of the ETW source. PPL-AntiMalware-gated.

Fields #

Name	Description
`DeviceId`
`Timestamp`
`ProcessId`
`InitiatingProcessFileName`
`InitiatingProcessCommandLine`

References #

Microsoft Defender XDR: advanced hunting reference https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-deviceevents-table
xdrinternals: XDR table schema https://xdrinternals.com/docs/microsoftxdr/devices/deviceevents/

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)