Windows-itpro-docs: MDATP Advanced Hunting table name changes
Advanced Hunting table names have changed to:
- DeviceAlertEvents
- DeviceInfo
- DeviceNetworkInfo
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceFileEvents
*DeviceRegistryEvents - DeviceLogonEvents
- DeviceImageLoadEvents
- DeviceEvents
- DeviceTvmSoftwareInventoryVulnerabilities
- DeviceTvmSoftwareVulnerabilitiesKB
- DeviceTvmSecureConfigurationAssessment
- DeviceTvmSecureConfigurationAssessmentKB
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 465c3bf3-a207-3113-1052-f237a224ebfb
- Version Independent ID: 733dac2c-2e47-8c0e-a0c1-fd925c3184ea
- Content: Advanced hunting schema reference - Windows security
- Content Source: windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
- Product: w10
- Technology: windows
- GitHub Login: @lomayor
- Microsoft Alias: lomayor
iadgovuser1
All 5 comments
@lomayor
Looks like one was missed in the update AlertEvents should be DeviceAlertEvents.
iadgovuser1
on 9 Jan 2020
@lomayor
Here are a few other small changes needed related to this:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table - "The AlertEvents table" needs to be changed to "The DeviceAlertEvents table".
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table - "The DeviceImageLoadEvents table in" The word 'table' is highlighted when it should only be the table name that is highlighted.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table - "The DeviceTvmSoftwareInventoryVulnerabilities table" needs to be changed to "The DeviceTvmSoftwareInventoryVulnerabilitiesKB table".
iadgovuser1
on 9 Jan 2020
Hello, As someone who consumes the advanced_queries api resource these recent changes without any sort of versioning or even documented change log has caused a significant disruption. Is there any plan in the future to provide a warning before breaking changes such as these are made to the api?
benkawecki-expel
on 13 Jan 2020
@benkawecki-expel The change was announced December 3: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914 and even farther back on August 27: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152
iadgovuser1
on 14 Jan 2020
Thanks everyone for chiming in.
@benkawecki-expel, old names will continue to work for several months to give folks the chance to fully transition. I do need to check how we are monitoring use of old names and whether we need to provided additional guidance for when we fully retire them.
@iadgovuser1, appreciate the feedback as always. All issues you've listed have been fixed.
Closing this case, but feel free to open a new one anytime.
lomayor
on 23 Jan 2020
Related issues
ATR-Master
·
3Comments
iadgovuser1
·
3Comments
sundhaug92
·
3Comments
ang216
·
3Comments
SwiftOnSecurity
·
3Comments
Most helpful comment
@benkawecki-expel The change was announced December 3: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914 and even farther back on August 27: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-updates-usb-events-machine-level-actions-and/ba-p/824152