|
| 1 | +--- |
| 2 | +title: DisruptionAndResponseEvents table in the advanced hunting schema |
| 3 | +description: Learn about the DisruptionAndResponseEvents table in the advanced hunting schema |
| 4 | +search.appverid: met150 |
| 5 | +ms.service: defender-xdr |
| 6 | +ms.subservice: adv-hunting |
| 7 | +f1.keywords: |
| 8 | + - NOCSH |
| 9 | +ms.author: maccruz |
| 10 | +author: schmurky |
| 11 | +ms.localizationpriority: medium |
| 12 | +manager: dansimp |
| 13 | +audience: ITPro |
| 14 | +ms.collection: |
| 15 | +- m365-security |
| 16 | +- tier3 |
| 17 | +ms.custom: |
| 18 | +- cx-ti |
| 19 | +- cx-ah |
| 20 | +ms.topic: reference |
| 21 | +ms.date: 06/11/2025 |
| 22 | +--- |
| 23 | + |
| 24 | +# DisruptionAndResponseEvents (Preview) |
| 25 | + |
| 26 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | +> [!IMPORTANT] |
| 31 | +> Some information relates to prereleased product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. |
| 32 | +
|
| 33 | + |
| 34 | +The `DisruptionAndResponseEvents` table in the [advanced hunting](advanced-hunting-overview.md) contains information about [automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads. |
| 35 | + |
| 36 | +Users can use this table to increase their visibility and awareness of active, complex attacks disrupted by automatic attack disruption. Understanding the scope of even complex attacks, their context, impact, and why disruption actions were taken, can help users make better and faster decisions and allocate resources more efficiently. |
| 37 | + |
| 38 | +This advanced hunting table is populated by records from various Microsoft security services. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return complete results. For more information about how to deploy supported services in Defender XDR, read [Deploy supported services](deploy-supported-services.md). |
| 39 | + |
| 40 | +Use this reference to construct queries that return information from this table. |
| 41 | + |
| 42 | +> [!TIP] |
| 43 | +> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR. |
| 44 | +
|
| 45 | +For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). |
| 46 | + |
| 47 | + |
| 48 | +| Column name | Data type | Description | |
| 49 | +|-------------|-----------|-------------| |
| 50 | +| `Timestamp` | `datetime` | Date and time when the event was recorded | |
| 51 | +| `ActionType` | `string` | Type of disruption action taken, for example: ContainedUserLogonBlocked, ContainedUserSmbFileOpenBlocked, SafeBootGuardApplied | |
| 52 | +| `DeviceId` | `string` | Unique identifier for the device that reported the event; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack | |
| 53 | +| `SourceDeviceId` | `string` | Unique identifier for the device that the attack originated from | |
| 54 | +| `TargetDeviceId` | `string` | Unique identifier for the device that was targeted or attacked | |
| 55 | +| `TargetDeviceName ` | `string` | Name of the device that was targeted or attacked | |
| 56 | +| `TargetDomainName ` | `string` | Domain name of the device that was targeted or attacked | |
| 57 | +| `DeviceName` | `string` | Name of the device that reported the event; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack | |
| 58 | +| `DomainName` | `string` | Domain name that the device that reported the event is joined to; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack | |
| 59 | +| `InitiatingProcessId` | `integer` | Process ID (PID) of the process that triggered that block action, based on the perspective of the reporting device | |
| 60 | +| `InitiatingProcessFileName` | `string` |Name of the process that triggered the block action, based on the perspective of the reporting device | |
| 61 | +| `SourceUserSid` | `string` | The security identifier of the account conducting the malicious activity | |
| 62 | +| `SourceUserName` | `string` | The user name of the account conducting the malicious activity | |
| 63 | +| `SourceUserDomainName` | `string` | The domain name of the account conducting the malicious activity | |
| 64 | +| `SourceIPAddress` | `string` | IP address where the attacker communication originated from and was blocked by automatic attack disruption | |
| 65 | +| `SourcePort` | `integer` | Port where the attacker communication originated from | |
| 66 | +| `IPAddress` | `string` | IP address that the attacker attempted to access | |
| 67 | +| `Port` | `string` | Port that the attacker attempted to access | |
| 68 | +| `SourceDeviceName` | `string` | Host name of the device where the attack originated from | |
| 69 | +| `SourceDomainName` | `string` | Domain name of the device where the attack originated from | |
| 70 | +| `AuthenticationProtocol` | `string` | Authentication protocol that the compromised user used to sign in; possible values: Undefined, NTLM, Kerberos | |
| 71 | +| `Service` | `string` | Name of the service the attacker attempted to use, if the attacker signed in using Kerberos or NTLM; for example: SMB, HTTP, cifs, SMB, host, ldap, SMB, krbtgt | |
| 72 | +| `InterfaceUuidSourceDomainName` | `string` | Unique identifier (UUID) for the Remote Procedure Call (RPC) interface that the attacker attempted to access | |
| 73 | +| `InterfaceFriendlyName` | `string` |Friendly name of the interface represented by the interface UUID | |
| 74 | +| `FileName` | `string` | Name of the file that the attacker attempted to access | |
| 75 | +| `ShareName` | `string` | Name of the share location that the attacker attempted to access | |
| 76 | +| `LogonType` | `string` | Type of logon session the user attempted; possible values: interactive, remote interactive (RDP), network, batch job, service | |
| 77 | +| `LogonId ` | `long` | Identifier for a logon session; this is unique on the same device only between restarts | |
| 78 | +| `SessionId ` | `long` | Unique number assigned to a user by a website's server for the duration of the visit or session | |
| 79 | +| `CompromisedAccountCount` | `integer` | Number of compromised accounts that are part of the policy | |
| 80 | +| `PolicyId` | `string` | Unique identifier for the policy | |
| 81 | +| `PolicyName` | `string` | Name of the policy | |
| 82 | +| `PolicyVersion` | `string` | Version of the policy | |
| 83 | +| `PolicyHash` | `string` | Unique hash of the policy | |
| 84 | +| `DataSources` | `array` |Products or services that provided information for the event; for example: Microsoft Defender for Endpoint | |
| 85 | +| `IsPolicyOn` | `boolean` |Indicates the current state of the policy on the device at the time of the disruption event; possible values: true (the policy is on, therefore it was applied or enforced), false (the policy was turned off or revoked from the device) | |
| 86 | +|`ReportType` | `string` | The nature and impact level of the reported event; possible values: Prevented (the action, such as a connection or authentication attempt, was fully blocked before execution), Blocked (an active connection or session was forcibly terminated, with partial impact on the device), PolicyUpdated (the client received and possibly applied a new policy) | |
| 87 | + |
| 88 | +## Related topics |
| 89 | +- [Advanced hunting overview](advanced-hunting-overview.md) |
| 90 | +- [Learn the query language](advanced-hunting-query-language.md) |
| 91 | +- [Use shared queries](advanced-hunting-shared-queries.md) |
| 92 | +- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md) |
| 93 | +- [Understand the schema](advanced-hunting-schema-tables.md) |
| 94 | +- [Apply query best practices](advanced-hunting-best-practices.md) |
![m365-skilling-repo-management[bot]](https://avatars.githubusercontent.com/in/1161012?v=4&size=40){kind=avatar}
0 commit comments