Merge pull request #1966 from MicrosoftDocs/samanthagy-tvmtables

TVM tables

Author: padmagit77

defender-xdr/TOC.yml

@@ -305,7 +305,13 @@
                 - name: CloudAuditEvents
                   href: advanced-hunting-cloudauditevents-table.md
                 - name: CloudProcessEvents
-                  href: advanced-hunting-cloudprocessevents-table.md                  
+                  href: advanced-hunting-cloudprocessevents-table.md                     
+                - name: DeviceBaselineComplianceAssessment
+                  href: advanced-hunting-devicebaselinecomplianceassessment-table.md
+                - name: DeviceBaselineComplianceAssessmentKB
+                  href: advanced-hunting-devicebaselinecomplianceassessmentkb-table.md
+                - name: DeviceBaselineComplianceProfiles
+                  href: advanced-hunting-devicebaselinecomplianceprofiles-table.md     
                 - name: DeviceEvents
                   href: advanced-hunting-deviceevents-table.md
                 - name: DeviceFileCertificateInfo
@@ -326,6 +332,12 @@
                   href: advanced-hunting-deviceprocessevents-table.md
                 - name: DeviceRegistryEvents
                   href: advanced-hunting-deviceregistryevents-table.md
+                - name: DeviceTvmBrowserExtensions
+                  href: advanced-hunting-devicetvmbrowserextensions-table.md
+                - name: DeviceTvmBrowserExtensionsKB
+                  href: advanced-hunting-devicetvmbrowserextensionskb-table.md
+                - name: DeviceTvmCertificateInfo
+                  href: advanced-hunting-devicetvmcertificateinfo-table.md
                 - name: DeviceTvmHardwareFirmware
                   href: advanced-hunting-devicetvmhardwarefirmware-table.md
                 - name: DeviceTvmInfoGathering

defender-xdr/advanced-hunting-cloudauditevents-table.md

@@ -21,7 +21,7 @@ ms.topic: reference
 ms.date: 12/29/2023
 ---
 
-# CloudAuditEvents
+# CloudAuditEvents (Preview)
 
 [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
 

defender-xdr/advanced-hunting-devicebaselinecomplianceassessment-table.md

@@ -0,0 +1,64 @@
+---
+title: DeviceBaselineComplianceAssessment table in the advanced hunting schema
+description: Learn about the baseline compliance assessment snapshot, indicating the status of various security configurations related to baseline profiles on devices in Microsoft Defender XDR.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceBaselineComplianceAssessment (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceBaselineComplianceAssessment` table in the advanced hunting schema contains baseline compliance assessment snapshot, which indicates the status of various security configurations related to baseline profiles on devices. 
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DeviceId` | `string` | Unique identifier for the device in the service |
+| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |
+| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |
+| `OSVersion` | `string` | Version of the operating system running on the device |
+| `ConfigurationId` | `string` | Unique identifier for a specific configuration |
+| `ProfileId` | `string` | Unique identifier for the profile |
+| `IsCompliant` | `boolean` | Indicates whether the device that initiated the event is compliant or not |
+| `IsApplicable` | `boolean` | Indicates whether the configuration or policy is applicable |
+| `Source` | `dynamic` | The registry path or other location used to determine the current device setting |
+| `RecommendedValue` | `dynamic` | Set of expected values for the current device setting to be compliant |
+| `CurrentValue` | `dynamic` | Set of detected values found on the device |
+| `IsExempt` | `boolean` | Indicates whether the device is exempt from having the baseline configuration |
+
+
+## Related topics
+
+- [Proactively hunt for threats](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-devicebaselinecomplianceassessmentkb-table.md

@@ -0,0 +1,62 @@
+---
+title: DeviceBaselineComplianceAssessmentKB table in the advanced hunting schema
+description: Learn about the various security configurations used by baseline compliance to assess devices in the DeviceBaselineComplianceAssessmentKB table in the advanced hunting schema.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceBaselineComplianceAssessmentKB (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceBaselineComplianceAssessmentKB` table in the advanced hunting schema contains information about various security configurations used by baseline compliance to assess devices.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `ConfigurationId` | `string` | Unique identifier for a specific configuration |
+| `ConfigurationName` | `string` | Display name of the configuration |
+| `ConfigurationDescription` | `string` | Description of the configuration |
+| `ConfigurationRationale` | `string` | Description of any associated risks and rationale behind the configuration |
+| `ConfigurationCategory` | `string` | Category or grouping to which the configuration belongs |
+| `BenchmarkProfileLevels` | `dynamic` | List of benchmark compliance levels for which the configuration is applicable |
+| `CCEReference` | `string` | Unique Common Configuration Enumeration (CCE) identifier for the configuration |
+| `RemediationOptions` | `string` | Recommended actions to reduce or address any associated risks |
+| `ConfigurationBenchmark` | `string` | Industry benchmark recommending the configuration |
+| `Source` | `dynamic` | The registry path or other location used to determine the current device setting |
+| `RecommendedValue` | `dynamic` | Set of expected values for the current device setting to be compliant |
+
+
+## Related topics
+
+- [DeviceBaselineComplianceAssessment](advanced-hunting-devicebaselinecomplianceassessment-table.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview of Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-devicebaselinecomplianceprofiles-table.md

@@ -0,0 +1,64 @@
+---
+title: DeviceBaselineComplianceProfiles table in the advanced hunting schema
+description: Learn about the baseline profiles used for monitoring device baseline compliance in the DeviceBaselineComplianceProfiles table in the advanced hunting schema.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceBaselineComplianceProfiles (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceBaselineComplianceProfiles` table in the advanced hunting schema contains baseline profiles used for monitoring device baseline compliance. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `ProfileId` | `string` | Unique identifier for the profile |
+| `ProfileName` | `string` | Display name of the profile |
+| `ProfileDescription` | `string` | Optional description providing additional information related to the profile |
+| `OSPlatform` | `dynamic` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7.  |
+| `OSVersion` | `string` | Version of the operating system running on the device |
+| `BaseBenchmark` | `string` | Industry benchmark on top of which the profile was created |
+| `BenchmarkVersion` | `string` | Version of the industry benchmark on top of which the profile was created  |
+| `BenchmarkProfileLevel` | `string` | Benchmark compliance level set for the profile |
+| `Status` | `boolean` | Indicator of the profile status - can be Enabled or Disabled |
+| `CreatedBy` | `string` | Identity of the user account who created the profile |
+| `CreatedOn` | `datetime` | Date and time when the profile was created |
+| `LastUpdatedBy` | `string` | Identity of the user account who last updated the profile |
+| `LastUpdatedOn` | `datetime` | Date and time when the profile was last updated |
+
+
+## Related topics
+
+- [Proactively hunt for threats](advanced-hunting-overview.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-devicetvmbrowserextensions-table.md

@@ -0,0 +1,63 @@
+---
+title: DeviceTvmBrowserExtensions table in the advanced hunting schema
+description: Learn about browser extension installations found on devices as shown in Microsoft Defender Vulnerability Management.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceTvmBrowserExtensions (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+Each row in the `DeviceTvmBrowserExtensions` table contains information about browser extension installations found on devices from [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt).
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `DeviceId` | `string` | Unique identifier for the device in the service |
+| `BrowserName` | `string` | Name of the web browser with the extension |
+| `ExtensionId` | `string` | Unique identifier for the browser extension |
+| `ExtensionName` | `string` | Name of the extension |
+| `ExtensionDescription` | `string` | Description from the publisher about the extension |
+| `ExtensionVersion` | `string` | Version number of the extension |
+| `ExtensionRisk` | `string` | Risk level for the extension based on the permissions it has requested |
+| `ExtensionVendor` | `string` | Name of the vendor offering the extension |
+| `IsActivated` | `string` | Whether the extension is turned on or off on the devices |
+| `InstallationTime` | `datetime` | Date and time when the browser extension was first installed |
+
+
+## Related topics
+
+- [Proactively hunt for threats](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]

defender-xdr/advanced-hunting-devicetvmbrowserextensionskb-table.md

@@ -0,0 +1,65 @@
+---
+title: DeviceTvmBrowserExtensionsKB table in the advanced hunting schema
+description: Learn about the various browser extension details and permission information used in the Microsoft Defender Vulnerability Management browser extensions page in the DeviceTvmBrowserExtensionsKB table in the advanced hunting schema.
+search.appverid: met150
+ms.service: defender-xdr
+ms.subservice: adv-hunting
+f1.keywords: 
+  - NOCSH
+ms.author: v-sgoyagoy
+author: samanthagy
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: 
+- m365-security
+- tier3
+ms.custom: 
+- cx-ti
+- cx-ah
+ms.topic: reference
+ms.date: 11/20/2024
+---
+
+# DeviceTvmBrowserExtensionsKB (Preview)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)]
+
+
+**Applies to:**
+- Microsoft Defender XDR
+- Microsoft Defender for Endpoint
+
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The `DeviceTvmBrowserExtensionsKB` table in the advanced hunting schema contains information about browser extension details and permission information used in [Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) browser extensions page.
+
+For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-schema-tables.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| `BrowserName` | `string` | Name of the web browser with the extension |
+| `ExtensionId` | `string` | Unique identifier for the browser extension |
+| `ExtensionName` | `string` | Name of the extension |
+| `ExtensionDescription` | `string` | Description from the publisher about the extension |
+| `ExtensionVersion` | `dynamic` | Version number of the extension |
+| `ExtensionRisk` | `string` | Risk level for the extension based on the permissions it has requested |
+| `PermissionId` | `string` | Unique identifier for the permission |
+| `PermissionName` | `string` | Name given to each permission based on what the extension is asking for |
+| `PermissionDescription` | `string` | Explanation of what the permission is supposed to do |
+| `PermissionRisk` | `string` | Risk level for the permission based on the type of access it would allow |
+| `IsPermissionRequired` | `string` | Whether the permission is required for the extension to run, or optional |
+
+
+## Related topics
+
+- [Proactively hunt for threats](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Use shared queries](advanced-hunting-shared-queries.md)
+- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
+- [Apply query best practices](advanced-hunting-best-practices.md)
+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)]