File: defender-xdr/advanced-hunting-disruptionandresponseevents-table.md
Lines changed: 15 additions & 9 deletions
@@ -27,7 +27,13 @@ ms.date: 06/11/2025
27
27
28
28
29
29
30
-
The `DisruptionAndResponseEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information automatic attack disruption events in Microsoft Defender for Endpoint. [ADD MORE DESCRIPTION] Use this reference to construct queries that return information from this table.
30
+
The `DisruptionAndResponseEvents` table in the [advanced hunting](advanced-hunting-overview.md) contains information about [automatic attack disruption](automatic-attack-disruption.md) events in Microsoft Defender XDR. These events include both block and policy application events related to triggered attack disruption policies, and automatic actions that were taken across related workloads.
31
+
32
+
Users can use this table to increase their visibility and awareness of active, complex attacks disrupted by automatic attack disruption. Understanding the scope of even complex attacks, their context, impact, and why disruption actions were taken, can help users make better and faster decisions and allocate resources more efficiently.
33
+
34
+
This advanced hunting table is populated by records from various Microsoft security services. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return complete results. For more information about how to deploy supported services in Defender XDR, read [Deploy supported services](deploy-supported-services.md).
35
+
36
+
Use this reference to construct queries that return information from this table.
31
37
32
38
> [!TIP]
33
39
> For detailed information about the events types (`ActionType` values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
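Review bot: The rewritten first sentence drops the word "schema" after the [advanced hunting](advanced-hunting-overview.md) link, so it now reads "table in the advanced hunting contains"; restore it as `The `DisruptionAndResponseEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about ...`. In the added deployment paragraph, "If your organization hasn't deployed the service" follows "populated by records from various Microsoft security services", so it is unclear which service gates this table; either name the service(s) whose records feed it or say "these services". Minor, in the unchanged TIP just below: "the events types" should be "the event types", and could be fixed in the same commit.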
@@ -39,18 +45,18 @@ For information on other tables in the advanced hunting schema, [see the advance
39
45
|-------------|-----------|-------------|
40
46
|`Timestamp`|`datetime`| Date and time when the event was recorded |
41
47
|`ActionType`|`string`| Type of disruption action taken |
42
-
|`DeviceId`|`string`| Unique identifier for the device that reported the event; the reporting device can be the device that reported the event, the device that blocked the access, or the compromised device itself |
43
-
|`SourceDeviceId`|`string`| Unique identifier for the device that blocked the traffic or access attempt|
44
-
|`TargetDeviceId`|`string`| Unique identifier for the device that was contained by other devices in the network |
48
+
|`DeviceId`|`string`| Unique identifier for the device that reported the event; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack|
49
+
|`SourceDeviceId`|`string`| Unique identifier for the device that the attack originated from|
50
+
|`TargetDeviceId`|`string`| Unique identifier for the device that was targeted or attacked|
45
51
|`TargetDeviceName `|`string`| Name of the device that the compromised account attempted to access |
46
52
|`TargetDomainName `|`string`| Domain name of the device that the compromised account attempted to access |
47
-
|`DeviceName`|`string`| Name of the device that reported the event; the reporting device can be the device that reported the event, the device that blocked the access, or the compromised device itself |
48
-
|`DomainName`|`string`| Domain name that the device that reported the event is joined to; the reporting device can be the device that reported the event, the device that blocked the access, or the compromised device itself |
53
+
|`DeviceName`|`string`| Name of the device that reported the event; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack|
54
+
|`DomainName`|`string`| Domain name that the device that reported the event is joined to; the reporting device can be the one that blocked the access, the compromised device itself, or even a different device that is aware of the attack|
49
55
|`InitiatingProcessId `|`integer`| Process ID (PID) of the process that triggered that block action, based on the perspective of the device that logged the event |
50
56
|`InitiatingProcessFileName`|`string`|Name of the process that triggered the block action, based on the perspective of the device that logged the event |
51
-
|`SourceUserSid`|`string`| The compromised account’s security identifier|
52
-
|`SourceUserName`|`string`| The compromised account’s user name|
53
-
|`SourceUserDomainName`|`string`| The compromised account’s domain name|
57
+
|`SourceUserSid`|`string`| The security identifier of the account where the attack originated from|
58
+
|`SourceUserName`|`string`| The user name of the account where the attack originated from|
59
+
|`SourceUserDomainName`|`string`| The domain name of the account where the attack originated from |
54
60
|`SourceIPAddress`|`string`| IP address where the attacker communication came from, if the IP was not blocked by automatic attack disruption |
55
61
|`SourcePort`|`integer`| Port where the attacker communication came from |
56
62
|`IPAddress`|`string`| IP address that was blocked by automatic attack disruption |
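Review bot: The new definitions of `SourceDeviceId` ("device that the attack originated from") and `TargetDeviceId` ("device that was targeted or attacked") are no longer consistent with the unchanged `TargetDeviceName` and `TargetDomainName` rows, which still describe "the device that the compromised account attempted to access", nor with the rewritten `SourceUserSid`/`SourceUserName`/`SourceUserDomainName` rows, which now speak of "the account where the attack originated from" while the Target rows still refer to a "compromised account"; update those two rows so a query author can tell that `TargetDeviceName` is the name of the device in `TargetDeviceId`. Style: "the device that the attack originated from" reads better as "the device from which the attack originated" (same for the three account rows), and the `+` rows for `DeviceId`, `SourceDeviceId`, `TargetDeviceId`, `DeviceName` and `DomainName` end the cell with no space before the closing `|`, unlike the rest of the table. The unchanged `TargetDeviceName `, `TargetDomainName ` and `InitiatingProcessId ` cells carry a trailing space inside the backticks that renders as part of the column name; worth fixing while this table is being touched.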