Defender-DeviceEvents

27 ActionTypes

ActionType | Title
any | Defender event (any)
PowerShellCommand | PowerShell command executed
AmsiScriptDetected | AMSI script detected
AmsiScriptContent | AMSI script content captured
CreateRemoteThreadApiCall | CreateRemoteThread API call
ProcessInjectionDetected | Process injection detected
NamedPipeEvent | Named pipe event
UserAccountAddedToLocalGroup | User account added to local group
UserAccountRemovedFromLocalGroup | User account removed from local group
AsrAuditEvent | ASR audit event
AsrLsassCredentialTheftAudited | ASR — LSASS credential theft (audited)
AsrOfficeChildProcessAudited | ASR — Office child process (audited)
AntivirusReport | Antivirus report
ScheduledTaskCreated | Scheduled task created
ScheduledTaskDeleted | Scheduled task deleted
ScheduledTaskUpdated | Scheduled task updated
OpenProcessApiCall | Process opened (OpenProcess API call)
ProcessPrimaryTokenModified | Process primary token modified
LdapSearch | LDAP search
ClrUnbackedModuleLoaded | CLR unbacked module loaded
AsrUntrustedExecutableAudited | ASR untrusted executable (audited)
DriverLoad | Driver loaded
NtAllocateVirtualMemoryRemoteApiCall | Remote virtual memory allocation (NtAllocateVirtualMemory)
MemoryRemoteProtect | Remote virtual memory protection change
NtMapViewOfSectionRemoteApiCall | Remote section map (NtMapViewOfSection)
QueueUserApcRemoteApiCall | Remote APC queued (QueueUserApc)
SetThreadContextRemoteApiCall | Remote thread context change (SetThreadContext)

any: Defender event (any)

Provider: Defender-DeviceEvents
Channel: DeviceEvents

Description

Defender event (any) — DeviceEvents is a catch-all; bridges only apply per-ActionType.

Fields

DeviceId, Timestamp, ActionType, AdditionalFields, InitiatingProcessFileName, InitiatingProcessCommandLine

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
user | is_not_null | | 1 rule | kusto, splunk
DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk
parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk
EventType | eq | ConnectionSuccess | 1 rule | kusto

Detection Rules

Kusto: 6 rules

PowerShellCommand: PowerShell command executed

Provider: Defender-DeviceEvents
Channel: PowerShellCommand

Description

PowerShell command executed — PowerShell ScriptBlockLogging captures the same surface.

Fields

DeviceId, Timestamp, AdditionalFields, InitiatingProcessFileName, InitiatingProcessCommandLine

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | eq | PowerShellCommand | 1 rule | kusto

Detection Rules

Kusto:

  • Suspicious Powershell Commandlet Executed (medium): This analytic rule detects when a suspicious PowerShell commandlet is executed on a host. Threat actors often use PowerShell to execute commands and scripts to move laterally, escalate privileges, and exfiltrate data.

AmsiScriptDetected: AMSI script detected

Provider: Defender-DeviceEvents
Channel: AmsiScriptDetected

Description

AMSI script detected — Defender-only; no Windows-native equivalent.

Fields

DeviceId, Timestamp, AdditionalFields, InitiatingProcessFileName

AmsiScriptContent: AMSI script content captured

Provider: Defender-DeviceEvents
Channel: AmsiScriptContent

Description

AMSI script content captured — Defender-only; no Windows-native equivalent.

Fields

DeviceId, Timestamp, AdditionalFields

Common Indicators

Field | Kind | Value | Rules | Vendors
parent_process_name | eq | powershell.exe | 1 rule | elastic, kusto, splunk

Detection Rules

Kusto:

  • Deimos Component Execution (high): Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising in order to successfully encourage users to download malicious templates and documents. This malware has been popular since 2020 and currently is still active as of 2021.

CreateRemoteThreadApiCall: CreateRemoteThread API call

Provider: Defender-DeviceEvents
Channel: CreateRemoteThreadApiCall

Description

CreateRemoteThread API call

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | in | CreateRemoteThreadApiCall | 3 rules | kusto
EventType | in | QueueUserApcRemoteApiCall | 3 rules | kusto
EventType | in | SetThreadContextRemoteApiCall | 3 rules | kusto
EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto
EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto
parent_process_name | in | excel.exe | 1 rule | kusto, splunk
parent_process_name | in | winword.exe | 1 rule | kusto, splunk
parent_process_name | in | powerpnt.exe | 1 rule | kusto, splunk
DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk
parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk
EventType | eq | ConnectionSuccess | 1 rule | kusto

Detection Rules

Kusto: 4 rules

ProcessInjectionDetected: Process injection detected

Provider: Defender-DeviceEvents
Channel: ProcessInjectionDetected

Description

Process injection detected — Defender-only; no Windows-native equivalent.

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

NamedPipeEvent: Named pipe event

Provider: Defender-DeviceEvents
Channel: NamedPipeEvent

Description

Named pipe event

Fields

DeviceId, Timestamp, FileName, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | eq | NamedPipeEvent | 2 rules | kusto

Detection Rules

Kusto

UserAccountAddedToLocalGroup: User account added to local group

Provider: Defender-DeviceEvents
Channel: UserAccountAddedToLocalGroup

Description

User account added to local group

Fields

DeviceId, Timestamp, AccountName, AdditionalFields

Detection Rules

Kusto

UserAccountRemovedFromLocalGroup: User account removed from local group

Provider: Defender-DeviceEvents
Channel: UserAccountRemovedFromLocalGroup

Description

User account removed from local group

Fields

DeviceId, Timestamp, AccountName, AdditionalFields

AsrAuditEvent: ASR audit event

Provider: Defender-DeviceEvents
Channel: AsrAuditEvent

Description

ASR audit event — Defender ASR audit; loosely maps to Defender-1121 channel events.

Fields

DeviceId, Timestamp, AdditionalFields, InitiatingProcessFileName

AsrLsassCredentialTheftAudited: ASR — LSASS credential theft (audited)

Provider: Defender-DeviceEvents
Channel: AsrLsassCredentialTheftAudited

Description

ASR — LSASS credential theft (audited) — Defender ASR; no native equivalent.

Fields

DeviceId, Timestamp, InitiatingProcessFileName

AsrOfficeChildProcessAudited: ASR — Office child process (audited)

Provider: Defender-DeviceEvents
Channel: AsrOfficeChildProcessAudited

Description

ASR — Office child process (audited) — Defender ASR; no native equivalent.

Fields

DeviceId, Timestamp, InitiatingProcessFileName, FileName

AntivirusReport: Antivirus report

Provider: Defender-DeviceEvents
Channel: AntivirusReport

Description

Antivirus report — Defender AV; loosely maps to Defender-1116/1117 detected/quarantined events.

Fields

DeviceId, Timestamp, FileName, FolderPath, AdditionalFields

ScheduledTaskCreated: Scheduled task created

Provider: Defender-DeviceEvents
Channel: ScheduledTaskCreated

Description

Scheduled task created

Fields

DeviceId, Timestamp, AdditionalFields, InitiatingProcessFileName

ScheduledTaskDeleted: Scheduled task deleted

Provider: Defender-DeviceEvents
Channel: ScheduledTaskDeleted

Description

Scheduled task deleted

Fields

DeviceId, Timestamp, AdditionalFields, InitiatingProcessFileName

ScheduledTaskUpdated: Scheduled task updated

Provider: Defender-DeviceEvents
Channel: ScheduledTaskUpdated

Description

Scheduled task updated

Fields

DeviceId, Timestamp, AdditionalFields, InitiatingProcessFileName

OpenProcessApiCall: Process opened (OpenProcess API call)

Provider: Defender-DeviceEvents
Channel: OpenProcessApiCall

Description

Process opened (OpenProcess API call) — Sysmon-10 is ProcessAccess; Kernel-Audit-API-Calls-5 (TargetProcessId / DesiredAccess / ReturnCode) is the same kernel audit hook MDE consumes and any admin ETW session can collect.

Fields

DeviceId, Timestamp, FileName, ProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine

ProcessPrimaryTokenModified: Process primary token modified

Provider: Defender-DeviceEvents
Channel: ProcessPrimaryTokenModified

Description

Process primary token modified — Security-4696 (primary token assigned) is a bridge candidate, but assigned-at-creation vs replaced-in-place semantics are unverified, so no bridge yet.

Fields

DeviceId, Timestamp, ProcessId, AccountName, InitiatingProcessFileName

LdapSearch: LDAP search

Provider: Defender-DeviceEvents
Channel: LdapSearch

Description

LDAP search — Client-side LDAP query telemetry (search filter in AdditionalFields). ETW equivalent is Microsoft-Windows-LDAP-Client's search-call events; bridge deferred until the exact event-id is verified against a captured trace (the manifest carries no event names).

Fields

DeviceId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields

ClrUnbackedModuleLoaded: CLR unbacked module loaded

Provider: Defender-DeviceEvents
Channel: ClrUnbackedModuleLoaded

Description

CLR unbacked module loaded — Derivable-from, not one-to-one: DotNETRuntime-152 (ModuleLoad) fires for every CLR module; 'unbacked' (no disk-backed image) is a filter over the module-flags payload. CLR ETW is emitted inside the (potentially attacker-controlled) process and can be patched out; the MDE sensor copy is the tamper-resistant variant.

Fields

DeviceId, Timestamp, InitiatingProcessFileName, AdditionalFields

Common Indicators

Field | Kind | Value | Rules | Vendors
parent_process_name | in | cscript.exe | 1 rule | kusto, splunk
parent_process_name | in | mmc.exe | 1 rule | kusto, splunk
parent_process_name | in | wscript.exe | 1 rule | kusto, splunk
parent_process_name | in | mshta.exe | 1 rule | kusto

Detection Rules

Kusto:

  • Script Interpreter Loading DotNet Assembly From Memory: The query searches for script interpreters (mmc.exe, mshta.exe, wscript.exe, and cscript.exe) loading .NET assemblies from memory. In the case of the MMC executable, the query also checks for the MSC file that was loaded, as some legitimate MSC files are known to load .NET assemblies via MMC.

AsrUntrustedExecutableAudited: ASR untrusted executable (audited)

Provider: Defender-DeviceEvents
Channel: AsrUntrustedExecutableAudited

Description

ASR untrusted executable (audited) — Block-mode ASR siblings map to Defender-1121.

Fields

DeviceId, Timestamp, FileName, FolderPath, InitiatingProcessFileName

Detection Rules

Kusto

DriverLoad: Driver loaded

Provider: Defender-DeviceEvents
Channel: DriverLoad

Description

Driver loaded — ETW-TI requires a PPL/ELAM-signed consumer; Sysmon-6 is the collectible equivalent for non-MDE environments.

Fields

DeviceId, Timestamp, FileName, FolderPath, SHA1, SHA256

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | eq | DriverLoad | 2 rules | kusto
dcount_DeviceId | le | 5 | 1 rule | kusto

Detection Rules

Kusto

NtAllocateVirtualMemoryRemoteApiCall: Remote virtual memory allocation (NtAllocateVirtualMemory)

Provider: Defender-DeviceEvents
Channel: NtAllocateVirtualMemoryRemoteApiCall

Description

Remote virtual memory allocation (NtAllocateVirtualMemory)

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto
EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto
EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto
EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto
EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto
DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk
parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk
EventType | eq | ConnectionSuccess | 1 rule | kusto

Detection Rules

Kusto

MemoryRemoteProtect: Remote virtual memory protection change

Provider: Defender-DeviceEvents
Channel: MemoryRemoteProtect

Description

Remote virtual memory protection change

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
DestinationPort | eq | 9389 | 1 rule | elastic, kusto, sigma, splunk
parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk
EventType | eq | ConnectionSuccess | 1 rule | kusto

Detection Rules

Kusto

NtMapViewOfSectionRemoteApiCall: Remote section map (NtMapViewOfSection)

Provider: Defender-DeviceEvents
Channel: NtMapViewOfSectionRemoteApiCall

Description

Remote section map (NtMapViewOfSection)

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto
EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto
EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto
EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto
EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto
parent_process_name | eq | mmc.exe | 1 rule | elastic, kusto, splunk
EventType | eq | ConnectionSuccess | 1 rule | kusto

Detection Rules

Kusto

QueueUserApcRemoteApiCall: Remote APC queued (QueueUserApc)

Provider: Defender-DeviceEvents
Channel: QueueUserApcRemoteApiCall

Description

Remote APC queued (QueueUserApc)

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto
EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto
EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto
EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto
EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto

Detection Rules

Kusto

SetThreadContextRemoteApiCall: Remote thread context change (SetThreadContext)

Provider: Defender-DeviceEvents
Channel: SetThreadContextRemoteApiCall

Description

Remote thread context change (SetThreadContext)

Fields

DeviceId, Timestamp, ProcessId, InitiatingProcessFileName

Common Indicators

Field | Kind | Value | Rules | Vendors
EventType | in | CreateRemoteThreadApiCall | 2 rules | kusto
EventType | in | QueueUserApcRemoteApiCall | 2 rules | kusto
EventType | in | SetThreadContextRemoteApiCall | 2 rules | kusto
EventType | in | NtAllocateVirtualMemoryRemoteApiCall | 2 rules | kusto
EventType | in | NtMapViewOfSectionRemoteApiCall | 2 rules | kusto

Detection Rules

Kusto