Field | Description |
---|---|
platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized. |
sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
supported_compressions | List of compression algorithms supported by the application, for example ['gzip']. Allows Microsoft to understand which compression types can be used when it communicates with the application. |
release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
Field | Description |
---|---|
correlation_id | Unique identifier associated with the installation. |
version | Version of the package. |
severity | Severity of the message (for example Informational). |
code | Code that describes the operation. |
text | Additional information associated with the product installation. |
Field | Description |
---|---|
antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
cloud_service.timeout | Timeout used when the application communicates with the Microsoft Defender ATP cloud. |
cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
cloud_service.service_uri | URI used to communicate with the cloud. |
cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. |
edr.early_preview | Whether the machine should run EDR early preview features. |
edr.group_id | Group identifier used by the detection and response component. |
edr.tags | User-defined tags. |
features.[optional feature name] | List of preview features, along with whether they are enabled or not. |
Field | Description |
---|---|
version | Version of Microsoft Defender ATP for Mac. |
instance_id | Unique identifier generated on kernel extension startup. |
trace_level | Trace level of the kernel extension. |
ipc.connects | Number of connection requests received by the kernel extension. |
ipc.rejects | Number of connection requests rejected by the kernel extension. |
ipc.connected | Whether there is any active connection to the kernel extension. |
Field | Description |
---|---|
connection_retry_timeout | Connection retry timeout used when communicating with the cloud. |
file_hash_cache_maximum | Maximum size of the file hash cache. |
crash_upload_daily_limit | Limit of crash logs uploaded daily. |
antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
antivirus_engine.scan_cache_maximum | Maximum size of the scan cache. |
antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
antivirus_engine.threat_restoration_exclusion_time | Timeout before a file restored from quarantine can be detected again. |
filesystem_scanner.full_scan_directory | Full scan directory. |
filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
edr.latency_mode | Latency mode used by the detection and response component. |
edr.proxy_address | Proxy address used by the detection and response component. |
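The two product-configuration tables above (the required fields from antivirus_engine.enable_real_time_protection through features.[optional feature name], and the optional fields from connection_retry_timeout through edr.proxy_address) document what a configuration report contains, but not how an administrator would review one for privacy-relevant settings. The following added example, which is not code from the original page or from Microsoft, flattens a configuration document into the dotted field names used in the tables, reports any field that is not documented here, and flags the settings that widen what leaves the device: a diagnostic level other than "required", automatic sample submission, real-time protection disabled, passive mode, and directory-wide exclusions. The nested-JSON layout of the report and the sample values are assumptions constructed for the example; the real upload format is not described on this page.

```python
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample report. Its nested layout is an assumption: the only thing
# taken from the documentation is the set of dotted field names it flattens to.
SAMPLE_CONFIG: Dict[str, Any] = json.loads("""
{
  "antivirus_engine": {
    "enable_real_time_protection": true,
    "passive_mode": false,
    "exclusions": [
      {"is_directory": true, "path": "/Users/build/agent"},
      {"is_directory": false, "path": "/opt/app/bin/app"},
      {"extension": "log"},
      {"name": "cache.db"}
    ],
    "scan_cache_maximum": 10000,
    "maximum_scan_threads": 2
  },
  "cloud_service": {
    "enabled": true,
    "diagnostic_level": "optional",
    "automatic_sample_submission": true,
    "service_uri": "https://example.invalid/",
    "heartbeat_interval": 30
  },
  "edr": {"early_preview": false, "group_id": "", "tags": [],
          "latency_mode": "normal", "proxy_address": ""},
  "features": {"some_preview": false},
  "unexpected_field": "x"
}
""")

# Field names exactly as listed in the two product-configuration tables.
DOCUMENTED = {
    "antivirus_engine.enable_real_time_protection", "antivirus_engine.passive_mode",
    "cloud_service.enabled", "cloud_service.timeout", "cloud_service.heartbeat_interval",
    "cloud_service.service_uri", "cloud_service.diagnostic_level",
    "cloud_service.automatic_sample_submission",
    "edr.early_preview", "edr.group_id", "edr.tags",
    "connection_retry_timeout", "file_hash_cache_maximum", "crash_upload_daily_limit",
    "antivirus_engine.exclusions[].is_directory", "antivirus_engine.exclusions[].path",
    "antivirus_engine.exclusions[].extension", "antivirus_engine.exclusions[].name",
    "antivirus_engine.scan_cache_maximum", "antivirus_engine.maximum_scan_threads",
    "antivirus_engine.threat_restoration_exclusion_time",
    "filesystem_scanner.full_scan_directory", "filesystem_scanner.quick_scan_directories",
    "edr.latency_mode", "edr.proxy_address",
}


def flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_key, value) leaf pairs; list elements get the '[]' marker
    the documentation uses, so {"a": [{"b": 1}]} yields ("a[].b", 1)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for value in obj:
            yield from flatten(value, f"{prefix.rstrip('.')}[].")
    else:
        yield prefix.rstrip("."), obj


def is_documented(key: str) -> bool:
    # features.* is documented as a wildcard; lists of scalars flatten to 'name[]'.
    base = key[:-2] if key.endswith("[]") else key
    return base in DOCUMENTED or key.startswith("features.")


def audit(config: Dict[str, Any]) -> List[str]:
    """Return human-readable findings about undocumented fields and settings
    that enlarge the data leaving the device."""
    findings: List[str] = []
    for key, _ in flatten(config):
        if not is_documented(key):
            findings.append(f"undocumented field: {key}")
    cloud = config.get("cloud_service", {})
    if cloud.get("diagnostic_level") != "required":
        findings.append("cloud_service.diagnostic_level is not 'required': "
                        "optional diagnostic data is sent")
    if cloud.get("automatic_sample_submission"):
        findings.append("cloud_service.automatic_sample_submission is on: "
                        "file contents may be uploaded")
    av = config.get("antivirus_engine", {})
    if not av.get("enable_real_time_protection", False):
        findings.append("antivirus_engine.enable_real_time_protection is off")
    if av.get("passive_mode"):
        findings.append("antivirus_engine.passive_mode is on: detections are not blocked")
    for exclusion in av.get("exclusions", []):
        if exclusion.get("is_directory"):
            findings.append(f"directory-wide scan exclusion: {exclusion.get('path')}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Running the script against the constructed sample prints four findings: the undocumented `unexpected_field`, the optional diagnostic level, automatic sample submission being on, and the `/Users/build/agent` directory exclusion. Directory exclusions are worth singling out because anything written under an excluded path is never scanned, which is a common place for an attacker with local access to stage tooling.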
Field | Description |
---|---|
how_to_check | Determines how product updates are checked (for example automatic or manual). |
channel_name | Update channel associated with the device. |
manifest_server | Server used for downloading updates. |
update_cache | Location of the cache used to store updates. |
Field | Description |
---|---|
sha256 | SHA-256 hash of the support log. |
size | Size of the support log. |
original_path | Path to the support log (always under /Library/Application Support/Microsoft/Defender/wdavdiag/). |
format | Format of the support log. |
Field | Description |
---|---|
request_id | Correlation ID for the support log upload request. |
sha256 | SHA-256 hash of the support log. |
blob_sas_uri | URI used by the application to upload the support log. |
The fields in the following table are aggregated numerical values, each representing the count of events of that kind that have happened since kernel extension startup.

Field |
---|
pkt_ack_timeout |
pkt_ack_conn_timeout |
ipc.ack_pkts |
ipc.nack_pkts |
ipc.send.ack_no_conn |
ipc.send.nack_no_conn |
ipc.send.ack_no_qsq |
ipc.send.nack_no_qsq |
ipc.ack.no_space |
ipc.ack.timeout |
ipc.ack.ackd_fast |
ipc.ack.ackd |
ipc.recv.bad_pkt_len |
ipc.recv.bad_reply_len |
ipc.recv.no_waiter |
ipc.recv.copy_failed |
ipc.kauth.vnode.mask |
ipc.kauth.vnode.read |
ipc.kauth.vnode.write |
ipc.kauth.vnode.exec |
ipc.kauth.vnode.del |
ipc.kauth.vnode.read_attr |
ipc.kauth.vnode.write_attr |
ipc.kauth.vnode.read_ex_attr |
ipc.kauth.vnode.write_ex_attr |
ipc.kauth.vnode.read_sec |
ipc.kauth.vnode.write_sec |
ipc.kauth.vnode.take_own |
ipc.kauth.vnode.denied |
ipc.kauth.file_op.mask |
ipc.kauth_file_op.open |
ipc.kauth.file_op.close |
ipc.kauth.file_op.close_modified |
ipc.kauth.file_op.move |
ipc.kauth.file_op.link |
ipc.kauth.file_op.exec |
ipc.kauth.file_op.remove |
ipc.kauth.file_op.fork |
ipc.kauth.file_op.create |