BehaviorAnalytics

BehaviorAnalytics Schema

Table description

| TableSection | TableType | TableSectionName | Description |
|---|---|---|---|
| Usx | Regular | Microsoft Sentinel | This table stores the enriched events for Sentinel UEBA, providing behavior analytics over raw data. |

Table retention

| HotDays | ColdDays | TotalInteractiveDays |
|---|---|---|
| 14 | 76 | 90 |

Schema

| Name | Description | Type |
|---|---|---|
| _BilledSize | The record size in bytes. | Double |
| _IsBillable | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. | String |
| _ResourceId | A unique identifier for the resource that the record is associated with. | String |
| _SubscriptionId | A unique identifier for the subscription that the record is associated with. | String |
| ActionType | The specific type of action that triggered the event. | String |
| ActivityInsights | Activity and behavioral insights (property bag). | Object |
| ActivityType | The activity type that triggered the event. | String |
| ActorName | The name of the user initiating the action that generated the event. | String |
| ActorPrincipalName | The principal name of the user initiating the action that generated the event. | String |
| DestinationDevice | The hostname of the destination device. | String |
| DestinationIPAddress | The destination IP address. | String |
| DestinationIPLocation | The destination geo location, derived from the IP address. | String |
| Device | The name of the device on which the event occurred or which reported the event, depending on the source schema. | String |
| DevicesInsights | Device metadata and insights (property bag). | Object |
| EventProductVersion | The version of the product generating the event. | String |
| EventSource | Data source for this event. | String |
| EventVendor | The vendor of the product generating the event. | String |
| InvestigationPriority | Investigation priority score. | Int32 |
| NativeTableName | The original table from which the record was fetched. | String |
| SourceDevice | The hostname of the source device. | String |
| SourceIPAddress | The source IP address. | String |
| SourceIPLocation | The source geo location, derived from the IP address. | String |
| SourceRecordId | The unique ID of the source raw event. | String |
| SourceSystem | The entity provider source system. | String |
| TargetName | The name of the target user in the action that generated the event. | String |
| TargetPrincipalName | The principal name of the target user in the action that generated the event. | String |
| TenantId | The Log Analytics workspace ID. | String |
| TimeGenerated | Time when the raw event was generated (UTC). | DateTime |
| TimeProcessed | Time when enrichment processing occurred (UTC). | DateTime |
| Type | The name of the table. | String |
| UserName | User name of the account. | String |
| UserPrincipalName | User principal name of the account. | String |
| UsersInsights | User metadata and insights (property bag). | Object |
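The following KQL query is an added example, not part of this schema page or of Microsoft's UEBA content. It shows how the columns above fit together in triage: InvestigationPriority as the ranking key, the gap between TimeGenerated and TimeProcessed as enrichment lag, ActivityInsights expanded to list only the insight flags that fired, and NativeTableName plus SourceRecordId used to join back to the raw record. The priority threshold of 5, the assumption that ActivityInsights values are booleans, and the mapping of SourceRecordId to the Id column of SigninLogs are assumptions for illustration; verify the mapping against NativeTableName in your own workspace before relying on it.

```kusto
// Added example (not from the schema page): triage UEBA rows by priority,
// list the insight flags that fired, and join back to the raw event.
// Assumptions: priority threshold, boolean-valued insights, and the
// SourceRecordId -> SigninLogs.Id mapping.
let lookback = 7d;
let minPriority = 5;   // assumed threshold; tune per tenant
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority >= minPriority
// TimeGenerated is the raw event time, TimeProcessed the enrichment time;
// the difference is how stale the UEBA verdict is relative to the event.
| extend EnrichmentLagMin = datetime_diff('minute', TimeProcessed, TimeGenerated)
// ActivityInsights is a property bag of insight name -> value. Expand the
// keys and keep only entries whose value is true (assumes boolean values).
// Note: rows whose bag has no true entry are dropped by this step.
| mv-expand Insight = bag_keys(ActivityInsights) to typeof(string)
| where tobool(ActivityInsights[Insight]) == true
| summarize FiredInsights = make_set(Insight)
    by TimeGenerated, UserPrincipalName, ActorPrincipalName, ActivityType, ActionType,
       SourceIPAddress, SourceIPLocation, InvestigationPriority, EnrichmentLagMin,
       NativeTableName, SourceRecordId
// Join back to the raw sign-in the row was enriched from. Only rows whose
// NativeTableName is SigninLogs are joined; the Id mapping is an assumption.
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | project SourceRecordId = tostring(Id), ResultType, AppDisplayName, UserAgent
) on SourceRecordId
| where NativeTableName == "SigninLogs" or isempty(ResultType)
| order by InvestigationPriority desc, TimeGenerated desc
```

Because the enriched row keeps SourceRecordId rather than the raw payload, the join is what lets an analyst confirm the original sign-in result, application and user agent without re-running the behavioural scoring; if NativeTableName reports a different source table, swap the joined table and its record-id column accordingly.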

Schema changes

| Date | Action |
|---|---|
| 2024-10-18 | Table added to tracking |