| AccountDomain | Domain of the account | String |
| AccountName | User name of the account | String |
| AccountObjectId | Unique identifier for the account in Microsoft Entra ID | String |
| AccountSid | Security Identifier (SID) of the account | String |
| AccountUpn | User principal name (UPN) of the account | String |
| ActionType | Type of behavior | String |
| AdditionalFields | Additional information about the behavior | String |
| Application | Application that performed the recorded action | String |
| ApplicationId | Unique identifier for the application | Int32 |
| BehaviorId | Unique identifier for the behavior | String |
| Categories | Type of threat indicator or breach activity identified by the behavior | String |
| DataSources | Products or services that provided information for the behavior | String |
| DetailedEntityRole | The role of the entity in the behavior | String |
| DetectionSource | Detection technology or sensor that identified the notable component or activity | String |
| DeviceId | Unique identifier for the device in Microsoft Defender for Endpoint | String |
| DeviceName | Fully qualified domain name (FQDN) of the device | String |
| EmailClusterId | Identifier for the group of similar emails clustered based on heuristic analysis of their contents | String |
| EmailSubject | Subject of the email | String |
| EntityRole | Indicates whether the entity is impacted or merely related | String |
| EntityType | Type of object, such as a file, a process, a device, or a user | String |
| FileName | Name of the file that the recorded action was applied to | String |
| FileSize | Size of the file in bytes | Int64 |
| FolderPath | Folder containing the file that the recorded action was applied to | String |
| LocalIP | IP address assigned to the local machine used during communication | String |
| NetworkMessageId | Unique identifier for the email, generated by Microsoft 365 | String |
| OAuthApplicationId | Unique identifier of the third-party OAuth application | String |
| ProcessCommandLine | Command line used to create the new process | String |
| RegistryKey | Registry key that the recorded action was applied to | String |
| RegistryValueData | Data of the registry value that the recorded action was applied to | String |
| RegistryValueName | Name of the registry value that the recorded action was applied to | String |
| RemoteIP | IP address that was being connected to | String |
| RemoteUrl | URL or fully qualified domain name (FQDN) that was being connected to | String |
| ServiceSource | Product or service that identified the behavior | String |
| SHA1 | SHA-1 hash of the file that the recorded action was applied to | String |
| SHA256 | SHA-256 of the file that the recorded action was applied to | String |
| SourceSystem | | String |
| TenantId | | String |
| ThreatFamily | Malware family that the suspicious or malicious file or process has been classified under | String |
| TimeGenerated | | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| Type | | String |