BehaviorInfo

BehaviorInfo Schema #

Table description #

TableSection	TableType	TableSectionName	Description
AlertsAndObservations	Regular		Contains information about behaviors, which in the context of Microsoft Defender XDR refers to a conclusion or insight based on one or more raw events, which can provide analysts more context in investigations

Table retention #

HotDays	ColdDays	TotalInteractiveDays
30	0	30

Schema #

Name	Description	Type
AccountObjectId	Unique identifier for the account in Microsoft Entra ID	String
AccountUpn	User principal name (UPN) of the account	String
ActionType	Type of behavior	String
AdditionalFields	Additional information about the behavior	String
AttackTechniques	MITRE ATT&CK techniques associated with the activity that triggered the behavior	String
BehaviorId	Unique identifier for the behavior	String
Categories	Type of threat indicator or breach activity identified by the behavior	String
DataSources	Products or services that provided information for the behavior	String
Description	Description of behavior	String
DetectionSource	Detection technology or sensor that identified the notable component or activity	String
DeviceId	Unique identifier for the device in Microsoft Defender for Endpoint	String
EndTime	Date and time of the last activity related to the behavior	DateTime
ServiceSource	Product or service that identified the behavior	String
SourceSystem		String
StartTime	Date and time of the first activity related to the behavior	DateTime
TenantId		String
TimeGenerated		DateTime
Timestamp	Date and time when the record was generated	DateTime
Type		String

Schema changes #

Date	Action
2026-01-02	Table added to tracking