| AccountDomain |
Domain of the account |
String |
| AccountName |
User name of the account |
String |
| AccountObjectId |
Unique identifier for the account in Microsoft Entra ID |
String |
| AccountSid |
Security Identifier (SID) of the account |
String |
| AccountUpn |
User principal name (UPN) of the account |
String |
| ActionType |
Type of activity that triggered the event |
String |
| AdditionalFields |
Additional information about the entity or event |
String |
| AppGuardContainerId |
Identifier for the virtualized container used by Application Guard to isolate browser activity |
String |
| CreatedProcessSessionId |
Windows session ID of the created process |
Int64 |
| DeviceId |
Unique identifier for the device in the service |
String |
| DeviceName |
Fully qualified domain name (FQDN) of the device |
String |
| FileName |
Name of the file that the recorded action was applied to |
String |
| FileSize |
Size of the file in bytes |
Int64 |
| FolderPath |
Folder containing the file that the recorded action was applied to |
String |
| InitiatingProcessAccountDomain |
Domain of the account that ran the process responsible for the event |
String |
| InitiatingProcessAccountName |
User name of the account that ran the process responsible for the event |
String |
| InitiatingProcessAccountObjectId |
Microsoft Entra object ID of the user account that ran the process responsible for the event |
String |
| InitiatingProcessAccountSid |
Security Identifier (SID) of the account that ran the process responsible for the event |
String |
| InitiatingProcessAccountUpn |
User principal name (UPN) of the account that ran the process responsible for the event |
String |
| InitiatingProcessCommandLine |
Command line used to run the process that initiated the event |
String |
| InitiatingProcessCreationTime |
Date and time when the process that initiated the event was started |
DateTime |
| InitiatingProcessFileName |
Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
String |
| InitiatingProcessFileSize |
Size of the process (image file) that initiated the event |
Int64 |
| InitiatingProcessFolderPath |
Folder containing the process (image file) that initiated the event |
String |
| InitiatingProcessId |
Process ID (PID) of the process that initiated the event |
Int64 |
| InitiatingProcessIntegrityLevel |
Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
String |
| InitiatingProcessLogonId |
Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
Int64 |
| InitiatingProcessMD5 |
MD5 hash of the process (image file) that initiated the event |
String |
| InitiatingProcessParentCreationTime |
Date and time when the parent of the process responsible for the event was started |
DateTime |
| InitiatingProcessParentFileName |
Name of the parent process that spawned the process responsible for the event |
String |
| InitiatingProcessParentId |
Process ID (PID) of the parent process that spawned the process responsible for the event |
Int64 |
| InitiatingProcessRemoteSessionDeviceName |
Device name of the remote device from which the initiating process’s RDP session was initiated |
String |
| InitiatingProcessRemoteSessionIP |
IP address of the remote device from which the initiating process’s RDP session was initiated |
String |
| InitiatingProcessSessionId |
Windows session ID of the initiating process |
Int64 |
| InitiatingProcessSHA1 |
SHA-1 hash of the process (image file) that initiated the event |
String |
| InitiatingProcessSHA256 |
SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
String |
| InitiatingProcessSignatureStatus |
Information about the signature status of the process (image file) that initiated the event |
String |
| InitiatingProcessSignerType |
Type of file signer of the process (image file) that initiated the event |
String |
| InitiatingProcessTokenElevation |
Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
String |
| InitiatingProcessUniqueId |
Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices |
String |
| InitiatingProcessVersionInfoCompanyName |
Company name from the version information of the process (image file) responsible for the event |
String |
| InitiatingProcessVersionInfoFileDescription |
Description from the version information of the process (image file) responsible for the event |
String |
| InitiatingProcessVersionInfoInternalFileName |
Internal file name from the version information of the process (image file) responsible for the event |
String |
| InitiatingProcessVersionInfoOriginalFileName |
Original file name from the version information of the process (image file) responsible for the event |
String |
| InitiatingProcessVersionInfoProductName |
Product name from the version information of the process (image file) responsible for the event |
String |
| InitiatingProcessVersionInfoProductVersion |
Product version from the version information of the process (image file) responsible for the event |
String |
| IsInitiatingProcessRemoteSession |
Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
Boolean |
| IsProcessRemoteSession |
Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
Boolean |
| LogonId |
Identifier for a logon session. This identifier is unique on the same machine only between restarts |
Int64 |
| MachineGroup |
|
String |
| MD5 |
MD5 hash of the file that the recorded action was applied to |
String |
| ProcessCommandLine |
Command line used to create the new process |
String |
| ProcessCreationTime |
Date and time the process was created |
DateTime |
| ProcessId |
Process ID (PID) of the newly created process |
Int64 |
| ProcessIntegrityLevel |
Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
String |
| ProcessRemoteSessionDeviceName |
Device name of the remote device from which the created process’s RDP session was initiated |
String |
| ProcessRemoteSessionIP |
IP address of the remote device from which the created process’s RDP session was initiated |
String |
| ProcessTokenElevation |
Indicates the type of token elevation applied to the newly created process. Possible values: TokenElevationTypeLimited (restricted), TokenElevationTypeDefault (standard), and TokenElevationTypeFull (elevated) |
String |
| ProcessUniqueId |
Unique identifier of the process; this is equal to the Process Start Key in Windows devices |
String |
| ProcessVersionInfoCompanyName |
Company name from the version information of the newly created process |
String |
| ProcessVersionInfoFileDescription |
Description from the version information of the newly created process |
String |
| ProcessVersionInfoInternalFileName |
Internal file name from the version information of the newly created process |
String |
| ProcessVersionInfoOriginalFileName |
Original file name from the version information of the newly created process |
String |
| ProcessVersionInfoProductName |
Product name from the version information of the newly created process |
String |
| ProcessVersionInfoProductVersion |
Product version from the version information of the newly created process |
String |
| ReportId |
Event identifier based on a repeating counter.To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
Int64 |
| SHA1 |
SHA-1 hash of the file that the recorded action was applied to |
String |
| SHA256 |
SHA-256 of the file that the recorded action was applied to |
String |
| SourceSystem |
|
String |
| TenantId |
|
String |
| TimeGenerated |
|
DateTime |
| Timestamp |
Date and time when the record was generated |
DateTime |
| Type |
|
String |