| Column | Description | Type |
|---|---|---|
| ActionType | Type of activity that triggered the event | String |
| AuthenticationProtocol | Authentication protocol that the compromised user used to sign in; possible values: Undefined, NTLM, Kerberos | String |
| CompromisedAccountCount | Number of compromised accounts that are part of the policy | Int32 |
| DataSource | Data source of the cloud audit event; can be Azure ARM Logs, AWS CloudTrail, GCP Logging, or other | String |
| DeviceId | Unique identifier for the device in Microsoft Defender for Endpoint | String |
| DeviceName | Fully qualified domain name (FQDN) of the device | String |
| DomainName | Domain name that the device that reported the event is joined to; the reporting device can be the one that blocked the access, the compromised device itself, or a different device that is aware of the attack | String |
| FileName | Name of the file that the recorded action was applied to | String |
| InitiatingProcessFileName | Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead | String |
| InitiatingProcessId | Process ID (PID) of the process that initiated the event | Int64 |
| InterfaceFriendlyName | Friendly name of the interface represented by the interface UUID | String |
| InterfaceUuid | Unique identifier (UUID) for the Remote Procedure Call (RPC) interface that the attacker attempted to access | String |
| IpAddress | IP address that the attacker attempted to access | String |
| IsPolicyOn | State of the policy on the device at the time of the disruption event; possible values: true (the policy was on, so it was applied or enforced), false (the policy was turned off or revoked from the device) | Boolean |
| LogonId | Identifier for a logon session. This identifier is unique on the same machine only between restarts | Int64 |
| LogonType | Type of logon session: interactive, remote interactive (RDP), network, batch, or service | String |
| MachineGroup | | String |
| PolicyHash | Unique hash of the policy | String |
| PolicyId | Unique identifier for the policy | String |
| PolicyName | Name of the policy | String |
| PolicyVersion | Version of the policy | String |
| Port | TCP port used during communication | Int32 |
| ReportId | Event identifier based on a repeating counter. To identify unique events, use this column together with the DeviceName and Timestamp columns | Int64 |
| ReportType | Type of reported event; possible values: Prevented, Blocked, PolicyUpdated | String |
| Service | Name of the service the attacker attempted to use, if the attacker signed in using Kerberos or NTLM; for example: SMB, HTTP, cifs, host, ldap, krbtgt | String |
| SessionId | Unique number assigned to a user by a website's server for the duration of the visit or session | String |
| ShareName | Name of the shared folder containing the file | String |
| SourceDeviceId | Unique identifier for the device that the attack originated from | String |
| SourceDeviceName | Host name of the device that the attack originated from | String |
| SourceDomainName | Domain name of the device that the attack originated from | String |
| SourceIpAddress | IP address that the attacker communication originated from and was blocked by automatic attack disruption | String |
| SourcePort | Port that the attacker communication originated from | Int32 |
| SourceSystem | | String |
| SourceUserDomainName | Domain name of the account conducting the malicious activity | String |
| SourceUserName | User name of the account conducting the malicious activity | String |
| SourceUserSid | Security identifier (SID) of the account conducting the malicious activity | String |
| TargetDeviceId | Unique identifier for the device that was targeted or attacked | String |
| TargetDeviceName | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | String |
| TargetDomainName | Domain name of the device that was targeted or attacked | String |
| TenantId | | String |
| TimeGenerated | | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| Type | | String |
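Two columns above carry caveats that are easy to get wrong when this table is queried: ReportId repeats and only identifies an event together with DeviceName and Timestamp, and a Blocked record describes either a Kerberos/NTLM service (Service) or an RPC interface (InterfaceUuid/InterfaceFriendlyName), not both. The following Python is an added example, not code from the original page or from Microsoft; it runs over constructed records (invented values, placeholder policy names and interface UUID) shaped like rows of this table, deduplicates them with the three-column key, summarizes disruption outcomes per source device and account, and reports devices whose latest PolicyUpdated record shows the policy turned off. The same grouping maps directly onto a KQL summarize over the table.

```python
from collections import Counter


def rec(ts, device, report_id, report_type, **fields):
    """Build one constructed record with the column names used by the table above.
    Every value here is invented for illustration; nothing is real telemetry."""
    row = {
        "Timestamp": ts, "DeviceName": device, "ReportId": report_id,
        "ReportType": report_type, "AuthenticationProtocol": "Undefined",
        "Service": "", "InterfaceUuid": "", "InterfaceFriendlyName": "",
        "SourceDeviceName": "", "SourceUserName": "", "SourceIpAddress": "",
        "IsPolicyOn": True, "PolicyName": "example-policy",  # placeholder name
    }
    row.update(fields)
    return row


ATTACKER = dict(SourceDeviceName="ws17", SourceUserName="jdoe", SourceIpAddress="10.0.5.23")

# Constructed sample: seven rows, one of which is an exact re-ingested duplicate.
SAMPLE_EVENTS = [
    rec("2024-05-01T10:00:00Z", "fs01.corp.example", 7, "Blocked",
        AuthenticationProtocol="NTLM", Service="cifs", **ATTACKER),
    # Same ReportId (7) on a different device: a distinct event, not a duplicate.
    rec("2024-05-01T10:00:00Z", "fs02.corp.example", 7, "Blocked",
        AuthenticationProtocol="Kerberos", Service="host", **ATTACKER),
    # Exact repeat of the first row: must collapse to one event.
    rec("2024-05-01T10:00:00Z", "fs01.corp.example", 7, "Blocked",
        AuthenticationProtocol="NTLM", Service="cifs", **ATTACKER),
    # RPC block: Service is empty, the interface columns are populated (placeholder UUID).
    rec("2024-05-01T10:02:30Z", "dc01.corp.example", 8, "Blocked",
        InterfaceUuid="00000000-0000-0000-0000-000000000001",
        InterfaceFriendlyName="example-interface", **ATTACKER),
    rec("2024-05-01T10:03:00Z", "fs01.corp.example", 9, "Prevented",
        AuthenticationProtocol="NTLM", Service="cifs", **ATTACKER),
    rec("2024-05-01T10:05:00Z", "dc01.corp.example", 10, "PolicyUpdated", IsPolicyOn=True),
    rec("2024-05-01T10:09:00Z", "dc01.corp.example", 11, "PolicyUpdated", IsPolicyOn=False),
]


def event_key(row):
    """Unique event key per the ReportId note: the counter repeats, so pair it
    with DeviceName and Timestamp."""
    return (row["DeviceName"], row["Timestamp"], row["ReportId"])


def dedupe(rows):
    """Drop rows whose (DeviceName, Timestamp, ReportId) key was already seen."""
    seen, unique = set(), []
    for row in rows:
        key = event_key(row)
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


def blocked_target(row):
    """What the attacker reached for: a Kerberos/NTLM service, else an RPC interface."""
    if row["Service"]:
        return f"{row['AuthenticationProtocol']}:{row['Service']}"
    if row["InterfaceUuid"]:
        return f"RPC:{row['InterfaceFriendlyName'] or row['InterfaceUuid']}"
    return "unknown"


def summarize_disruptions(rows):
    """Count Prevented/Blocked events per (source device, source user, target)."""
    counts = Counter()
    for row in dedupe(rows):
        if row["ReportType"] in ("Prevented", "Blocked"):
            counts[(row["SourceDeviceName"], row["SourceUserName"], blocked_target(row))] += 1
    return dict(counts)


def policy_revoked(rows):
    """Devices whose most recent PolicyUpdated record has IsPolicyOn == False."""
    latest = {}
    for row in sorted(dedupe(rows), key=lambda r: r["Timestamp"]):
        if row["ReportType"] == "PolicyUpdated":
            latest[row["DeviceName"]] = row["IsPolicyOn"]
    return sorted(device for device, on in latest.items() if not on)


if __name__ == "__main__":
    print(len(dedupe(SAMPLE_EVENTS)), "unique events")
    for key, n in summarize_disruptions(SAMPLE_EVENTS).items():
        print(n, key)
    print("policy off on:", policy_revoked(SAMPLE_EVENTS))
```

Note that a naive `distinct ReportId` would have merged the fs01 and fs02 events and kept the re-ingested duplicate, which is exactly the inversion the ReportId caveat warns about.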