Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.
Applies to:
- Microsoft 365 Defender
The AlertEvidence table in the advanced hunting schema contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
AlertId |
string |
Unique identifier for the alert |
ServiceSource |
string |
Product or service that provided the alert information |
EntityType |
string |
Type of object, such as a file, a process, a device, or a user |
EvidenceRole |
string |
How the entity is involved in an alert, indicating whether it is impacted or is merely related |
EvidenceDirection |
string |
Indicates whether the entity is the source or the destination of a network connection |
FileName |
string |
Name of the file that the recorded action was applied to |
FolderPath |
string |
Folder containing the file that the recorded action was applied to |
SHA1 |
string |
SHA-1 of the file that the recorded action was applied to |
SHA256 |
string |
SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
FileSize |
int |
Size of the file in bytes |
ThreatFamily |
string |
Malware family that the suspicious or malicious file or process has been classified under |
RemoteIP |
string |
IP address that was being connected to |
RemoteUrl |
string |
URL or fully qualified domain name (FQDN) that was being connected to |
AccountName |
string |
User name of the account |
AccountDomain |
string |
Domain of the account |
AccountSid |
string |
Security Identifier (SID) of the account |
AccountObjectId |
string |
Unique identifier for the account in Azure Active Directory |
AccountUpn |
string |
User principal name (UPN) of the account |
DeviceId |
string |
Unique identifier for the device in the service |
DeviceName |
string |
Fully qualified domain name (FQDN) of the machine |
LocalIP |
string |
IP address assigned to the local device used during communication |
NetworkMessageId |
string |
Unique identifier for the email, generated by Office 365 |
EmailSubject |
string |
Subject of the email |
ApplicationId |
string |
Unique identifier for the application |
Application |
string |
Application that performed the recorded action |
ProcessCommandLine |
string |
Command line used to create the new process |
AdditionalFields |
string |
Additional information about the event in JSON array format |
RegistryKey |
string |
Registry key that the recorded action was applied to |
RegistryValueName |
string |
Name of the registry value that the recorded action was applied to |
RegistryValueData |
string |
Data of the registry value that the recorded action was applied to |
Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team
(Visited 31 times, 1 visits today)