Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.
Applies to:
- Microsoft 365 Defender
The CloudAppEvents table in the advanced hunting schema contains information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps. For a complete list, jump to Apps and services covered. Use this reference to construct queries that return information from this table.
Important
This table includes information that used to be available in the AppFileEvents table. Starting March 7, 2021, users hunting through file-related activities in cloud services on and beyond this date should use the CloudAppEvents table instead.
Make sure to search for queries and custom detection rules that still use the AppFileEvents table and edit them to use the CloudAppEvents table. More guidance about converting affected queries can be found in Hunt across cloud app activities with Microsoft 365 Defender advanced hunting.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
ActionType |
string |
Type of activity that triggered the event |
Application |
string |
Application that performed the recorded action |
ApplicationId |
string |
Unique identifier for the application |
AccountObjectId |
string |
Unique identifier for the account in Azure Active Directory |
AccountId |
string |
An identifier for the account as found by Microsoft Defender for Cloud Apps. Could be Azure Active Directory ID, user principal name, or other identifiers. |
AccountDisplayName |
string |
Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
IsAdminOperation |
string |
Indicates whether the activity was performed by an administrator |
DeviceType |
string |
Type of device based on purpose and functionality, such as “Network device”, “Workstation”, “Server”, “Mobile”, “Gaming console”, or “Printer” |
OSPlatform |
string |
Platform of the operating system running on the device. This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |
IPAddress |
string |
IP address assigned to the endpoint and used during related network communications |
IsAnonymousProxy |
string |
Indicates whether the IP address belongs to a known anonymous proxy |
CountryCode |
string |
Two-letter code indicating the country where the client IP address is geolocated |
City |
string |
City where the client IP address is geolocated |
Isp |
string |
Internet service provider (ISP) associated with the IP address |
UserAgent |
string |
User agent information from the web browser or other client application |
ActivityType |
string |
Type of activity that triggered the event |
ActivityObjects |
dynamic |
List of objects, such as files or folders, that were involved in the recorded activity |
ObjectName |
string |
Name of the object that the recorded action was applied to |
ObjectType |
string |
Type of object, such as a file or a folder, that the recorded action was applied to |
ObjectId |
string |
Unique identifier of the object that the recorded action was applied to |
ReportId |
string |
Unique identifier for the event |
RawEventData |
string |
Raw event information from the source application or service in JSON format |
AdditionalFields |
dynamic |
Additional information about the entity or event |
AccountType |
string |
Type of user account, indicating its general role and access levels, such as Regular, System, Admin, DcAdmin, System, Application |
IsExternalUser |
boolean |
Indicates whether a user inside the network doesn’t belong to the organization’s domain |
IsImpersonated |
boolean |
Indicates whether the activity was performed by one user for another (impersonated) user |
IPTags |
dynamic |
Customer-defined information applied to specific IP addresses and IP address ranges |
IPCategory |
string |
Additional information about the IP address |
UserAgentTags |
dynamic |
More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |
Apps and services covered
- Dropbox
- Dynamics 365
- Exchange Online
- Microsoft Teams
- OneDrive for Business
- Power Automate
- Power BI
- SharePoint Online
- Skype for Business
- Office 365
- Yammer