| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| AlertId | string | Unique identifier for the alert |
| Title | string | Title of the alert |
| Categories | string | List of categories that the information belongs to, in JSON array format |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
| ServiceSource | string | Product or service that provided the alert information |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity |
| EntityType | string | Type of object, such as a file, a process, a device, or a user |
| EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related |
| EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available. |
| FileSize | long | Size of the file in bytes |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under |
| RemoteIP | string | IP address that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| AccountName | string | User name of the account |
| AccountDomain | string | Domain of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID |
| AccountUpn | string | User principal name (UPN) of the account |
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| LocalIP | string | IP address assigned to the local device used during communication |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365 |
| EmailSubject | string | Subject of the email |
| Application | string | Application that performed the recorded action |
| ApplicationId | int | Unique identifier for the application |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application |
| ProcessCommandLine | string | Command line used to create the new process |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| AdditionalFields | string | Additional information about the entity or event |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| CloudResource | string | Cloud resource name |
| CloudPlatform | string | Cloud platform that the resource belongs to; can be Azure, Amazon Web Services, or Google Cloud Platform |
| ResourceType | string | Type of cloud resource |
| ResourceID | string | Unique identifier of the cloud resource accessed |
| SubscriptionId | string | Unique identifier of the cloud service subscription |
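Because this schema stores one row per piece of evidence, an analyst usually pivots the rows back into one record per AlertId. The following added example (not code from the schema's vendor) does that over constructed sample rows, parsing the JSON-array columns (Categories, AttackTechniques) defensively and preferring SHA1 over the usually empty SHA256 column, as the table notes. The literal EvidenceRole value "Impacted" is an assumption; the schema only states that the role distinguishes impacted from related entities.

```python
import json

# Constructed sample rows shaped like the schema above; the IP is an RFC 5737
# documentation address and the hashes are placeholders, not real indicators.
_A1 = {"AlertId": "alert-001", "Title": "Suspicious script execution", "Severity": "High",
       "Categories": '["Execution"]', "AttackTechniques": '["T1059.001"]'}
SAMPLE_ROWS = [
    {**_A1, "EntityType": "Device", "EvidenceRole": "Impacted", "DeviceName": "ws01.corp.example"},
    {**_A1, "EntityType": "File", "EvidenceRole": "Related", "FileName": "update.ps1",
     "SHA1": "a" * 40, "SHA256": ""},
    {**_A1, "EntityType": "Ip", "EvidenceRole": "Related", "RemoteIP": "203.0.113.5"},
    {"AlertId": "alert-002", "Title": "Unusual file drop", "Severity": "Medium",
     "Categories": "not-json", "AttackTechniques": "", "EntityType": "File",
     "EvidenceRole": "Impacted", "FileName": "dropper.exe", "SHA1": "", "SHA256": "b" * 64},
]


def parse_json_array(value):
    """Categories and AttackTechniques arrive as JSON-array strings; treat empty,
    malformed or non-array values as an empty list instead of aborting the run."""
    try:
        parsed = json.loads(value) if value else []
    except json.JSONDecodeError:
        return []
    return parsed if isinstance(parsed, list) else []


def file_hash(row):
    """Prefer SHA1 because SHA256 is usually not populated; fall back to SHA256."""
    return row.get("SHA1") or row.get("SHA256") or None


def summarize_alerts(rows):
    """Pivot one evidence row per entity into one summary dict per AlertId."""
    alerts = {}
    for row in rows:
        a = alerts.setdefault(row["AlertId"], {
            "Title": row["Title"], "Severity": row["Severity"],
            "Categories": set(), "Techniques": set(),
            "Impacted": [], "FileHashes": set(), "RemoteIPs": set()})
        a["Categories"].update(parse_json_array(row.get("Categories")))
        a["Techniques"].update(parse_json_array(row.get("AttackTechniques")))
        # Assumed literal: rows whose EvidenceRole is "Impacted" name the affected asset.
        if row.get("EvidenceRole") == "Impacted":
            name = row.get("DeviceName") or row.get("FileName") or row.get("AccountUpn")
            a["Impacted"].append((row["EntityType"], name))
        h = file_hash(row)
        if h:
            a["FileHashes"].add(h)
        if row.get("RemoteIP"):
            a["RemoteIPs"].add(row["RemoteIP"])
    return alerts
```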