Contains information about process events in multicloud hosted environments such as Azure Kubernetes Service, Amazon Elastic Kubernetes Service, and Google Kubernetes Engine as protected by the organization's Microsoft Defender for Cloud.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time DCR support | No |
| Lake-only ingestion | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AccountName | string | User name of the account |
| ActionType | string | Type of activity that triggered the event. See the in-portal schema reference for details. |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AwsResourceName | string | Unique identifier specific to Amazon Web Services devices, containing the Amazon resource name |
| AzureResourceId | string | Unique identifier of the Azure resource associated with the process |
| _BilledSize | real | The record size in bytes |
| ContainerId | string | The container identifier in Kubernetes or another runtime environment |
| ContainerImageName | string | The container image name or ID, if it exists |
| ContainerName | string | Name of the container in Kubernetes or another runtime environment |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| GcpFullResourceName | string | Unique identifier specific to Google Cloud Platform devices, containing a combination of zone and ID for GCP |
| InitiatingProcessId | string | Process ID (PID) of the process that initiated the event |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| KubernetesNamespace | string | The Kubernetes namespace name |
| KubernetesPodName | string | The Kubernetes pod name |
| KubernetesResource | string | Identifier value that includes namespace, resource type and name |
| LogonId | long | Identifier for a logon session. This identifier is unique on the same pod or container between restarts. |
| ParentProcessId | string | The process ID (PID) of the parent process |
| ParentProcessName | string | The name of the parent process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessCurrentWorkingDirectory | string | Current working directory of the running process |
| ProcessId | long | Process ID (PID) of the newly created process |
| ProcessName | string | The name of the process |
| SourceSystem | string | The type of agent that collected the event. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |