A generic Windows events table for data collected by the Defender for Endpoint agent.

| Column description |
|---|
| Security identifier (SID) of the account. |
| Additional information about the entity or event. |
| Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| The record size in bytes. |
| Unique identifier for the device in the service. |
| Fully qualified domain name (FQDN) of the device. |
| Contains the unique event identifier. |
| Domain of the account that ran the process responsible for the event. |
| User name of the account that ran the process responsible for the event. |
| Azure AD object ID of the user account that ran the process responsible for the event. |
| Security identifier (SID) of the account that ran the process responsible for the event. |
| User principal name (UPN) of the account that ran the process responsible for the event. In Active Directory, a UPN is the name of a system user in an email address format (for example: firstname.lastname@example.org). |
| Folder containing the process (image file) that initiated the event. |
| Process ID (PID) of the process that initiated the event. |
| Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| MD5 hash of the process (image file) that initiated the event. |
| Name of the parent process that spawned the process responsible for the event. |
| Process ID (PID) of the parent process that spawned the process responsible for the event. |
| SHA-1 hash of the process (image file) that initiated the event. |
| Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| IP address assigned to the local machine used during communication. |
| TCP port on the local machine used during communication. |
| Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| Command line used to create the new process. |
| Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| IP address that was being connected to. |
| TCP port on the remote device that was being connected to. |
| Unique identifier for the event. |
| The type of agent the event was collected by. For example: OpsManager for the Windows agent, either direct connect or Operations Manager; Linux for all Linux agents; or Azure for Azure Diagnostics. |
| The Log Analytics workspace ID. |
| Date and time (UTC) when the record was generated. |
| The name of the table. |