AlertEvidence
Applies to:
- Microsoft Defender XDR
The AlertEvidence table in the advanced hunting schema contains information about various entities (files, IP addresses, URLs, users, or devices) associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| AlertId | string | Unique identifier for the alert |
| ServiceSource | string | Product or service that provided the alert information |
| EntityType | string | Type of object, such as a file, a process, a device, or a user |
| EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related |
| EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available. |
| FileSize | int | Size of the file in bytes |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under |
| RemoteIP | string | IP address that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| AccountName | string | User name of the account |
| AccountDomain | string | Domain of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID |
| AccountUpn | string | User principal name (UPN) of the account |
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
| LocalIP | string | IP address assigned to the local device used during communication |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365 |
| EmailSubject | string | Subject of the email |
| ApplicationId | int | Unique identifier for the application |
| Application | string | Application that performed the recorded action |
| ProcessCommandLine | string | Command line used to create the new process |
| AdditionalFields | string | Additional information about the event in JSON array format |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
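The following query is added here as a worked example and is not taken from the Microsoft Learn page. It shows how the columns above combine in a hunt: the device rows of AlertEvidence are joined with the file, process, and network rows of the same alerts to list devices that were the impacted entity in two or more alerts during the last 7 days. The literal EntityType values ("Machine", "File", "Process", "Ip", "Url") and the EvidenceRole value ("Impacted") are assumptions about the data, not values documented on this page.

```kql
// Added example, not from the Microsoft Learn page.
// Step 1: alerts in which a device is the impacted entity.
// The EntityType and EvidenceRole literals are assumed values.
let ImpactedDevices =
    AlertEvidence
    | where Timestamp > ago(7d)
    | where EntityType == "Machine" and EvidenceRole == "Impacted"
    | where isnotempty(DeviceId)
    | project AlertId, DeviceId, DeviceName;
// Step 2: collect the other evidence attached to those same alerts.
AlertEvidence
| where Timestamp > ago(7d)
// Only non-device evidence rows here; device rows come from the join.
| where EntityType in ("File", "Process", "Ip", "Url")
| join kind=inner ImpactedDevices on AlertId
// SHA256 is usually empty in this table, so fall back to SHA1 for pivoting.
| extend FileHash = iff(isnotempty(SHA256), SHA256, SHA1)
| summarize
    AlertCount = dcount(AlertId),
    Sources    = make_set(ServiceSource, 5),
    Hashes     = make_set_if(FileHash, isnotempty(FileHash), 20),
    Families   = make_set_if(ThreatFamily, isnotempty(ThreatFamily), 10),
    RemoteIPs  = make_set_if(RemoteIP, isnotempty(RemoteIP), 20),
    RemoteUrls = make_set_if(RemoteUrl, isnotempty(RemoteUrl), 20),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by DeviceId, DeviceName
| where AlertCount >= 2
| order by AlertCount desc
```

Each result row is one device with the distinct hashes, malware families, and remote addresses that Defender attached as evidence across its alerts, which is the pivot set an analyst typically carries into the other schema tables.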
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices