AlertEvidence

Note

Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

The AlertEvidence table in the advanced hunting schema contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
AlertId string Unique identifier for the alert
Title string Title of the alert
Categories string List of categories that the information belongs to, in JSON array format
AttackTechniques string MITRE ATT&CK techniques associated with the activity that triggered the alert
ServiceSource string Product or service that provided the alert information
DetectionSource string Detection technology or sensor that identified the notable component or activity
EntityType string Type of object, such as a file, a process, a device, or a user
EvidenceRole string How the entity is involved in an alert, indicating whether it is impacted or is merely related
EvidenceDirection string Indicates whether the entity is the source or the destination of a network connection
FileName string Name of the file that the recorded action was applied to
FolderPath string Folder containing the file that the recorded action was applied to
SHA1 string SHA-1 of the file that the recorded action was applied to
SHA256 string SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available.
FileSize long Size of the file in bytes
ThreatFamily string Malware family that the suspicious or malicious file or process has been classified under
RemoteIP string IP address that was being connected to
RemoteUrl string URL or fully qualified domain name (FQDN) that was being connected to
AccountName string User name of the account
AccountDomain string Domain of the account
AccountSid string Security Identifier (SID) of the account
AccountObjectId string Unique identifier for the account in Microsoft Entra ID
AccountUpn string User principal name (UPN) of the account
DeviceId string Unique identifier for the device in the service
DeviceName string Fully qualified domain name (FQDN) of the device
LocalIP string IP address assigned to the local device used during communication
NetworkMessageId string Unique identifier for the email, generated by Office 365
EmailSubject string Subject of the email
Application string Application that performed the recorded action
ApplicationId int Unique identifier for the application
OAuthApplicationId string Unique identifier of the third-party OAuth application
ProcessCommandLine string Command line used to create the new process
RegistryKey string Registry key that the recorded action was applied to
RegistryValueName string Name of the registry value that the recorded action was applied to
RegistryValueData string Data of the registry value that the recorded action was applied to
AdditionalFields string Additional information about the entity or event
Severity string Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert
CloudResource string Cloud resource name
CloudPlatform string The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform
ResourceType string Type of cloud resource
ResourceID string Unique identifier of the cloud resource accessed
SubscriptionId string Unique identifier of the cloud service subscription

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.