BehaviorEntities (Preview)

Applies to:

• Microsoft Defender XDR

The BehaviorEntities table in the advanced hunting schema contains information about behaviors in Microsoft Defender for Cloud Apps. Use this reference to construct queries that return information from this table.

Important

The BehaviorEntities table is in preview and is not available for GCC. The information here may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Have feedback to share? Fill out our feedback form.

Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but not necessarily, indicate malicious activity. Read more about behaviors

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name	Data type	Description
Timestamp	datetime	Date and time when the record was generated
BehaviorId	string	Unique identifier for the behavior
ActionType	string	Type of behavior
Categories	string	Type of threat indicator or breach activity identified by the behavior
ServiceSource	string	Product or service that identified the behavior
DetectionSource	string	Detection technology or sensor that identified the notable component or activity
DataSources	string	Products or services that provided information for the behavior
EntityType	string	Type of object, such as a file, a process, a device, or a user
EntityRole	string	Indicates whether the entity is impacted or merely related
DetailedEntityRole	string	The roles of the entity in the behavior
FileName	string	Name of the file that the behavior applies to
FolderPath	string	Folder containing the file that the behavior applies to
SHA1	string	SHA-1 of the file that the behavior applies to
SHA256	string	SHA-256 of the file that the behavior applies to
FileSize	long	Size, in bytes, of the file that the behavior applies to
ThreatFamily	string	Malware family that the suspicious or malicious file or process has been classified under
RemoteIP	string	IP address that was being connected to
RemoteUrl	string	URL or fully qualified domain name (FQDN) that was being connected to
AccountName	string	User name of the account
AccountDomain	string	Domain of the account
AccountSid	string	Security Identifier (SID) of the account
AccountObjectId	string	Unique identifier for the account in Microsoft Entra ID
AccountUpn	string	User principal name (UPN) of the account
DeviceId	string	Unique identifier for the device in the service
DeviceName	string	Fully qualified domain name (FQDN) of the device
LocalIP	string	IP address assigned to the local device used during communication
NetworkMessageId	string	Unique identifier for the email, generated by Office 365
EmailSubject	string	Subject of the email
EmailClusterId	string	Identifier for the group of similar emails clustered based on heuristic analysis of their contents
Application	string	Application that performed the recorded action
ApplicationId	int	Unique identifier for the application
OAuthApplicationId	string	Unique identifier of the third-party OAuth application
ProcessCommandLine	string	Command line used to create the new process
RegistryKey	string	Registry key that the recorded action was applied to
RegistryValueName	string	Name of the registry value that the recorded action was applied to
RegistryValueData	string	Data of the registry value that the recorded action was applied to
AdditionalFields	string	Additional information about the behavior

Related topics

• Advanced hunting overview
• Learn the query language
• Use shared queries
• Hunt across devices, emails, apps, and identities
• Understand the schema
• Apply query best practices

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.