DeviceImageLoadEvents

This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains DLL loading events.

Table attributes

Attribute Value
Resource types -
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries -

Columns

Column Type Description
ActionType string Type of activity that triggered the event.
AppGuardContainerId string Identifier for the virtualized container used by Application Guard to isolate browser activity.
_BilledSize real The record size in bytes
DeviceId string Unique identifier for the device in the service.
DeviceName string Fully qualified domain name (FQDN) of the device.
FileName string Domain of the account.
FileSize long Size of the file in bytes.
FolderPath string Domain of the account.
InitiatingProcessAccountDomain string Domain of the account that ran the process responsible for the event.
InitiatingProcessAccountName string User name of the account that ran the process responsible for the event.
InitiatingProcessAccountObjectId string Azure AD object ID of the user account that ran the process responsible for the event.
InitiatingProcessAccountSid string Security Identifier (SID) of the account that ran the process responsible for the event.
InitiatingProcessAccountUpn string User principal name (UPN) of the account that ran the process responsible for the event.
InitiatingProcessCommandLine string Command line used to run the process that initiated the event.
InitiatingProcessCreationTime datetime Date and time when the process that initiated the event was started.
InitiatingProcessFileName string Name of the process that initiated the event.
InitiatingProcessFileSize long Size in bytes of the process (image file) that initiated the event.
InitiatingProcessFolderPath string Folder containing the process (image file) that initiated the event.
InitiatingProcessId long Process ID (PID) of the process that initiated the event.
InitiatingProcessIntegrityLevel string Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.
InitiatingProcessMD5 string MD5 hash of the process (image file) that initiated the event.
InitiatingProcessParentCreationTime datetime Date and time when the parent of the process responsible for the event was started.
InitiatingProcessParentFileName string Name of the parent process that spawned the process responsible for the event.
InitiatingProcessParentId long Process ID (PID) of the parent process that spawned the process responsible for the event.
InitiatingProcessRemoteSessionDeviceName string Device name of the remote device from which the initiating process's RDP session was initiated.
InitiatingProcessRemoteSessionIP string IP address of the remote device from which the initiating process's RDP session was initiated.
InitiatingProcessSessionId long Windows session ID of the initiating process.
InitiatingProcessSHA1 string SHA-1 hash of the process (image file) that initiated the event.
InitiatingProcessSHA256 string SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.
InitiatingProcessTokenElevation string Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.
InitiatingProcessVersionInfoCompanyName string Company name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoFileDescription string Description from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoInternalFileName string Internal file name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoOriginalFileName string Original file name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoProductName string Product name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoProductVersion string Product version from the version information of the process (image file) responsible for the event.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsInitiatingProcessRemoteSession bool Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
MachineGroup string Machine group of the machine. This group is used by role-based access control to determine access to the machine.
MD5 string MD5 hash of the file that the recorded action was applied to.
ReportId long Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.
SHA1 string SHA-1 hash of the file that the recorded action was applied to.
SHA256 string SHA-256 of the file that the recorded action was applied to.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
TimeGenerated datetime Date and time the event was recorded by the MDE agent on the endpoint.
Type string The name of the table