Editar

Compartilhar via


DeviceEvents

This table is part of Microsoft Defender for Endpoints with Azure Sentinel. This table contains Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection.

Table attributes

Attribute Value
Resource types -
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries -

Columns

Column Type Description
AccountDomain string Domain of the account.
AccountName string User name of the account.
AccountSid string Security identifier (SID) of the account.
ActionType string Type of activity that triggered the event.
AdditionalFields dynamic Additional information about the entity or event.
AppGuardContainerId string Identifier for the virtualized container used by Application Guard to isolate browser activity.
_BilledSize real The record size in bytes
CreatedProcessSessionId long Windows session ID of the created process.
DeviceId string Unique identifier for the device in the service.
DeviceName string Fully qualified domain name (FQDN) of the device.
FileName string Domain of the account.
FileOriginIP string IP address where the file was downloaded from.
FileOriginUrl string URL where the file was downloaded from.
FileSize long Size of the file in bytes.
FolderPath string Domain of the account.
InitiatingProcessAccountDomain string Domain of the account that ran the process responsible for the event.
InitiatingProcessAccountName string User name of the account that ran the process responsible for the event.
InitiatingProcessAccountObjectId string Azure AD object ID of the user account that ran the process responsible for the event.
InitiatingProcessAccountSid string Security Identifier (SID) of the account that ran the process responsible for the event.
InitiatingProcessAccountUpn string User principal name (UPN) of the account that ran the process responsible for the event.
InitiatingProcessCommandLine string Command line used to run the process that initiated the event.
InitiatingProcessCreationTime datetime Date and time when the process that initiated the event was started.
InitiatingProcessFileName string Name of the process that initiated the event.
InitiatingProcessFileSize long Size in bytes of the file that ran the process responsible for the event.
InitiatingProcessFolderPath string Folder containing the process (image file) that initiated the event.
InitiatingProcessId long Process ID (PID) of the process that initiated the event.
InitiatingProcessLogonId long Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts.
InitiatingProcessMD5 string MD5 hash of the process (image file) that initiated the event.
InitiatingProcessParentCreationTime datetime Date and time when the parent of the process responsible for the event was started.
InitiatingProcessParentFileName string Name of the parent process that spawned the process responsible for the event.
InitiatingProcessParentId long Process ID (PID) of the parent process that spawned the process responsible for the event.
InitiatingProcessRemoteSessionDeviceName string Device name of the remote device from which the initiating process's RDP session was initiated.
InitiatingProcessRemoteSessionIP string IP address of the remote device from which the initiating process's RDP session was initiated.
InitiatingProcessSessionId long Windows session ID of the initiating process.
InitiatingProcessSHA1 string SHA-1 hash of the process (image file) that initiated the event.
InitiatingProcessSHA256 string SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available.
InitiatingProcessVersionInfoCompanyName string Company name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoFileDescription string Description from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoInternalFileName string Internal file name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoOriginalFileName string Original file name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoProductName string Product name from the version information of the process (image file) responsible for the event.
InitiatingProcessVersionInfoProductVersion string Product version from the version information of the process (image file) responsible for the event.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsInitiatingProcessRemoteSession bool Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false).
IsProcessRemoteSession bool Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false).
LocalIP string IP address assigned to the local machine used during communication.
LocalPort int TCP port on the local machine used during communication.
LogonId long Identifier for a logon session. This identifier is unique on the same machine only between restarts.
MachineGroup string Machine group of the machine. This group is used by role-based access control to determine access to the machine.
MD5 string MD5 hash of the file that the recorded action was applied to.
ProcessCommandLine string Command line used to create the new process.
ProcessCreationTime datetime Date and time the process was created.
ProcessId long Process ID (PID) of the newly created process.
ProcessRemoteSessionDeviceName string Device name of the remote device from which the created process's RDP session was initiated.
ProcessRemoteSessionIP string IP address of the remote device from which the created process's RDP session was initiated.
ProcessTokenElevation string Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process.
RegistryKey string Registry key that the recorded action was applied to.
RegistryValueData string Data of the registry value that the recorded action was applied to.
RegistryValueName string Name of the registry value that the recorded action was applied to.
RemoteDeviceName string Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information..
RemoteIP string IP address that was being connected to.
RemotePort int TCP port on the remote device that was being connected to.
RemoteUrl string URL or fully qualified domain name (FQDN) that was being connected to.
ReportId long Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.
SHA1 string SHA-1 hash of the file that the recorded action was applied to.
SHA256 string SHA-256 of the file that the recorded action was applied to.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
TimeGenerated datetime Date and time the event was recorded by the MDE agent on the endpoint.
Type string The name of the table