| AccountDomain |
string |
Domain of the account. |
| AccountName |
string |
User name of the account. |
| AccountSid |
string |
Security identifier (SID) of the account. |
| ActionType |
string |
Type of activity that triggered the event. |
| AdditionalFields |
dynamic |
Additional information about the entity or event. |
| AppGuardContainerId |
string |
Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| _BilledSize |
real |
The record size in bytes |
| CreatedProcessSessionId |
long |
Windows session ID of the created process. |
| DeviceId |
string |
Unique identifier for the device in the service. |
| DeviceName |
string |
Fully qualified domain name (FQDN) of the device. |
| FileName |
string |
Domain of the account. |
| FileOriginIP |
string |
IP address where the file was downloaded from. |
| FileOriginUrl |
string |
URL where the file was downloaded from. |
| FileSize |
long |
Size of the file in bytes. |
| FolderPath |
string |
Domain of the account. |
| InitiatingProcessAccountDomain |
string |
Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName |
string |
User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountObjectId |
string |
Azure AD object ID of the user account that ran the process responsible for the event. |
| InitiatingProcessAccountSid |
string |
Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessAccountUpn |
string |
User principal name (UPN) of the account that ran the process responsible for the event. |
| InitiatingProcessCommandLine |
string |
Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime |
datetime |
Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName |
string |
Name of the process that initiated the event. |
| InitiatingProcessFileSize |
long |
Size in bytes of the file that ran the process responsible for the event. |
| InitiatingProcessFolderPath |
string |
Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId |
long |
Process ID (PID) of the process that initiated the event. |
| InitiatingProcessLogonId |
long |
Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessMD5 |
string |
MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime |
datetime |
Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentFileName |
string |
Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentId |
long |
Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessRemoteSessionDeviceName |
string |
Device name of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessRemoteSessionIP |
string |
IP address of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessSessionId |
long |
Windows session ID of the initiating process. |
| InitiatingProcessSHA1 |
string |
SHA-1 hash of the process (image file) that initiated the event. |
| InitiatingProcessSHA256 |
string |
SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
| InitiatingProcessVersionInfoCompanyName |
string |
Company name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoFileDescription |
string |
Description from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoInternalFileName |
string |
Internal file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoOriginalFileName |
string |
Original file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductName |
string |
Product name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductVersion |
string |
Product version from the version information of the process (image file) responsible for the event. |
| _IsBillable |
string |
Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| IsInitiatingProcessRemoteSession |
bool |
Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| IsProcessRemoteSession |
bool |
Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| LocalIP |
string |
IP address assigned to the local machine used during communication. |
| LocalPort |
int |
TCP port on the local machine used during communication. |
| LogonId |
long |
Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| MachineGroup |
string |
Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MD5 |
string |
MD5 hash of the file that the recorded action was applied to. |
| ProcessCommandLine |
string |
Command line used to create the new process. |
| ProcessCreationTime |
datetime |
Date and time the process was created. |
| ProcessId |
long |
Process ID (PID) of the newly created process. |
| ProcessRemoteSessionDeviceName |
string |
Device name of the remote device from which the created process's RDP session was initiated. |
| ProcessRemoteSessionIP |
string |
IP address of the remote device from which the created process's RDP session was initiated. |
| ProcessTokenElevation |
string |
Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| RegistryKey |
string |
Registry key that the recorded action was applied to. |
| RegistryValueData |
string |
Data of the registry value that the recorded action was applied to. |
| RegistryValueName |
string |
Name of the registry value that the recorded action was applied to. |
| RemoteDeviceName |
string |
Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information.. |
| RemoteIP |
string |
IP address that was being connected to. |
| RemotePort |
int |
TCP port on the remote device that was being connected to. |
| RemoteUrl |
string |
URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportId |
long |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 |
string |
SHA-1 hash of the file that the recorded action was applied to. |
| SHA256 |
string |
SHA-256 of the file that the recorded action was applied to. |
| SourceSystem |
string |
The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId |
string |
The Log Analytics workspace ID |
| TimeGenerated |
datetime |
Date and time the event was recorded by the MDE agent on the endpoint. |
| Type |
string |
The name of the table |