BehaviorEntities

Microsoft Defender for Endpoints (MDE) behaviors table. Contains information about entities (file, process, device, user, and others) that are involved in a behavior or observation, including detected threats.

Table attributes

Attribute	Value
Resource types	-
Categories	Security
Solutions	LogManagement
Basic log	Yes
Ingestion-time transformation	No
Sample Queries	-

Columns

Column	Type	Description
AccountDomain	string	Domain of the account.
AccountName	string	User name of the account.
AccountObjectId	string	Unique identifier for the account in Azure AD.
AccountSid	string	Security Identifier (SID) of the account.
AccountUpn	string	User principal name (UPN) of the account.
ActionType	string	Type of activity that triggered the event. Associated with specific MITRE ATT&CK techniques.
AdditionalFields	string	Additional information about the entity or event.
Application	string	Application that performed the recorded action.
ApplicationId	string	Unique identifier for the application.
BehaviorId	string	Unique identifier for the behavior.
_BilledSize	real	The record size in bytes
Categories	string	Types of threat indicator or breach activity identified by the alert. Defined by the MITRE ATT&CK Matrix for Enterprise.
DataSources	string	Products or services that provided information for the behavior.
DetailedEntityRole	string	The role of the entity in the behavior
DetectionSource	string	Detection technology or sensor that identified the notable component or activity.
DeviceId	string	Unique identifier for the device in the service.
DeviceName	string	Fully qualified domain name (FQDN) of the device.
EmailClusterId	string	Identifier for the group of similar emails clustered based on heuristic analysis of their contents.
EmailSubject	string	Subject of the email.
EntityRole	string	Indicates whether the entity is impacted or merely related.
EntityType	string	Type of object, such as a file, a process, a device, or a user.
FileName	string	Name of the file involved in the alert. Empty unless EntityType is "File" or "Process".
FileSize	long	Size of the file in bytes. Empty unless EntityType is "File" or "Process"
FolderPath	string	Folder containing the file. Empty unless EntityType is "File" or "Process".
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
LocalIP	string	IP address assigned to the local machine used during communication.
NetworkMessageId	string	Unique identifier for the email in UUID format, generated by Office 365.
OAuthApplicationId	string	Unique identifier of the third-party OAuth application in UUID format.
ProcessCommandLine	string	Command line used to create the new process.
RegistryKey	string	Registry key that the recorded action was applied to.
RegistryValueData	string	Data of the registry value that the recorded action was applied to.
RegistryValueName	string	Name of the registry value that the recorded action was applied to.
RemoteIP	string	IP address that was being connected to.
RemoteUrl	string	URL or fully qualified domain name (FQDN) that was being connected to.
ServiceSource	string	Product or service that provided the alert information.
SHA1	string	SHA-1 hash of the file. Empty unless EntityType is "File" or "Process".
SHA256	string	SHA-256 of the file. Empty unless EntityType is "File" or "Process".
SourceSystem	string	The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId	string	The Log Analytics workspace ID
ThreatFamily	string	Malware family that the suspicious or malicious file or process has been classified under.
TimeGenerated	datetime	Date and time when the record was generated.
Type	string	The name of the table