Microsoft Sentinel entity types reference

This document contains two sets of information regarding entities and entity types in Microsoft Sentinel and the Microsoft unified security operations platform.

  • The Entity types and identifiers table shows the different types of entities that can be identified in alerts and incidents, allowing you to track and investigate them. The table also shows, for each entity type, the different identifiers that can be used to identify an entity.
  • The Entity schema section shows the data structure and schema for entities in general and for each entity type in particular.


Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Entity types and identifiers

The following table shows the entity types that can be recognized by Microsoft Sentinel, and the attributes that can be used as identifiers for each entity type.

Microsoft Sentinel recognizes entities in alerts and incidents that are created by entity mapping in analytics rules. It also recognizes entities already identified in alerts ingested from other sources.

You can currently use up to three identifiers for a given entity when creating an entity mapping in Microsoft Sentinel. Strong identifiers alone are sufficient to uniquely identify an entity, whereas weak identifiers can do so only in combination with other identifiers. Learn more about strong and weak identifiers. Most but not all identifiers in this table can be used when creating entity mappings in Microsoft Sentinel (see footnotes).

Entity type | Identifiers | Strong identifiers | Weak identifiers
Account | Name, FullName *, DisplayName * | Name+UPNSuffix, AadUserId, Sid **, Sid+Host **, Name+Host+NTDomain **, Name+NTDomain **, Name+DnsDomain, PUID, ObjectGuid | Name
Host | DnsDomain, FullName * | HostName+NTDomain, HostName+DnsDomain, NetBiosName+NTDomain, NetBiosName+DnsDomain, AzureID, OMSAgentID, IoTDevice | HostName, NetBiosName
IP | Address | Address **, Address+AddressScope ** |
URL | Url | Url (if absolute URL) ** | Url (if relative URL) **
Azure resource | ResourceId | ResourceId |
Cloud application | | AppId (without InstanceName), Name (without InstanceName), AppId+InstanceName, Name+InstanceName |
DNS resolution | DomainName | DomainName+DnsServerIp+HostIpAddress | DomainName+HostIpAddress
File | Directory | Name+Directory, Name+FileHash, Name+Directory+FileHash |
File hash | | Algorithm+Value |
Malware | Name | Name+Category |
Process | ProcessId | Host+ProcessId+CreationTimeUtc, Host+ParentProcessId+CreationTimeUtc+CommandLine, Host+ProcessId+CreationTimeUtc+ImageFile, Host+ProcessId+CreationTimeUtc+ImageFile.FileHash | ProcessId+CreationTimeUtc+CommandLine (no Host), ProcessId+CreationTimeUtc+ImageFile (no Host)
Registry key | | Hive+Key |
Registry value | | Key+Name | Name (no Key)
Security group | | DistinguishedName, SID, ObjectGuid |
Mailbox | MailboxPrimaryAddress | MailboxPrimaryAddress |
Mail cluster | ClusterSourceIdentifier *, ClusterSourceType *, ClusterQueryStartTime *, ClusterQueryEndTime *, ClusterGroup * | Query+Source |
Mail message | P1Sender *, P1SenderDisplayName *, P1SenderDomain *, P2Sender *, P2SenderDisplayName *, P2SenderDomain *, BodyFingerprintBin1 *, BodyFingerprintBin2 *, BodyFingerprintBin3 *, BodyFingerprintBin4 *, BodyFingerprintBin5 *, Language *, ThreatDetectionMethods * | NetworkMessageId+Recipient |
Submission mail | | SubmissionId+Submitter+NetworkMessageId+Recipient |

Table footnotes:

  • * These identifiers appear in the list of identifiers that can be used in entity mapping, but strictly speaking they are not part of the entity schema.
  • ** These identifiers are considered strong only under certain conditions. See the conditions that apply under the relevant entity's listing in the entity schemas section below.
  • Identifier names without an asterisk that are themselves entity types (for example Host, ImageFile, DnsServerIp, HostIpAddress, Key, and IoTDevice) represent internal entities, which means that one entity type can have other entity types as attributes (see the entity schemas section below). See the internal entity's own schema for its fields.

Entity type schemas

The following section contains a more in-depth look at the full schemas of each entity type. You'll notice that many of these schemas include links to other entity types. For example, the Account schema includes a link to the Host entity type, since one attribute of a user account is the host it's defined on. These entities-as-attributes are known as "internal entities", and they can't be used as identifiers for entity mapping, but they are very useful in giving a complete picture of entities on entity pages and the investigation graph.


A question mark following the value in the Type column indicates the field is nullable.

List of entity type schemas


Entity name: Account

Field Type Description
Type String 'account'
Name String The name of the account. This field should hold only the name without any domain added to it.
FullName -- Not part of schema, included for backward compatibility with old version of entity mapping.
NTDomain String The NETBIOS domain name as it appears in the alert format—domain\username. Examples: Finance, NT AUTHORITY
DnsDomain String The fully qualified domain DNS name. Examples: finance.contoso.com
UPNSuffix String The user principal name suffix for the account. In many cases the UPN Suffix is also the domain name. Examples: contoso.com
Host Entity (Host) The host that contains the account, if it's a local account.
Sid String The account's security identifier.
AadTenantId Guid? The Microsoft Entra tenant ID, if known.
AadUserId Guid? The Microsoft Entra account object ID, if known.
PUID Guid? The Microsoft Entra Passport User ID, if known.
IsDomainJoined Bool? Indicates whether the account is a domain account.
DisplayName -- Not part of schema, included for backward compatibility with old version of entity mapping.
ObjectGuid Guid? The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory.
CloudAppAccountId String The AccountID in alerts from the CloudApp provider. Refers to account IDs in third-party apps that are not supported in other Microsoft products.
IsAnonymized Bool? Indicates whether the user name is anonymized. Optional. Default value: false.
Stream Stream The source of discovery logs related to the specific account. Optional.

Strong identifiers of an account entity

  • Name + UPNSuffix
  • AadUserId
  • Sid
    ** This identifier is strong as long as the account is not one of the built-in accounts listed in the Note below.
  • Sid + Host
    ** When the account is one of the built-in accounts listed in the Note below, the Host component is required to make this identifier a strong one.
  • Name + NTDomain
    ** This combination is a strong identifier when the account is a domain account, since NTDomain is not a built-in domain/workgroup and is different from the host name. In this case, this is a strong identifier even without the Host component.
  • Name + NTDomain + Host
    ** The Host component is necessary to create a strong identifier when the account is a local account, meaning that the NTDomain is a built-in domain/workgroup.
  • Name + DnsDomain
  • PUID
  • ObjectGuid

Weak identifiers of an account entity

  • Name


If the Account entity is defined using the Name identifier, and the Name value of a particular entity is one of the following generic, commonly built-in account names, then that entity will be dropped from its alert.

  • ROOT
  • NULL



Entity name: Host

Field Type Description
Type String 'host'
IpInterfaces List<Entity (Ip)> List of all IP interfaces on the host machine.
DnsDomain String The DNS domain that this host belongs to. Should contain the complete DNS suffix for the domain, if known.
NTDomain String The NT domain that this host belongs to.
HostName String The hostname without the domain suffix.
NetBiosName String The host name (pre-Windows 2000).
IoTDevice Entity (IoT Device) The IoT Device entity (if this host represents an IoT Device).
AzureID String The Azure resource ID of the VM, if known.
OMSAgentID String The OMS agent ID, if the host has OMS agent installed.
OSFamily Enum? One of the following values:
  • Linux
  • Windows
  • Android
  • IOS
  • Mac
OSVersion String A free-text representation of the operating system. This field is meant to hold specific versions that are more fine-grained than OSFamily, or future values not supported by the OSFamily enumeration.
IsDomainJoined Bool Indicates whether this host belongs to a domain.

Strong identifiers of a host entity

  • HostName + NTDomain
  • HostName + DnsDomain
  • NetBiosName + NTDomain
  • NetBiosName + DnsDomain
  • AzureID
  • OMSAgentID
  • IoTDevice

Weak identifiers of a host entity

  • HostName
  • NetBiosName



Entity name: IP

Field Type Description
Type String 'ip'
Address String The IP address as a string, in either IPv4 or IPv6 form.
AddressScope String Name of the host, subnet, or private network for private, non-global IP addresses. Null or empty for global IP addresses (default).
Location GeoLocation The geo-location context attached to the IP entity. For more information, see also Enrich entities in Microsoft Sentinel with geolocation data via REST API (Public preview).
Stream Stream The source of discovery logs related to the specific IP. Optional.

Strong identifiers of an IP entity

  • Address
    ** Address alone is a unique, strong identifier when the IP address is a global address.
  • Address + AddressScope
    ** For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifier.

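The conditional rules for Account and IP identifiers (Sid and Name+NTDomain strong only for non-built-in accounts, Address strong only for global addresses, ROOT and NULL dropped, at most three identifiers per mapping) are easy to get wrong when authoring an analytics rule. The following Python check is an added example, not Microsoft code; it encodes those rules as a pre-flight validation of an entity mapping. The page lists no built-in NTDomain values beyond the NT AUTHORITY example, so BUILTIN and WORKGROUP are assumptions, and the sample mappings are constructed.

```python
"""Pre-flight check for Sentinel Account and IP entity mappings.

Added example (not Microsoft code). Encodes the strong/weak identifier
rules stated on this page. Assumption: the page does not list which
NTDomain values are "built-in domains/workgroups"; NT AUTHORITY is the
page's example value, BUILTIN and WORKGROUP are assumed here.
"""
from ipaddress import ip_address

BUILTIN_NT_DOMAINS = {"NT AUTHORITY", "BUILTIN", "WORKGROUP"}  # assumption
DROPPED_ACCOUNT_NAMES = {"ROOT", "NULL"}  # page: entity dropped from alert
MAX_IDENTIFIERS = 3  # page: up to three identifiers per entity mapping


def _present(e: dict, *fields: str) -> bool:
    """True when every named field is mapped to a non-empty value."""
    return all(e.get(f) not in (None, "") for f in fields)


def within_mapping_limit(e: dict) -> bool:
    """Entity mapping accepts at most three identifiers per entity."""
    return sum(1 for v in e.values() if v not in (None, "")) <= MAX_IDENTIFIERS


def classify_account(e: dict, builtin_account: bool = False) -> str:
    """Return 'dropped', 'strong', 'weak' or 'insufficient' for an Account.

    builtin_account marks a Sid that belongs to a built-in account; the page
    says Sid alone is then not strong and Sid + Host is required instead.
    """
    name = e.get("Name")
    if name and name.upper() in DROPPED_ACCOUNT_NAMES:
        return "dropped"
    # Identifiers the page lists as strong without conditions.
    if any(_present(e, f) for f in ("AadUserId", "PUID", "ObjectGuid")):
        return "strong"
    if _present(e, "Name", "UPNSuffix") or _present(e, "Name", "DnsDomain"):
        return "strong"
    # Sid: strong, unless the account is built in; then Host is needed too.
    if _present(e, "Sid") and (not builtin_account or _present(e, "Host")):
        return "strong"
    # Name + NTDomain: strong for a domain account; a local account (NTDomain
    # is a built-in domain/workgroup) also needs the Host component.
    if _present(e, "Name", "NTDomain"):
        is_local = e["NTDomain"].upper() in BUILTIN_NT_DOMAINS
        if not is_local or _present(e, "Host"):
            return "strong"
    # Name on its own is the only weak identifier the page lists.
    return "weak" if _present(e, "Name") else "insufficient"


def classify_ip(e: dict) -> str:
    """Address alone is strong for a global IP; private/non-global addresses
    need AddressScope as well. Returns 'strong' or 'insufficient'."""
    if not _present(e, "Address"):
        return "insufficient"
    if ip_address(e["Address"]).is_global or _present(e, "AddressScope"):
        return "strong"
    return "insufficient"


if __name__ == "__main__":
    # Constructed sample mappings, as an analytics rule author might write them.
    samples = [
        ("account", {"Name": "jdoe", "UPNSuffix": "contoso.com"}),
        ("account", {"Name": "SYSTEM", "NTDomain": "NT AUTHORITY"}),
        ("account", {"Name": "root"}),
        ("ip", {"Address": "10.0.0.5"}),
        ("ip", {"Address": "10.0.0.5", "AddressScope": "corp-lan"}),
    ]
    for kind, mapping in samples:
        verdict = classify_account(mapping) if kind == "account" else classify_ip(mapping)
        print(f"{kind:7} {mapping} -> {verdict}")
```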


Entity name: Malware

Field Type Description
Type String 'malware'
Name String The malware name assigned by the detection vendor, such as Win32/Toga!rfn.
Category String The malware category assigned by the detection vendor, for example Trojan.
Files List<Entity (File)> List of linked file entities on which the malware was found. Can contain the File entities inline or as reference. See the File entity for more details on structure.
Processes List<Entity (Process)> List of linked process entities on which the malware was found. This would often be used when the alert triggered on fileless activity. See the Process entity for more details on structure.

Strong identifiers of a malware entity

  • Name + Category



Entity name: File

Field Type Description
Type String 'file'
Directory String The full path to the file.
Name String The file name without the path (some alerts might not include the path).
AlternateDataStreamName String The file stream name in the NTFS filesystem (null for the main stream).
Host Entity (Host) The host on which the file was stored.
HostUrl Entity (URL) The URL the file was downloaded from (Mark of the Web).
WindowsSecurityZoneType WindowsSecurityZone The Windows Security Zone to which the URL belongs (Mark of the Web).
ReferrerUrl Entity (URL) The referrer URL of the file download HTTP request (Mark of the Web).
SizeInBytes Long? The size of the file in bytes.
FileHashes List<Entity (FileHash)> The file hashes associated with this file.

Strong identifiers of a file entity

  • Name + Directory
  • Name + FileHash
  • Name + Directory + FileHash



Entity name: Process

Field Type Description
Type String 'process'
ProcessId String The process ID.
CommandLine String The command line used to create the process.
ElevationToken Enum? The elevation token associated with the process. Possible values:
  • TokenElevationTypeDefault
  • TokenElevationTypeFull
  • TokenElevationTypeLimited
CreationTimeUtc DateTime? The time when the process started to run.
ImageFile Entity (File) Can contain the File entity inline or as reference. See the File entity for more details on structure.
Account Entity (Account) The account running the process. Can contain the Account entity inline or as reference. See the Account entity for more details on structure.
ParentProcess Entity (Process) The parent process entity. Can contain partial data, for example, only the PID.
Host Entity (Host) The host on which the process was running.
LogonSession Entity (HostLogonSession) The session in which the process was running.

Strong identifiers of a process entity

  • Host + ProcessId + CreationTimeUtc
  • Host + ParentProcessId + CreationTimeUtc + CommandLine
  • Host + ProcessId + CreationTimeUtc + ImageFile
  • Host + ProcessId + CreationTimeUtc + ImageFile.FileHash

Weak identifiers of a process entity

  • ProcessId + CreationTimeUtc + CommandLine (and no Host)
  • ProcessId + CreationTimeUtc + ImageFile (and no Host)


Cloud application

Entity name: CloudApplication

Field Type Description
Type String 'cloud-application'
AppId Int Deprecated; use the SaasId field instead. The technical identifier of the application. Possible values are those defined in the list of cloud application identifiers. Value optional. Should not contain InstanceId.
SaasId Int Replaces the deprecated AppId field. The technical identifier of the application. Possible values are those defined in the list of cloud application identifiers. Value optional. Should not contain InstanceId.
Name String The name of the related cloud application. Value optional.
InstanceName String The user-defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.
InstanceId Int The identifier of the specific session of the application. This is a zero-based running number. Value optional.
Risk AppRisk? Lets you filter apps by risk score so that you can focus on, for example, reviewing only highly risky apps. Possible values include Low, Medium, High, and Unknown.
Stream Stream The source of discovery logs related to the specific cloud app. Optional.

Strong identifiers of a cloud application entity

  • AppId (without InstanceName)
  • Name (without InstanceName)
  • AppId + InstanceName
  • Name + InstanceName

See the Cloud application identifiers section below.


DNS resolution

Entity name: DNS

Field Type Description
Type String 'dns'
DomainName String The name of the DNS record associated with the alert.
IpAddress List<Entity (IP)> Entities corresponding to the resolved IP addresses.
DnsServerIp Entity (IP) An entity representing the DNS server resolving the request.
HostIpAddress Entity (IP) An entity representing the DNS request client.

Strong identifiers of a DNS entity

  • DomainName + DnsServerIp + HostIpAddress

Weak identifiers of a DNS entity

  • DomainName + HostIpAddress


Azure resource

Entity name: AzureResource

Field Type Description
Type String 'azure-resource'
ResourceId String The Azure resource ID of the resource. Mandatory.
SubscriptionId String The subscription ID of the resource.
ActiveContacts List<ActiveContact> Active contacts associated with the resource.
ResourceType String The type of the resource.
ResourceName String The name of the resource.

Strong identifiers of an Azure resource entity

  • ResourceId


File hash

Entity name: FileHash

Field Type Description
Type String 'filehash'
Algorithm Enum The hash algorithm type. Mandatory. Possible values:
  • Unknown
  • MD5
  • SHA1
  • SHA256
  • SHA256AC
Value String The hash value. Mandatory.

Strong identifiers of a file hash entity

  • Algorithm + Value


Registry key

Entity name: RegistryKey

Field Type Description
Type String 'registry-key'
Hive Enum? One of the following values:
  • HKEY_A
Key String The registry key path.

Strong identifiers of a registry key entity

  • Hive + Key


Registry value

Entity name: RegistryValue

Field Type Description
Type String 'registry-value'
Host Entity (Host) The host that the registry belongs to.
Key Entity (RegistryKey) The registry key entity.
Name String The registry value name.
Value String String-formatted representation of the value data.
ValueType Enum? One of the following values:
  • String
  • Binary
  • DWord
  • Qword
  • MultiString
  • ExpandString
  • None
  • Unknown
  Values should conform to the Microsoft.Win32.RegistryValueKind enumeration.

Strong identifiers of a registry value entity

  • Key + Name

Weak identifiers of a registry value entity

  • Name (without Key)


Security group

Entity name: SecurityGroup

Field Type Description
Type String 'security-group'
DistinguishedName String The group distinguished name.
SID String A single-value attribute that specifies the security identifier (SID) of the group.
ObjectGuid Guid? A single-value attribute that is the unique identifier for the object, assigned by Active Directory.

Strong identifiers of a security group entity

  • DistinguishedName
  • SID
  • ObjectGuid



Entity name: Url

Field Type Description
Type String 'url'
Url Uri A full URL the entity points to. Mandatory.

Strong identifiers of a URL entity

  • Url (** This identifier is strong when the URL is an absolute URL.)

Weak identifiers of a URL entity

  • Url (** This identifier is weak when the URL is a relative URL.)


IoT device

Entity name: IoTDevice

Field Type Description
Type String 'iotdevice'
IoTHub Entity (AzureResource) The AzureResource entity representing the IoT Hub the device belongs to.
DeviceId String The ID of the device in the context of the IoT Hub. Mandatory.
DeviceName String The friendly name of the device.
Owners List<String> The owners for the device.
IoTSecurityAgentId Guid? The ID of the Defender for IoT agent running on the device.
DeviceType String The type of the device ('temperature sensor', 'freezer', 'wind turbine', etc.).
DeviceTypeId String A unique ID identifying each device type according to the device type schema, as the device type itself is a display name and not reliable in comparisons. Possible values:
  • Unclassified = 0
  • Miscellaneous = 1
  • Network Device = 2
  • Printer = 3
  • Audio and Video = 4
  • Media and Surveillance = 5
  • Communication = 7
  • Smart Appliance = 9
  • Workstation = 10
  • Server = 11
  • Mobile = 12
  • Smart Facility = 13
  • Industrial = 14
  • Operational Equipment = 15
Source String The source (Microsoft/Vendor) of the device entity.
SourceRef Entity (Url) A URL reference to the source item where the device is managed.
Manufacturer String The manufacturer of the device.
Model String The model of the device.
OperatingSystem String The operating system the device is running.
IpAddress Entity (IP) The current IP address of the device.
MacAddress String The MAC address of the device.
Nics Entity (Nic) The current NICs on the device.
Protocols List<String> A list of protocols that the device supports.
SerialNumber String The serial number of the device.
Site String The site location of the device.
Zone String The zone location of the device within a site.
Sensor String The sensor monitoring the device.
Importance Enum? One of the following values:
  • Low
  • Normal
  • High
PurdueLayer String The Purdue Layer of the device.
IsProgramming Bool? Indicates whether the device is classified as a programming device.
IsAuthorized Bool? Indicates whether the device is classified as an authorized device.
IsScanner Bool? Indicates whether the device is classified as a scanner device.
DevicePageLink Entity (Url) A URL to the device page in the Defender for IoT portal.
DeviceSubType String The name of the device subtype.

Strong identifiers of an IoT device entity

  • IoTHub + DeviceId

Weak identifiers of an IoT device entity

  • DeviceId (without IoTHub)



Entity name: Mailbox

Field Type Description
Type String 'mailbox'
MailboxPrimaryAddress String The mailbox's primary address.
DisplayName String The mailbox's display name.
Upn String The mailbox's UPN.
AadId String The Azure AD identifier of the mailbox's user.
RiskLevel RiskLevel? The risk level of this mailbox. Possible values:
  • None
  • Low
  • Medium
  • High
ExternalDirectoryObjectId Guid? The Azure AD identifier of the mailbox. Similar to AadUserId in the Account entity, but this property is specific to the mailbox object on the Office side.

Strong identifiers of a mailbox entity

  • MailboxPrimaryAddress


Mail cluster

Entity name: MailCluster

Field Type Description
Type String 'mail-cluster'
NetworkMessageIds IList<String> The mail message IDs that are part of the mail cluster.
CountByDeliveryStatus IDictionary<String,Int> Count of mail messages by DeliveryStatus string representation.
CountByThreatType IDictionary<String,Int> Count of mail messages by ThreatType string representation.
CountByProtectionStatus IDictionary<String,long> Count of mail messages by Protection status string representation.
CountByDeliveryLocation IDictionary<String,long> Count of mail messages by Delivery location string representation.
Threats IList<String> The threats of mail messages that are part of the mail cluster.
Query String The query that was used to identify the messages of the mail cluster.
QueryTime DateTime? The query time.
MailCount Int? The number of mail messages that are part of the mail cluster.
IsVolumeAnomaly Bool? Indicates whether the mail cluster is a volume anomaly mail cluster.
Source String The source of the mail cluster (default is O365 ATP).

Strong identifiers of a mail cluster entity

  • Query + Source


Mail message

Entity name: MailMessage

Field Type Description
Type String 'mail-message'
Files IList<Entity (File)> The File entities of this mail message's attachments.
Recipient String The recipient of this mail message. In the case of multiple recipients, the mail message is copied, and each copy has one recipient.
Urls IList<String> The URLs contained in this mail message.
Threats IList<String> The threats contained in this mail message.
Sender String The sender's email address.
SenderIP String The sender's IP address.
ReceivedDate DateTime The received date of this message.
NetworkMessageId Guid? The network message ID of this mail message.
InternetMessageId String The internet message ID of this mail message.
Subject String The subject of this mail message.
AntispamDirection Enum? The directionality of this mail message. Possible values:
  • Unknown
  • Inbound
  • Outbound
  • Intraorg (internal)
DeliveryAction Enum? The delivery action of this mail message. Possible values:
  • Unknown
  • DeliveredAsSpam
  • Delivered
  • Blocked
  • Replaced
DeliveryLocation Enum? The delivery location of this mail message. Possible values:
  • Unknown
  • Inbox
  • JunkFolder
  • DeletedFolder
  • Quarantine
  • External
  • Failed
  • Dropped
  • Forwarded
CampaignId String The identifier of the campaign in which this mail message is present.
SuspiciousRecipients IList<String> The list of recipients who were detected as suspicious.
ForwardedRecipients IList<String> The list of all recipients on the forwarded mail.
ForwardingType IList<String> The forwarding type of the mail, such as SMTP, ETR, etc.

Strong identifiers of a mail message entity

  • NetworkMessageId + Recipient


Submission mail

Entity name: SubmissionMail

Field Type Description
Type String 'SubmissionMail'
SubmissionId Guid? The Submission ID.
SubmissionDate DateTime? The reported date and time for this submission.
Submitter String The submitter's email address.
NetworkMessageId Guid? The network message ID of the email to which the submission belongs.
Timestamp DateTime? The timestamp at which the mail message was received.
Recipient String The recipient of the mail.
Sender String The sender of the mail.
SenderIp String The sender's IP.
Subject String The subject of the submission mail.
ReportType String The submission type for the given instance. Possible values are Junk, Phish, Malware, or NotJunk.

Strong identifiers of a SubmissionMail entity

  • SubmissionId + Submitter + NetworkMessageId + Recipient


Sentinel entities

Field Type Description
Entities String A list of the entities identified in the alert. This list is the entities column from the SecurityAlert schema (see documentation).

Cloud application identifiers

The following list defines identifiers for known cloud applications. The App ID value is used as a cloud application entity identifier.

