|
| 1 | +--- |
| 2 | +title: AlertEvidence table in the advanced hunting schema |
| 3 | +description: Learn about information associated with alerts in the AlertEvidence table of the advanced hunting schema |
| 4 | +search.appverid: met150 |
| 5 | +ms.service: defender-xdr |
| 6 | +ms.subservice: adv-hunting |
| 7 | +f1.keywords: |
| 8 | + - NOCSH |
| 9 | +ms.author: maccruz |
| 10 | +author: schmurky |
| 11 | +ms.localizationpriority: medium |
| 12 | +manager: dansimp |
| 13 | +audience: ITPro |
| 14 | +ms.collection: |
| 15 | +- m365-security |
| 16 | +- tier3 |
| 17 | +ms.custom: |
| 18 | +- cx-ti |
| 19 | +- cx-ah |
| 20 | +appliesto: |
| 21 | + - Microsoft Defender XDR |
| 22 | + - Microsoft Sentinel in the Microsoft Defender portal |
| 23 | +ms.topic: reference |
| 24 | +ms.date: 03/28/2025 |
| 25 | +--- |
| 26 | + |
| 27 | +# AlertEvidence |
| 28 | + |
| 29 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] |
| 30 | + |
| 31 | + |
| 32 | + |
| 33 | +The `AlertEvidence` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table. |
| 34 | + |
| 35 | +This advanced hunting table is populated by records from Microsoft Defender for Endpoint. If your organization hasn’t deployed the service in Microsoft Defender XDR, queries that use the table aren’t going to work or return any results. For more information about how to deploy Defender for Endpoint in Defender XDR, read [Deploy supported services](deploy-supported-services.md). |
| 36 | + |
| 37 | +For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). |
| 38 | + |
| 39 | +| Column name | Data type | Description | |
| 40 | +|-------------|-----------|-------------| |
| 41 | +| `Timestamp` | `datetime` | Date and time when the event was recorded | |
| 42 | +| `AlertId` | `string` | Unique identifier for the alert | |
| 43 | +| `Title` | `string` | Title of the alert | |
| 44 | +| `Categories` | `string` | List of categories that the information belongs to, in JSON array format | |
| 45 | +| `AttackTechniques` | `string` | MITRE ATT&CK techniques associated with the activity that triggered the alert | |
| 46 | +| `ServiceSource` | `string` | Product or service that provided the alert information | |
| 47 | +| `DetectionSource` | `string` | Detection technology or sensor that identified the notable component or activity | |
| 48 | +| `EntityType` | `string` | Type of object, such as a file, a process, a device, or a user | |
| 49 | +| `EvidenceRole` | `string` | How the entity is involved in an alert, indicating whether it is impacted or is merely related | |
| 50 | +| `EvidenceDirection` | `string` | Indicates whether the entity is the source or the destination of a network connection | |
| 51 | +| `FileName` | `string` | Name of the file that the recorded action was applied to | |
| 52 | +| `FolderPath` | `string` | Folder containing the file that the recorded action was applied to | |
| 53 | +| `SHA1` | `string` | SHA-1 of the file that the recorded action was applied to | |
| 54 | +| `SHA256` | `string` | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | |
| 55 | +| `FileSize` | `long` | Size of the file in bytes | |
| 56 | +| `ThreatFamily` | `string` | Malware family that the suspicious or malicious file or process has been classified under | |
| 57 | +| `RemoteIP` | `string` | IP address that was being connected to | |
| 58 | +| `RemoteUrl` | `string` | URL or fully qualified domain name (FQDN) that was being connected to | |
| 59 | +| `AccountName` | `string` | User name of the account | |
| 60 | +| `AccountDomain` | `string` | Domain of the account | |
| 61 | +| `AccountSid` | `string` | Security Identifier (SID) of the account | |
| 62 | +| `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID | |
| 63 | +| `AccountUpn` | `string` | User principal name (UPN) of the account | |
| 64 | +| `DeviceId` | `string` | Unique identifier for the device in the service | |
| 65 | +| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device | |
| 66 | +| `LocalIP` | `string` | IP address assigned to the local device used during communication | |
| 67 | +| `NetworkMessageId` | `string` | Unique identifier for the email, generated by Office 365 | |
| 68 | +| `EmailSubject` | `string` | Subject of the email | |
| 69 | +| `Application` | `string` | Application that performed the recorded action | |
| 70 | +| `ApplicationId` | `int` | Unique identifier for the application | |
| 71 | +| `OAuthApplicationId` | `string` | Unique identifier of the third-party OAuth application | |
| 72 | +| `ProcessCommandLine` | `string` | Command line used to create the new process | |
| 73 | +| `RegistryKey` |`string` | Registry key that the recorded action was applied to | |
| 74 | +| `RegistryValueName` |`string` | Name of the registry value that the recorded action was applied to | |
| 75 | +| `RegistryValueData` |`string` | Data of the registry value that the recorded action was applied to | |
| 76 | +| `AdditionalFields` | `string` | Additional information about the entity or event | |
| 77 | +| `Severity` | `string` | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | |
| 78 | +| `CloudResource` | `string` | Cloud resource name | |
| 79 | +| `CloudPlatform` | `string` | The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform | |
| 80 | +| `ResourceType` | `string` | Type of cloud resource | |
| 81 | +| `ResourceID` | `string` | Unique identifier of the cloud resource accessed | |
| 82 | +| `SubscriptionId` | `string` | Unique identifier of the cloud service subscription | |
| 83 | + |
| 84 | +## Related topics |
| 85 | +- [Advanced hunting overview](advanced-hunting-overview.md) |
| 86 | +- [Learn the query language](advanced-hunting-query-language.md) |
| 87 | +- [Use shared queries](advanced-hunting-shared-queries.md) |
| 88 | +- [Hunt across devices, emails, apps, and identities](advanced-hunting-query-emails-devices.md) |
| 89 | +- [Understand the schema](advanced-hunting-schema-tables.md) |
| 90 | +- [Apply query best practices](advanced-hunting-best-practices.md) |
| 91 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/defender-m3d-techcommunity.md)] |
0 commit comments