You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-cloudappevents-table.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -39,13 +39,13 @@ For information on other tables in the advanced hunting schema, [see the advance
39
39
|`ActionType`|`string`| Type of activity that triggered the event |
40
40
|`Application`|`string`| Application that performed the recorded action |
41
41
|`ApplicationId`|`int`| Unique identifier for the application |
42
-
|`AppInstanceId`|`int`| Unique identifier for the instance of an application. To convert this to Microsoft Defender for Cloud Apps App-connector-ID, use `CloudAppEvents| distinct ApplicationId,AppInstanceId,binary_or(binary_shift_left(AppInstanceId,20),ApplicationId|order by ApplicationId,AppInstanceId` |
42
+
|`AppInstanceId`|`int`| Unique identifier for the instance of an application. To convert this to Microsoft Defender for Cloud Apps App-connector-ID, use `CloudAppEvents| distinct ApplicationId,AppInstanceId,binary_or(binary_shift_left(AppInstanceId,20),Application|order by ApplicationId,AppInstanceId` |
43
43
|`AccountObjectId`|`string`| Unique identifier for the account in Microsoft Entra ID |
44
44
|`AccountId`|`string`| An identifier for the account as found by Microsoft Defender for Cloud Apps. Could be Microsoft Entra ID, user principal name, or other identifiers. |
45
45
|`AccountDisplayName`|`string`| Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. |
46
46
|`IsAdminOperation`|`bool`| Indicates whether the activity was performed by an administrator |
47
47
|`DeviceType`|`string`| Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
48
-
|`OSPlatform`|`string`| Platform of the operating system running on the device. This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |
48
+
|`OSPlatform`|`string`| Platform of the operating system running on the device. This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. |
49
49
|`IPAddress`|`string`| IP address assigned to the device during communication |
50
50
|`IsAnonymousProxy`|`boolean`| Indicates whether the IP address belongs to a known anonymous proxy |
51
51
|`CountryCode`|`string`| Two-letter code indicating the country where the client IP address is geolocated |
@@ -67,10 +67,10 @@ For information on other tables in the advanced hunting schema, [see the advance
67
67
|`RawEventData`|`dynamic`| Raw event information from the source application or service in JSON format |
68
68
|`AdditionalFields`|`dynamic`| Additional information about the entity or event |
69
69
|`LastSeenForUser`|`dynamic`|Indicates the number of days since a specific attribute was last seen for the user. A value of 0 means the attribute was seen today, a negative value indicates the attribute is being seen for the first time, and a positive value represents the number of days since the attribute was last seen. For example: `{"ActionType":"0","OSPlatform":"4","ISP":"-1"}`|
70
-
|`UncommonForUser`|`dynamic`|Lists the attributes in the event that are considered uncommon for the user. Using this data can help rule out false positives and find anomalies. For example: `["ActivityType","ActionType"]`|
71
-
|`AuditSource`|`string`|Audit data source. Possible values are one of the following: <br>- Defender for Cloud Apps access control <br>- Defender for Cloud Apps session control <br>- Defender for Cloud Apps app connector |
70
+
|`UncommonForUser`|`dynamic`|Lists the attributes in the event that are uncommon for the user, helping to rule out false positives and find anomalies. For example: `["ActivityType","ActionType"].` To filter out nonanomalous results: events with low or insignificant security value won't go through enrichment processes and will have a value of "", while high-value events will go through enrichment processes and, if no anomalies are found, will have a value of "[]".|
71
+
|`AuditSource`|`string`|Audit data source. Possible values are one of the following: <br>- Defender for Cloud Apps access control <br>- Defender for Cloud Apps session control <br>- Defender for Cloud Apps app connector |
72
72
|`SessionData`|`dynamic`|The Defender for Cloud Apps session ID for access or session control. For example: `{InLineSessionId:"232342"}`|
73
-
|`OAuthAppId`|`string`|A unique identifier that is assigned to an application when it is registered to Microsoft Entra with OAuth 2.0 protocol.|
73
+
|`OAuthAppId`|`string`|A unique identifier that is assigned to an application when it's registered to Microsoft Entra with OAuth 2.0 protocol.|
0 commit comments