Merge pull request #2840 from MicrosoftDocs/maccruz-datasecip

Added columns based on task

Author: padmagit77

defender-xdr/advanced-hunting-datasecuritybehaviors-table.md

@@ -47,12 +47,12 @@ For information on other tables in the advanced hunting schema, [see the advance
 |-------------|-----------|-------------|
 |`Timestamp` | `datetime`	| Date and time when the record was generated or updated |
 |`BehaviorId` | `string` | Unique identifier for the behavior |
-|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management |
+|`ActionType`|	`string`|Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management. |
 |`StartTime`|	`datetime`	|Date and time of the first activity related to the behavior|
 |`EndTime`|	`datetime`|	Date and time of the last activity related to the behavior|
 |`AttackTechniques`|	`string`|	MITRE ATT&CK techniques associated with the activity that triggered the behavior. Refer to subtechniques in the insider risk management behavior catalog.|
 |`Categories`|	`string`|	Type of threat indicator or breach activity identified by the behavior|
-|`ActivityType`|	`enum`|	Activity category based on categories in Microsoft Purview Insider Risk Management|
+|`ActionCategory`|	`enum`|	Category of action that triggered the event |
 |`Description`|	`string`|	Description of the behavior|
 |`ServiceSource`|	`string`|	Product or service that identified the behavior|
 |`DetectionSource`|	`string`|	Detection technology or sensor that identified the notable component or activity|

defender-xdr/advanced-hunting-datasecurityevents-table.md

@@ -50,7 +50,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`DlpPolicyMatchInfo`|	`string`|	Information around the list of data loss prevention (DLP) policies matching this event|
 |`DlpPolicyEnforcementMode`|	`int`|	Indicates the Data Loss Prevention policy that was enforced; value can be: 0 (None), 1 (Audit), 2 (Warn), 3 (Warn and bypass), 4 (Block), 5 (Allow)|
 |`DlpPolicyRuleMatchInfo`|	`dynamic`|	Details of the data loss prevention (DLP)  rules that matched with this event; in JSON array format|
-|`FileRenameInfo`|`string`|	Details of the file (file name and extension) prior to this event|
+|`FileRenameInfo`|`string`|	Details of the file (file name and extension) before this event|
 |`PhysicalAccessPointId`|	`string`|	Unique identifier for the physical access point|
 |`PhysicalAccessPointName`|	`string`|	Name of the physical access point|
 |`PhysicalAccessStatus`	|`string`|	Status of physical access, whether it succeeded or failed|
@@ -67,7 +67,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`Department`|`string`|	Name of the department that the account user belongs to|
 |`SourceCodeInfo`|	`string`|	Details of the source code repository involved in the event|
 |`CcPolicyMatchInfo`|	`dynamic` | Details of the Communications Compliance policy matches for this event; in JSON array format |
-|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts|
+|`IPAddress`|	`string`|	IP addresses of the clients on which the activity was performed; can contain multiple IPs if related to Microsoft Defender for Cloud Apps alerts|
 |`Timestamp`|	`datetime`|	Date and time when the event was recorded|
 |`DeviceSourceLocationType`|	`int`|	Indicates the type of location where the endpoint signals originated from; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
 |`DeviceDestinationLocationType`|	`int`|	Indicates the type of location where the endpoint signals connected to; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
@@ -82,8 +82,8 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`InternetMessageId`|`string`	|Public-facing identifier for the email or Teams message that is set by the sending email system |
 |`NetworkMessageId`|	`guid`|	Unique identifier for the email, generated by Microsoft 365 |
 |`EmailSubject`|	`string`|	Subject of the email|
-|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files it includes the extension|
-|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files it includes the extension|
+|`ObjectId`|	`string`	|Unique identifier of the object that the recorded action was applied to, in case of files, it includes the extension|
+|`ObjectName`|	`string`|	Name of the object that the recorded action was applied to, in case of files, it includes the extension|
 |`ObjectType`|	`string`|	Type of object, such as a file or a folder, that the recorded action was applied to|
 |`ObjectSize`|	`int`|	Size of the object in bytes|
 |`IsHidden`|	`bool`|	Indicates whether the user has marked the content as hidden (True) or not (False) |
@@ -102,6 +102,7 @@ For information on other tables in the advanced hunting schema, [see the advance
 |`Workload`|`string`|	The Microsoft 365 service where the event occurred|
 |`IrmActionCategory`|	`enum`|	A unique enumeration value indicating the activity category in Microsoft Purview Insider Risk Management|
 |`SequenceCorrelationId`|`string`	|Details of the sequence activity|
+|`CloudAppAlertId`|`string`	| Unique identifier for the alert in Microsoft Defender for Cloud Apps |
 
 
 ## Related articles