You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-datasecuritybehaviors-table.md
+9-9Lines changed: 9 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -62,15 +62,15 @@ For information on other tables in the advanced hunting schema, [see the advance
62
62
|`AccountUpn`|`string`| User principal name (UPN) of the account|
63
63
|`AccountEmail`|`string`| Email address of the account|
64
64
|`Application`|`string`|Application that performed the recorded action|
65
-
|`DeviceInfo`|`string`| List of device information for the device involved in this behavior, including device ID, device name, and the number of events in which the device is involved; displayed in JSON array format|
66
-
|`SensitivityLabelInfo`|`string`| List of sensitivity labels assigned to content involved in this behavior, including the unique identifier for the Microsoft Information Protection sensitivity label assigned to the related content, the name of the sensitivity label, and the number of events in the behavior involving this label; displayed in JSON array format|
67
-
|`SensitiveInfoTypesInfo`|`string`|List of sensitive info types detected in the content involved in this behavior, including the unique identifier for the sensitive info type, the name of the sensitive info type, and the number of events in the behavior involving this sensitive info type; displayed in JSON array format|
68
-
|`UrlDomainInfo`|`string`| List of websites or service URLs involved in the behavior, including the name of the URL domain, the direction of data (sent or received from domain), type of URL domain (customer-configured or based on watchlists), and the number of events in the behavior involving the specific domain; displayed in JSON array format|
69
-
|`SharepointSiteInfo`|`string`| List of SharePoint sites involved in this behavior, including the unique identifier for the SharePoint site, the name of the SharePoint site, and the number of events in the behavior involving the SharePoint site; displayed in JSON array format|
70
-
|`RecipientEmailInfo`|`string`| List of information about the recipient involved in the behavior, including the email address of the recipient and the number of events in the behavior involving the recipient; displayed in JSON array format|
71
-
|`RemovableMediaInfo`|`string`| List of any removable media involved in the behavior, including the serial number of the removable media device, the manufacturer of the removable media device, and the model of the removable device; displayed in JSON array format|
72
-
|`PrinterName`|`string`|List of printers involved in the behavior; displayed in array format|
73
-
|`PriorityContentMatchInfo`|`string`| List of priority content matches identified within this behavior and thier associated details. Priority content definitions are done by the admins for each Insider risk management policy.|
65
+
|`DeviceInfo`|`dynamic`| List of device information for the device involved in this behavior, including device ID, device name, and the number of events in which the device is involved; in JSON array format|
66
+
|`SensitivityLabelInfo`|`dynamic`| List of sensitivity labels assigned to content involved in this behavior, including the unique identifier for the Microsoft Information Protection sensitivity label assigned to the related content, the name of the sensitivity label, and the number of events in the behavior involving this label; in JSON array format|
67
+
|`SensitiveInfoTypesInfo`|`dynamic`|List of sensitive info types detected in the content involved in this behavior, including the unique identifier for the sensitive info type, the name of the sensitive info type, and the number of events in the behavior involving this sensitive info type; in JSON array format|
68
+
|`UrlDomainInfo`|`dynamic`| List of websites or service URLs involved in the behavior, including the name of the URL domain, the direction of data (sent or received from domain), type of URL domain (customer-configured or based on watchlists), and the number of events in the behavior involving the specific domain; in JSON array format|
69
+
|`SharepointSiteInfo`|`dynamic`| List of SharePoint sites involved in this behavior, including the unique identifier for the SharePoint site, the name of the SharePoint site, and the number of events in the behavior involving the SharePoint site; in JSON array format|
70
+
|`RecipientEmailInfo`|`dynamic`| List of information about the recipient involved in the behavior, including the email address of the recipient and the number of events in the behavior involving the recipient; in JSON array format|
71
+
|`RemovableMediaInfo`|`dynamic`| List of any removable media involved in the behavior, including the serial number of the removable media device, the manufacturer of the removable media device, and the model of the removable device; in JSON array format|
72
+
|`PrinterName`|`dynamic`|List of printers involved in the behavior; in array format|
73
+
|`PriorityContentMatchInfo`|`dynamic`| List of priority content matches identified within this behavior and thier associated details. Priority content definitions are done by the admins for each Insider risk management policy. Displayed in JSON array format.|
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-datasecurityevents-table.md
+7-7Lines changed: 7 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -49,7 +49,7 @@ For information on other tables in the advanced hunting schema, [see the advance
49
49
|`IsManagedDevice`|`bool`| Indicates if the device is managed by the organization (True) or not (False)|
50
50
|`DlpPolicyMatchInfo`|`string`| Information around the list of data loss prevention (DLP) policies matching this event|
51
51
|`DlpPolicyEnforcementMode`|`int`| Indicates the Data Loss Prevention policy that was enforced; value can be: 0 (None), 1 (Audit), 2 (Warn), 3 (Warn and bypass), 4 (Block), 5 (Allow)|
52
-
|`DlpPolicyRuleMatchInfo`|`string`| Details of the data loss prevention (DLP) rules that matched with this event; displayed in JSON array format|
52
+
|`DlpPolicyRuleMatchInfo`|`dynamic`| Details of the data loss prevention (DLP) rules that matched with this event; in JSON array format|
53
53
|`FileRenameInfo`|`string`| Details of the file (file name and extension) prior to this event|
54
54
|`PhysicalAccessPointId`|`string`| Unique identifier for the physical access point|
55
55
|`PhysicalAccessPointName`|`string`| Name of the physical access point|
@@ -66,19 +66,19 @@ For information on other tables in the advanced hunting schema, [see the advance
66
66
|`AccountObjectId`|`string`| Unique identifier for the account in Microsoft Entra ID|
67
67
|`Department`|`string`| Name of the department that the account user belongs to|
68
68
|`SourceCodeInfo`|`string`| Details of the source code repository involved in the event|
69
-
|`CcPolicyMatchInfo`|`JSON object`| Details of the Communications Compliance policy matches for this event |
69
+
|`CcPolicyMatchInfo`|`dynamic`| Details of the Communications Compliance policy matches for this event; in JSON array format|
70
70
|`IPAddress`|`string`| IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts|
71
71
|`Timestamp`|`datetime`| Date and time when the event was recorded|
72
72
|`DeviceSourceLocationType`|`int`| Indicates the type of location where the endpoint signals originated from; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
73
73
|`DeviceDestinationLocationType`| Int| Indicates the type of location where the endpoint signals connected to; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
74
-
|`IrmPolicyMatchInfo`|`JSON Object`| Details of Insider Risk Management policy matches for the content involved in the event |
74
+
|`IrmPolicyMatchInfo`|`dynamic`| Details of Insider Risk Management policy matches for the content involved in the event; in JSON array format|
75
75
|`UnallowedUrlDomains`|`string`| Websites or service URLs involved in this event that are configured as Unallowed in Insider Risk Management global settings|
76
76
|`ExternalUrlDomains`|`string`| Websites or service URLs involved in this event that are classified as External in Insider Risk Management global settings|
77
77
|`UrlDomainInfo`|`string`| Details about the websites or service URLs involved in the event|
78
78
|`SourceUrlDomain`|`string`| Domain where the device and email signals originated|
79
79
|`TargetUrlDomain`|`string`| Domain where the content was shared with or the user has browsed to|
80
80
|`EmailAttachmentCount`|`int`| Number of email attachments |
81
-
|`EmailAttachmentInfo`|Array<JSONObject>| Details of email attachments|
81
+
|`EmailAttachmentInfo`|`dynamic`| Details of email attachments; in JSON array format|
82
82
|`InternetMessageId`|`string`|Public-facing identifier for the email or Teams message that is set by the sending email system |
83
83
|`NetworkMessageId`|`guid`| Unique identifier for the email, generated by Microsoft 365 |
84
84
|`EmailSubject`|`string`| Subject of the email|
@@ -89,14 +89,14 @@ For information on other tables in the advanced hunting schema, [see the advance
89
89
|`IsHidden`|`bool`| Indicates whether the user has marked the content as hidden (True) or not (False) |
90
90
|`ActivityId`|`guid`| Unique identifier of the activity log|
91
91
|`ActionType`|`string`| Type of activity that triggered the event|
92
-
|`SensitiveInfoTypeInfo`|Array<JSONObject>| Details of Data Loss Prevention sensitive info types detected in the impacted asset|
92
+
|`SensitiveInfoTypeInfo`|`dynamic`| Details of Data Loss Prevention sensitive info types detected in the impacted asset|
93
93
|`SensitivityLabelId`|`string`|The current Microsoft Information Protection sensitivity label ID associated with the item|
94
94
|`SharepointSiteSensitivityLabelIds`|`string`| The current Microsoft Information Protection sensitivity label ID assigned to the parent site of the item related to SharePoint activities |
95
95
|`PreviousSensitivityLabelId`|`string`|The previous Microsoft Information Protection sensitivity label ID associated with the item in case of activities where the sensitivity label was changed|
96
96
|`Operation`|`string`| Name of the admin activity|
97
97
|`RecipientEmailAddress`|`string`| Email address of the recipient, or email address of the recipient after distribution list expansion|
98
-
|`SiteUrl`|`string`|xxx|
99
-
|`SourceRelativeUrl`|`string`|xxx|
98
+
|`SiteUrl`|`string`|The URL of the site where the file or folder accessed by the user is located|
99
+
|`SourceRelativeUrl`|`string`|The URL of the folder that contains the file accessed by the user|
100
100
|`TargetFilePath`|`string`| Target file path of endpoint activities|
101
101
|`PrinterName`|`string`| List of printers involved in the behavior|
102
102
|`Workload`|`string`| The Microsoft 365 service where the event occurred|
0 commit comments