You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-xdr/advanced-hunting-datasecurityevents-table.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -34,7 +34,7 @@ ms.date: 02/11/2025
34
34
> [!IMPORTANT]
35
35
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
36
36
37
-
The `DataSecurityEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions. Each log represents a single user activity enriched with proprietory Microsoft detections (like sensitive info types) and user-defined enrichment labels like domain categories, sensitivity labels, and others.
37
+
The `DataSecurityEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user activities that violate user-defined or default policies in the Microsoft Purview suite of solutions. Each log represents a single user activity enriched with proprietary Microsoft detections (like sensitive info types) and user-defined enrichment labels like domain categories, sensitivity labels, and others.
38
38
39
39
Use this reference to construct queries that return information from this table.
40
40
@@ -72,8 +72,8 @@ For information on other tables in the advanced hunting schema, [see the advance
72
72
|`DeviceSourceLocationType`|`int`| Indicates the type of location where the endpoint signals originated from; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
73
73
|`DeviceDestinationLocationType`|`int`| Indicates the type of location where the endpoint signals connected to; values can be: 0 (Unknown), 1 (Local), 2 (Remote), 3 (Removable), 4 (Cloud), 5 (File share)|
74
74
|`IrmPolicyMatchInfo`|`dynamic`| Details of Insider Risk Management policy matches for the content involved in the event; in JSON array format |
75
-
|`UnallowedUrlDomains`|`string`| Websites or service URLs involved in this event that are configured as Unallowed in Insider Risk Management global settings|
76
-
|`ExternalUrlDomains`|`string`| Websites or service URLs involved in this event that are classified as External in Insider Risk Management global settings|
75
+
|`UnallowedUrlDomains`|`string`| Websites or service URLs involved in this event that is configured as Unallowed in Insider Risk Management global settings|
76
+
|`ExternalUrlDomains`|`string`| Websites or service URLs involved in this event that is classified as External in Insider Risk Management global settings|
77
77
|`UrlDomainInfo`|`string`| Details about the websites or service URLs involved in the event|
78
78
|`SourceUrlDomain`|`string`| Domain where the device and email signals originated|
79
79
|`TargetUrlDomain`|`string`| Domain where the content was shared with or the user has browsed to|
0 commit comments