AlertEvidence
Includes files, IP addresses, URLs, users, or devices associated with alerts.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time transformation | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountObjectId | string | Unique identifier for the account in Azure Active Directory. |
| AccountSid | string | Security Identifier (SID) of the account. |
| AccountUpn | string | User principal name (UPN) of the account. |
| AdditionalFields | dynamic | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. |
| Application | string | Application that performed the recorded action. |
| ApplicationId | int | Unique identifier for the application. |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert. |
| _BilledSize | real | The record size in bytes |
| Categories | string | List of categories that the information belongs to, in JSON array format. |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine. |
| EmailSubject | string | Subject of the email. |
| EntityType | string | Type of object, such as a file, a process, a device, or a user. |
| EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection. |
| EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| LocalIP | string | IP address assigned to the local device used during communication. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application. |
| ProcessCommandLine | string | Command line used to create the new process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ServiceSource | string | Product or service that provided the alert information. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Title | string | Title of the alert. |
| Type | string | The name of the table |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for