AlertEvidence

Files, IP addresses, URLs, users, or devices associated with alerts.

Categories

  • Security

Solutions

  • Microsoft Sentinel

Columns

Column              Type      Description
------------------  --------  -----------------------------------------------------------------
AccountDomain       string    Domain of the account
AccountName         string    User name of the account
AccountObjectId     string    Unique identifier for the account in Azure Active Directory
AccountSid          string    Security Identifier (SID) of the account
AccountUpn          string    User principal name (UPN) of the account
AdditionalFields    dynamic   Additional information about the event in JSON array format
AlertId             string    Unique identifier for the alert
Application         string    Application that performed the recorded action
ApplicationId       int       Unique identifier for the application
DeviceId            string    Unique identifier for the device in the service
DeviceName          string    Fully qualified domain name (FQDN) of the machine
EmailSubject        string    Subject of the email
EntityType          string    Type of object, such as a file, a process, a device, or a user
EvidenceDirection   string    Indicates whether the entity is the source or the destination of a network connection
EvidenceRole        string    How the entity is involved in an alert, indicating whether it is impacted or merely related
FileName            string    Name of the file that the recorded action was applied to
FileSize            long      Size of the file in bytes
FolderPath          string    Folder containing the file that the recorded action was applied to
LocalIP             string    IP address assigned to the local device used during communication
NetworkMessageId    string    Unique identifier for the email, generated by Office 365
OAuthApplicationId  string    Unique identifier of the third-party OAuth application
ProcessCommandLine  string    Command line used to create the new process
RegistryKey         string    Registry key that the recorded action was applied to
RegistryValueData   string    Data of the registry value that the recorded action was applied to
RegistryValueName   string    Name of the registry value that the recorded action was applied to
RemoteIP            string    IP address that was being connected to
RemoteUrl           string    URL or fully qualified domain name (FQDN) that was being connected to
ServiceSource       string    Product or service that provided the alert information
SHA1                string    SHA-1 of the file that the recorded action was applied to
SHA256              string    SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available
SourceSystem        string
TenantId            string
ThreatFamily        string    Malware family that the suspicious or malicious file or process has been classified under
TimeGenerated       datetime  Date and time (UTC) when the record was generated
Type                string    The name of the table