AlertEvidence
Files, IP addresses, URLs, users, or devices associated with alerts.
Categories
- Security
Solutions
- Microsoft Sentinel
Columns
| Column | Type | Description |
|---|---|---|
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountObjectId | string | Unique identifier for the account in Azure Active Directory |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| AdditionalFields | dynamic | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| Application | string | Application that performed the recorded action |
| ApplicationId | int | Unique identifier for the application |
| DeviceId | string | Unique identifier for the device in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
| EmailSubject | string | Subject of the email |
| EntityType | string | Type of object, such as a file, a process, a device, or a user |
| EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection |
| EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related |
| FileName | string | Name of the file that the recorded action was applied to |
| FileSize | long | Size of the file in bytes |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| LocalIP | string | IP address assigned to the local device used during communication |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365 |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application |
| ProcessCommandLine | string | Command line used to create the new process |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RemoteIP | string | IP address that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ServiceSource | string | Product or service that provided the alert information |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| SourceSystem | string | |
| TenantId | string | |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
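The following KQL query is an added example for this reference page, not part of the page or of Microsoft's own documentation. It uses only the columns listed above to roll up the entities attached to each alert and to surface file evidence whose SHA-1 was observed on more than one device; it assumes `EntityType` carries the value `File` for file entities and `EvidenceRole` carries the value `Impacted` for impacted entities, neither of which this page enumerates.

```kql
// Added example, not from the reference page. Assumes EntityType == "File" marks file
// evidence and EvidenceRole == "Impacted" marks impacted entities (assumed values).
let lookback = 7d;
let evidence =
    AlertEvidence
    | where TimeGenerated > ago(lookback)
    | where isnotempty(AlertId);
// File evidence whose SHA-1 was seen on more than one distinct device in the window
let spreadingFiles =
    evidence
    | where EntityType == "File" and isnotempty(SHA1) and isnotempty(DeviceId)
    | summarize
        DeviceCount = dcount(DeviceId),
        AlertCount = dcount(AlertId),
        Families = make_set(ThreatFamily),
        FileNames = make_set(FileName)
      by SHA1
    | where DeviceCount > 1;
// Per-alert roll-up of the entities attached to each alert
let alertSummary =
    evidence
    | summarize
        FirstSeen = min(TimeGenerated),
        Sources = make_set(ServiceSource),
        EntityTypes = make_set(EntityType),
        ImpactedDevices = make_set_if(DeviceName, EvidenceRole == "Impacted" and isnotempty(DeviceName)),
        ImpactedUsers = make_set_if(AccountUpn, EvidenceRole == "Impacted" and isnotempty(AccountUpn)),
        RemoteIPs = make_set_if(RemoteIP, isnotempty(RemoteIP)),
        RemoteUrls = make_set_if(RemoteUrl, isnotempty(RemoteUrl))
      by AlertId;
// Tie each spreading file back to the alerts it appears in, with that alert's context
evidence
| where isnotempty(SHA1)
| distinct AlertId, SHA1
| join kind=inner spreadingFiles on SHA1
| join kind=inner alertSummary on AlertId
| project FirstSeen, AlertId, Sources, SHA1, FileNames, Families, DeviceCount, AlertCount,
          ImpactedDevices, ImpactedUsers, RemoteIPs, RemoteUrls
| order by DeviceCount desc, FirstSeen asc
```

The SHA1 column is used as the file key because the page notes that SHA256 is usually not populated in this table.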