The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

The AppFileEvents table in the advanced hunting schema contains information about file-related activities in cloud apps and services monitored by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.


This table will be retired soon. As of March 7, 2021, the AppFileEvents table is no longer logging records. Users hunting through file-related activities in cloud services on and beyond the said date should use the CloudAppEvents table instead.

Make sure to search for queries and custom detection rules that still use the AppFileEvents table and edit them to use the CloudAppEvents table. More guidance about converting affected queries can be found in Hunt across cloud app activities with Microsoft 365 Defender advanced hunting.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
ActionType string Type of activity that triggered the event. See the in-portal schema reference for details
Application string Application that performed the recorded action
FileName string Name of the file that the recorded action was applied to
FolderPath string Folder containing the file that the recorded action was applied to
PreviousFileName string Original name of the file that was renamed as a result of the action
PreviousFolderPath string Original folder containing the file before the recorded action was applied
Protocol string Network protocol used
AccountName string User name of the account
AccountDomain string Domain of the account
AccountSid string Security Identifier (SID) of the account
AccountUpn string User principal name (UPN) of the account
AccountObjectId string Unique identifier for the account in Azure AD
AccountDisplayName string Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname.
DeviceName string Fully qualified domain name (FQDN) of the device
DeviceType string Type of device
OSPlatform string Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.
IPAddress string IP address assigned to the endpoint and used during related network communications
Port string TCP port used during communication
DestinationDeviceName string Name of the device running the server application that processed the recorded action
DestinationIPAddress string IP address of the device running the server application that processed the recorded action
DestinationPort string Destination port of related network communications
Location string City, country, or other geographic location associated with the event
Isp string Internet service provider (ISP) associated with the endpoint IP address
ReportId long Unique identifier for the event
AdditionalFields string Additional information about the entity or event


For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in the security center.