AppFileEvents
Important
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
Applies to:
- Microsoft 365 Defender
The `AppFileEvents` table in the advanced hunting schema contains information about file-related activities in cloud apps and services monitored by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.
Warning
This table will be retired soon. As of March 7, 2021, the `AppFileEvents` table is no longer logging records. To hunt through file-related activities in cloud services on or after that date, use the `CloudAppEvents` table instead.
Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in Hunt across cloud app activities with Microsoft 365 Defender advanced hunting.
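One way to run that search over exported query text, as an added example that is not part of the original documentation: the script flags queries that still read `AppFileEvents` as a table (ignoring mentions in comments and string literals) and lists which of this page's columns each one uses, so you know what to remap. The query names and query bodies are constructed samples, and the export format (a name-to-text mapping) is an assumption.

```python
import re

RETIRED_TABLE = "AppFileEvents"
# Column names copied from the schema table on this page.
COLUMNS = """Timestamp ActionType Application FileName FolderPath
PreviousFileName PreviousFolderPath Protocol AccountName AccountDomain
AccountSid AccountUpn AccountObjectId AccountDisplayName DeviceName
DeviceType OSPlatform IPAddress Port DestinationDeviceName
DestinationIPAddress DestinationPort Location Isp ReportId
AdditionalFields""".split()

# Match string literals and // comments in one pass, whichever starts first,
# so a "//" inside a quoted URL is not mistaken for a comment.
# Simplification: verbatim @"..." strings with doubled quotes are not handled.
_NON_CODE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|//[^\n]*')


def strip_non_code(kql):
    """Blank out string literals and comments, leaving only query code."""
    return _NON_CODE.sub(" ", kql)


def audit(queries):
    """Map each query that still reads the retired table to the columns it uses."""
    findings = {}
    for name, text in queries.items():
        code = strip_non_code(text)
        if not re.search(rf"\b{RETIRED_TABLE}\b", code):
            continue  # table only mentioned in a comment/string, or not at all
        findings[name] = [c for c in COLUMNS if re.search(rf"\b{c}\b", code)]
    return findings


# Constructed sample input (hypothetical saved queries, not from the page).
SAMPLE_QUERIES = {
    "rename-watch": """AppFileEvents
| where Timestamp > ago(7d) and isnotempty(PreviousFileName)
| project Timestamp, AccountUpn, PreviousFileName, FileName, IPAddress""",
    "already-migrated": """// was: AppFileEvents | where isnotempty(FileName)
CloudAppEvents
| where Timestamp > ago(1d)""",
    "string-only": 'print note = "http://example.invalid/AppFileEvents // retired"',
}

if __name__ == "__main__":
    for name, cols in audit(SAMPLE_QUERIES).items():
        print(f"{name}: still uses {RETIRED_TABLE}; columns to remap: {', '.join(cols)}")
```
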
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Column name | Data type | Description |
---|---|---|
`Timestamp` | datetime | Date and time when the event was recorded |
`ActionType` | string | Type of activity that triggered the event. See the in-portal schema reference for details |
`Application` | string | Application that performed the recorded action |
`FileName` | string | Name of the file that the recorded action was applied to |
`FolderPath` | string | Folder containing the file that the recorded action was applied to |
`PreviousFileName` | string | Original name of the file that was renamed as a result of the action |
`PreviousFolderPath` | string | Original folder containing the file before the recorded action was applied |
`Protocol` | string | Network protocol used |
`AccountName` | string | User name of the account |
`AccountDomain` | string | Domain of the account |
`AccountSid` | string | Security Identifier (SID) of the account |
`AccountUpn` | string | User principal name (UPN) of the account |
`AccountObjectId` | string | Unique identifier for the account in Azure AD |
`AccountDisplayName` | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
`DeviceName` | string | Fully qualified domain name (FQDN) of the device |
`DeviceType` | string | Type of device |
`OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
`IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
`Port` | string | TCP port used during communication |
`DestinationDeviceName` | string | Name of the device running the server application that processed the recorded action |
`DestinationIPAddress` | string | IP address of the device running the server application that processed the recorded action |
`DestinationPort` | string | Destination port of related network communications |
`Location` | string | City, country, or other geographic location associated with the event |
`Isp` | string | Internet service provider (ISP) associated with the endpoint IP address |
`ReportId` | long | Unique identifier for the event |
`AdditionalFields` | string | Additional information about the entity or event |
Tip
For detailed information about the event types (`ActionType` values) supported by a table, use the built-in schema reference available in the security center.