  • Microsoft 365 Defender

The AppFileEvents table in the advanced hunting schema contains information about file-related activities in cloud apps and services monitored by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.


This table will be retired soon. As of March 7, 2021, the AppFileEvents table is no longer logging records. Users hunting through file-related activities in cloud services on and after that date should use the CloudAppEvents table instead.

Make sure to search for queries and custom detection rules that still use the AppFileEvents table and edit them to use the CloudAppEvents table. More guidance about converting affected queries can be found in Hunt across cloud app activities with Microsoft 365 Defender advanced hunting.
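One way to run that search over exported query text, as an added example that is not Microsoft's tooling: a Python scan that reports lines still referencing AppFileEvents as a table while ignoring mentions inside `//` comments and string literals. The query names and bodies in `SAMPLE_QUERIES` are constructed for illustration.

```python
import re

RETIRED_TABLE = "AppFileEvents"  # table this page says stopped logging records

# Spans that are not query logic: // comments and quoted string literals
# (verbatim @"..." / @'...' and backslash-escaped "..." / '...').
_NONCODE = re.compile(r"""
      //[^\n]*
    | @"(?:""|[^"\n])*"
    | @'(?:''|[^'\n])*'
    | "(?:\\.|[^"\\\n])*"
    | '(?:\\.|[^'\\\n])*'
""", re.VERBOSE)


def blank_noncode(kql):
    """Overwrite comments and string literals with spaces, keeping line layout."""
    return _NONCODE.sub(lambda m: " " * len(m.group()), kql)


def find_retired_refs(kql, table=RETIRED_TABLE):
    """Return (line number, original line) for each line that uses `table`."""
    # \b keeps longer identifiers such as AppFileEventsArchive from matching.
    pattern = re.compile(rf"\b{re.escape(table)}\b")
    original = kql.splitlines()
    return [(n, original[n - 1].strip())
            for n, line in enumerate(blank_noncode(kql).splitlines(), start=1)
            if pattern.search(line)]


def audit(queries):
    """Map each query name to its stale references; clean queries are omitted."""
    return {name: hits for name, text in queries.items()
            if (hits := find_retired_refs(text))}


# Constructed sample queries (not taken from a real tenant).
SAMPLE_QUERIES = {
    "rename-burst": "AppFileEvents\n| where Timestamp > ago(7d)\n"
                    "| where isnotempty(PreviousFileName)\n"
                    "| summarize Renames = count() by AccountUpn\n",
    "already-migrated": "// was: AppFileEvents\nCloudAppEvents\n"
                        "| where Timestamp > ago(7d)\n",
    "string-only": 'CloudAppEvents\n| extend Note = "replaces AppFileEvents"\n',
    "union-both": "union CloudAppEvents, AppFileEvents\n"
                  "| summarize count() by ActionType\n",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_QUERIES).items():
        for line_no, text in hits:
            print(f"{name}:{line_no}: {text}")
```

Queries flagged this way return no rows for activity on or after March 7, 2021, so a custom detection rule built on them stops alerting without raising an error.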

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| `Timestamp` | `datetime` | Date and time when the event was recorded |
| `ActionType` | `string` | Type of activity that triggered the event. See the in-portal schema reference for details |
| `Application` | `string` | Application that performed the recorded action |
| `FileName` | `string` | Name of the file that the recorded action was applied to |
| `FolderPath` | `string` | Folder containing the file that the recorded action was applied to |
| `PreviousFileName` | `string` | Original name of the file that was renamed as a result of the action |
| `PreviousFolderPath` | `string` | Original folder containing the file before the recorded action was applied |
| `Protocol` | `string` | Network protocol used |
| `AccountName` | `string` | User name of the account |
| `AccountDomain` | `string` | Domain of the account |
| `AccountSid` | `string` | Security Identifier (SID) of the account |
| `AccountUpn` | `string` | User principal name (UPN) of the account |
| `AccountObjectId` | `string` | Unique identifier for the account in Azure AD |
| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |
| `DeviceType` | `string` | Type of device |
| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `IPAddress` | `string` | IP address assigned to the endpoint and used during related network communications |
| `Port` | `string` | TCP port used during communication |
| `DestinationDeviceName` | `string` | Name of the device running the server application that processed the recorded action |
| `DestinationIPAddress` | `string` | IP address of the device running the server application that processed the recorded action |
| `DestinationPort` | `string` | Destination port of related network communications |
| `Location` | `string` | City, country, or other geographic location associated with the event |
| `Isp` | `string` | Internet service provider (ISP) associated with the endpoint IP address |
| `ReportId` | `long` | Unique identifier for the event |
| `AdditionalFields` | `string` | Additional information about the entity or event |


For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.