DeviceImageLoadEvents

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

The DeviceImageLoadEvents table in the advanced hunting schema contains information about DLL loading events. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name                                   Data type  Description
Timestamp                                     datetime   Date and time when the event was recorded
DeviceId                                      string     Unique identifier for the machine in the service
DeviceName                                    string     Fully qualified domain name (FQDN) of the machine
ActionType                                    string     Type of activity that triggered the event. See the in-portal schema reference for details
FileName                                      string     Name of the file that the recorded action was applied to
FolderPath                                    string     Folder containing the file that the recorded action was applied to
SHA1                                          string     SHA-1 of the file that the recorded action was applied to
SHA256                                        string     SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available.
MD5                                           string     MD5 hash of the file that the recorded action was applied to
FileSize                                      long       Size of the file in bytes
InitiatingProcessAccountDomain                string     Domain of the account that ran the process responsible for the event
InitiatingProcessAccountName                  string     User name of the account that ran the process responsible for the event
InitiatingProcessAccountSid                   string     Security Identifier (SID) of the account that ran the process responsible for the event
InitiatingProcessAccountUpn                   string     User principal name (UPN) of the account that ran the process responsible for the event
InitiatingProcessAccountObjectId              string     Azure AD object ID of the user account that ran the process responsible for the event
InitiatingProcessIntegrityLevel               string     Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources
InitiatingProcessTokenElevation               string     Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event
InitiatingProcessSHA1                         string     SHA-1 of the process (image file) that initiated the event
InitiatingProcessSHA256                       string     SHA-256 of the process (image file) that initiated the event. This field is usually not populated; use the SHA1 column when available.
InitiatingProcessMD5                          string     MD5 hash of the process (image file) that initiated the event
InitiatingProcessFileName                     string     Name of the process that initiated the event
InitiatingProcessFileSize                     long       Size of the file that ran the process responsible for the event
InitiatingProcessVersionInfoCompanyName       string     Company name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoProductName       string     Product name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoProductVersion    string     Product version from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoInternalFileName  string     Internal file name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoOriginalFileName  string     Original file name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoFileDescription   string     Description from the version information of the process (image file) responsible for the event
InitiatingProcessId                           int        Process ID (PID) of the process that initiated the event
InitiatingProcessCommandLine                  string     Command line used to run the process that initiated the event
InitiatingProcessCreationTime                 datetime   Date and time when the process that initiated the event was started
InitiatingProcessFolderPath                   string     Folder containing the process (image file) that initiated the event
InitiatingProcessParentId                     int        Process ID (PID) of the parent process that spawned the process responsible for the event
InitiatingProcessParentFileName               string     Name of the parent process that spawned the process responsible for the event
InitiatingProcessParentCreationTime           datetime   Date and time when the parent of the process responsible for the event was started
ReportId                                      long       Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns
AppGuardContainerId                           string     Identifier for the virtualized container used by Application Guard to isolate browser activity
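As an added example of constructing a query from this reference (it is not part of the original page and not one of Microsoft's published hunting queries), the following advanced hunting query surfaces DLLs loaded from user-writable folders by processes that themselves run from system or Program Files locations, keys on SHA1 because SHA256 is usually empty, and counts unique events with the DeviceName, Timestamp and ReportId combination described above. The folder patterns, the 7-day window and the rarity threshold are assumptions to tune for your environment.

```kusto
// Added example query over DeviceImageLoadEvents (not from the original page).
// Shape of interest for defenders: a DLL in a user-writable location loaded by
// a process installed in a trusted location (DLL search-order hijacking).
// Folder patterns, the 7-day window and the device threshold are assumptions.
DeviceImageLoadEvents
| where Timestamp > ago(7d)
// Loaded DLL sits in a user-writable folder (patterns are assumptions)
| where FolderPath has_any (@"\Users\", @"\ProgramData\", @"\Temp\")
// The loading process comes from a system or Program Files location
| where InitiatingProcessFolderPath startswith @"C:\Windows\"
     or InitiatingProcessFolderPath startswith @"C:\Program Files"
// SHA256 is usually not populated in this table, so key on SHA1
| where isnotempty(SHA1)
// ReportId repeats; DeviceName + Timestamp + ReportId identifies one event
| extend EventKey = strcat(DeviceName, "|", tostring(Timestamp), "|", tostring(ReportId))
| summarize Loads     = dcount(EventKey),
            Devices   = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Loaders   = make_set(InitiatingProcessFileName, 10),
            Accounts  = make_set(InitiatingProcessAccountName, 10)
          by FileName, FolderPath, SHA1, InitiatingProcessVersionInfoCompanyName
// Rare across the fleet: seen on at most 3 devices (threshold is an assumption)
| where Devices <= 3
| order by Loads desc
```

Pivoting the resulting SHA1 values into DeviceFileEvents or DeviceProcessEvents is the usual next step to establish how the DLL arrived on the device.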