DeviceProcessEvents

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

The DeviceProcessEvents table in the advanced hunting schema contains information about process creation and related events. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| DeviceId | string | Unique identifier for the machine in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event. See the in-portal schema reference for details |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| FileSize | long | Size of the file in bytes |
| ProcessVersionInfoCompanyName | string | Company name from the version information of the newly created process |
| ProcessVersionInfoProductName | string | Product name from the version information of the newly created process |
| ProcessVersionInfoProductVersion | string | Product version from the version information of the newly created process |
| ProcessVersionInfoInternalFileName | string | Internal file name from the version information of the newly created process |
| ProcessVersionInfoOriginalFileName | string | Original file name from the version information of the newly created process |
| ProcessVersionInfoFileDescription | string | Description from the version information of the newly created process |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as whether they were launched from an internet download. These integrity levels influence permissions to resources |
| ProcessTokenElevation | string | Indicates the type of token elevation applied to the newly created process. Possible values: TokenElevationTypeLimited (restricted), TokenElevationTypeDefault (standard), and TokenElevationTypeFull (elevated) |
| ProcessCreationTime | datetime | Date and time the process was created |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as whether they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated; use the SHA1 column when available. |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFileSize | long | Size of the file that ran the process responsible for the event |
| InitiatingProcessVersionInfoCompanyName | string | Company name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoProductName | string | Product name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoProductVersion | string | Product version from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoInternalFileName | string | Internal file name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoOriginalFileName | string | Original file name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoFileDescription | string | Description from the version information of the process (image file) responsible for the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessSignerType | string | Type of file signer of the process (image file) that initiated the event |
| InitiatingProcessSignatureStatus | string | Information about the signature status of the process (image file) that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| AdditionalFields | string | Additional information about the event in JSON array format |
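The following advanced hunting query is an added example, not part of the original reference, showing how the columns above combine in practice: it surfaces newly created processes that received a full (elevated) token while the initiating process ran at a lower integrity level, falls back to SHA1 where SHA256 is empty, and counts unique events by the DeviceName, Timestamp and ReportId triple as the ReportId description requires. The ActionType value "ProcessCreated" and the integrity-level strings "Low" and "Medium" are assumed; confirm them in the in-portal schema reference before relying on the query.

```kusto
// Added example query for DeviceProcessEvents (not from the original page).
// Goal: review elevated-token process launches whose parent ran at Low or
// Medium integrity, which is unusual for routine administrative activity.
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Assumed ActionType value; verify against the built-in schema reference.
| where ActionType == "ProcessCreated"
| where ProcessTokenElevation == "TokenElevationTypeFull"
// Assumed integrity-level strings; verify in the schema reference.
| where InitiatingProcessIntegrityLevel in ("Low", "Medium")
// SHA256 is usually not populated, so prefer SHA1 when SHA256 is empty.
| extend FileHash = iff(isempty(SHA256), SHA1, SHA256)
// ReportId repeats, so a unique event key needs DeviceName and Timestamp too.
| extend EventKey = strcat(DeviceName, "|", tostring(Timestamp), "|", tostring(ReportId))
| summarize
    UniqueEvents = dcount(EventKey),
    SampleCommandLine = take_any(ProcessCommandLine),
    FirstSeen = min(ProcessCreationTime),
    LastSeen = max(ProcessCreationTime)
  by DeviceName, AccountDomain, AccountName,
     InitiatingProcessFileName, InitiatingProcessIntegrityLevel,
     InitiatingProcessSignerType, InitiatingProcessSignatureStatus,
     FileName, FolderPath, FileHash, ProcessIntegrityLevel
| order by UniqueEvents desc
```

Reviewing results grouped by InitiatingProcessSignerType and InitiatingProcessSignatureStatus helps separate signed, expected elevation prompts from launches that warrant a closer look.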