AppFileEvents

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender

The AppFileEvents table in the advanced hunting schema contains information about file-related activities in cloud apps and services monitored by Microsoft Cloud App Security. Use this reference to construct queries that return information from this table.

Warning

This table will be retired soon. As of March 7, 2021, the AppFileEvents table is no longer logging records. Users hunting through file-related activities in cloud services on and beyond the said date should use the CloudAppEvents table instead.

Make sure to search for queries and custom detection rules that still use the AppFileEvents table and edit them to use the CloudAppEvents table. More guidance about converting affected queries can be found in Hunt across cloud app activities with Microsoft 365 Defender advanced hunting.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.
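One way to carry out that search over exported query text is sketched below. It is an added example, not Microsoft's tooling: the function names, rule names and sample queries are constructed for illustration, and the column list is copied from the schema table on this page. It reports which saved queries still reference AppFileEvents in executable text (ignoring comments and string literals) and which of the table's columns each one uses.

```python
import re

# Column names copied from the AppFileEvents schema table on this page.
APPFILEEVENTS_COLUMNS = frozenset("""
Timestamp ActionType Application FileName FolderPath PreviousFileName
PreviousFolderPath Protocol AccountName AccountDomain AccountSid AccountUpn
AccountObjectId AccountDisplayName DeviceName DeviceType OSPlatform IPAddress
Port DestinationDeviceName DestinationIPAddress DestinationPort Location Isp
ReportId AdditionalFields""".split())

# String literals and // comments are matched in one pass, so "//" inside a
# string or a quote inside a comment is not misread.
NON_CODE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'|//[^\n]*')
TABLE = re.compile(r"\bAppFileEvents\b")

def code_only(kql):
    """Blank out literals and comments; line numbers stay unchanged."""
    return NON_CODE.sub(lambda m: " " * len(m.group()), kql)

def find_retired_table_use(queries):
    """Map query name -> lines referencing AppFileEvents and schema columns used."""
    findings = {}
    for name, text in queries.items():
        code = code_only(text)
        lines = [n for n, line in enumerate(code.splitlines(), 1)
                 if TABLE.search(line)]
        if lines:
            words = set(re.findall(r"[A-Za-z_]\w*", code))
            findings[name] = {"lines": lines,
                              "columns": sorted(words & APPFILEEVENTS_COLUMNS)}
    return findings

# Constructed sample queries and rule names, for illustration only.
SAMPLE_QUERIES = {
    "renamed-files": """// weekly review
AppFileEvents
| where ActionType == "SampleAction"
| project Timestamp, FileName, PreviousFileName, AccountUpn""",
    "already-migrated": """// migrated from AppFileEvents
CloudAppEvents
| where Application == "AppFileEvents archive"
| project Timestamp, ActionType""",
    "docx-by-user": """union DeviceFileEvents,
      AppFileEvents
| where FileName endswith ".docx"
| summarize count() by AccountUpn""",
}

if __name__ == "__main__":
    for name, hit in find_retired_table_use(SAMPLE_QUERIES).items():
        print(f"{name}: lines {hit['lines']}, columns {hit['columns']}")
```

The column list in each finding shows which fields need an equivalent in CloudAppEvents before the rule is edited.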

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| ActionType | string | Type of activity that triggered the event. See the in-portal schema reference for details |
| Application | string | Application that performed the recorded action |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| PreviousFileName | string | Original name of the file that was renamed as a result of the action |
| PreviousFolderPath | string | Original folder containing the file before the recorded action was applied |
| Protocol | string | Network protocol used |
| AccountName | string | User name of the account |
| AccountDomain | string | Domain of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountDisplayName | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| DeviceType | string | Type of device |
| OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| Port | string | TCP port used during communication |
| DestinationDeviceName | string | Name of the device running the server application that processed the recorded action |
| DestinationIPAddress | string | IP address of the device running the server application that processed the recorded action |
| DestinationPort | string | Destination port of related network communications |
| Location | string | City, country, or other geographic location associated with the event |
| Isp | string | Internet service provider (ISP) associated with the endpoint IP address |
| ReportId | long | Unique identifier for the event |
| AdditionalFields | string | Additional information about the entity or event |

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.