DeviceFileEvents

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the event was recorded |
| DeviceId | string | Unique identifier for the machine in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event. See the in-portal schema reference for details |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated — use the SHA1 column when available. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginIP | string | IP address where the file was downloaded from |
| PreviousFolderPath | string | Original folder containing the file before the recorded action was applied |
| PreviousFileName | string | Original name of the file that was renamed as a result of the action |
| FileSize | long | Size of the file in bytes |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFileSize | long | Size of the process (image file) that initiated the event |
| InitiatingProcessVersionInfoCompanyName | string | Company name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoProductName | string | Product name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoProductVersion | string | Product version from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoInternalFileName | string | Internal file name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoOriginalFileName | string | Original file name from the version information of the process (image file) responsible for the event |
| InitiatingProcessVersionInfoFileDescription | string | Description from the version information of the process (image file) responsible for the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as whether they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
| RequestSourcePort | string | Source port on the remote device that initiated the activity |
| RequestAccountName | string | User name of the account used to remotely initiate the activity |
| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
| RequestAccountSid | string | Security Identifier (SID) of the account used to remotely initiate the activity |
| ShareName | string | Name of the shared folder containing the file |
| InitiatingProcessFileSize | long | Size of the file that ran the process responsible for the event |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| AdditionalFields | string | Additional information about the entity or event |

Note

File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.
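As an added example that is not part of this reference page, the following advanced hunting query puts several of the columns above to work: it pairs a file that arrived with a recorded download origin (FileOriginUrl) with a later rename of that same file to an executable extension on the same device, falls back from SHA256 to SHA1 and MD5 because the hash columns are often empty, and deduplicates on DeviceName, Timestamp and ReportId as the ReportId description requires. The ActionType values "FileCreated" and "FileRenamed" and the 7-day lookback and 10-minute pairing window are assumptions made for this example; confirm the ActionType values in the in-portal schema reference.

```kql
// Added example, not from the Microsoft reference page: a file downloaded
// from the internet that is shortly afterwards renamed to an executable
// extension on the same device. The ActionType values "FileCreated" and
// "FileRenamed" are assumed here; verify them in the in-portal schema reference.
let lookback = 7d;
let rename_window = 10m;
let downloads =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where isnotempty(FileOriginUrl)   // keep only files with a recorded download origin
    | project DownloadTime = Timestamp, DeviceId, DeviceName, FileName, FolderPath,
              FileOriginUrl, FileOriginIP,
              // SHA256 is usually empty; fall back to SHA1, then MD5, as the table notes advise
              FileHash = coalesce(SHA256, SHA1, MD5);
let renames =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileRenamed"
    | where FileName endswith ".exe" or FileName endswith ".dll"
         or FileName endswith ".scr" or FileName endswith ".ps1"
    | project RenameTime = Timestamp, DeviceId, PreviousFileName, NewFileName = FileName,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessIntegrityLevel, InitiatingProcessAccountName,
              RenameReportId = ReportId;
downloads
// the rename's PreviousFileName is the name the download was created under
| join kind=inner renames on DeviceId, $left.FileName == $right.PreviousFileName
| where RenameTime between (DownloadTime .. (DownloadTime + rename_window))
// ReportId repeats; DeviceName + Timestamp + ReportId together identify one event
| summarize take_any(*) by DeviceName, RenameTime, RenameReportId
| project DeviceName, DownloadTime, RenameTime, FileOriginUrl, FileOriginIP, FileHash,
          FolderPath, PreviousFileName, NewFileName, InitiatingProcessAccountName,
          InitiatingProcessIntegrityLevel, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by RenameTime desc
```

An empty FileHash in the results is expected for files in remote storage, locked, compressed, or marked virtual, as the note above explains; pivot on FileOriginUrl and the initiating process columns in those rows.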