AlertEvidenceAlertEvidence

重要

已改善的 Microsoft 365 安全性中心 現在已提供公開預覽。The improved Microsoft 365 security center is now available in public preview. 這種新的經驗會將 Defender、Office 365 的 Defender、Microsoft 365 Defender 等,帶入 Microsoft 365 的安全性中心。This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. 安全小組現在可以管理所有端點、電子郵件及跨產品調查、設定和修正,而不需要流覽個別的產品入口網站。Security teams can now manage all endpoint, email and cross product investigations, configuration and remediation without the need to navigate to separate product portals. 深入瞭解已變更的專案。Learn more about what's changed.

適用於:Applies to:

  • Microsoft 365 DefenderMicrosoft 365 Defender

[!附注] AlertEvidence 高級搜尋 架構中的表格包含各種實體(檔案、IP 位址、URLs、使用者或裝置)相關資訊,這些資訊與 Microsoft defender For Endpoint、Microsoft defender for Office 365、Microsoft Cloud App Security 和 Microsoft defender for Identity 相關聯。The AlertEvidence table in the advanced hunting schema contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. 使用這個參考來建立從此表格取回之資訊的查詢。Use this reference to construct queries that return information from this table.

如需進階搜捕結構描述中其他表格的資訊,請參閱進階搜捕參考 (部分內容為機器翻譯)。For information on other tables in the advanced hunting schema, see the advanced hunting reference.

欄名稱Column name 資料類型Data type 描述Description
Timestamp datetimedatetime 事件記錄的日期和時間Date and time when the event was recorded
AlertId 字串string 警示的唯一識別碼。Unique identifier for the alert
ServiceSource stringstring 提供提醒資訊的產品或服務Product or service that provided the alert information
EntityType stringstring 物件的類型,例如檔案、進程、裝置或使用者Type of object, such as a file, a process, a device, or a user
EvidenceRole stringstring 如何將實體包含在警示中,指出它會受到影響或僅僅是相關的How the entity is involved in an alert, indicating whether it is impacted or is merely related
EvidenceDirection stringstring 指出實體是否為網路連線的來源或目的地Indicates whether the entity is the source or the destination of a network connection
FileName 字串string 記錄動作已套用的檔案名稱Name of the file that the recorded action was applied to
FolderPath 字串string 包含錄製的動作所套用之檔案的資料夾Folder containing the file that the recorded action was applied to
SHA1 字串string 記錄動作已套用的檔案 SHA-1SHA-1 of the file that the recorded action was applied to
SHA256 字串string 記錄動作已套用的檔案 SHA-256。SHA-256 of the file that the recorded action was applied to. 通常不會填入此欄位,可用時使用 SHA1] 欄位。This field is usually not populated—use the SHA1 column when available.
FileSize intint 檔案大小(以位元組為單位)Size of the file in bytes
ThreatFamily stringstring 已分類的可疑或惡意檔或程式的惡意程式碼系列Malware family that the suspicious or malicious file or process has been classified under
RemoteIP 字串string 連線到的 IP 位址IP address that was being connected to
RemoteUrl 字串string 已連線到的 URL 或完整網域名稱 (FQDN)URL or fully qualified domain name (FQDN) that was being connected to
AccountName 字串string 帳戶的使用者名稱User name of the account
AccountDomain stringstring 帳戶的網域Domain of the account
AccountSid stringstring 帳戶的安全性識別碼 (SID) Security Identifier (SID) of the account
AccountObjectId stringstring Azure Active Directory 中帳戶的唯一識別碼Unique identifier for the account in Azure Active Directory
AccountUpn stringstring 帳戶的使用者主要名稱 (UPN) User principal name (UPN) of the account
DeviceId stringstring 服務中裝置的唯一識別碼Unique identifier for the device in the service
DeviceName stringstring 電腦的完整網域名稱 (FQDN)Fully qualified domain name (FQDN) of the machine
LocalIP stringstring 指派給通訊期間所使用之本機裝置的 IP 位址IP address assigned to the local device used during communication
NetworkMessageId stringstring Office 365 產生的電子郵件唯一識別碼Unique identifier for the email, generated by Office 365
EmailSubject 字串string 電子郵件的主旨Subject of the email
ApplicationId 字串string 應用程式的唯一識別碼Unique identifier for the application
Application stringstring 執行錄製動作的應用程式Application that performed the recorded action
ProcessCommandLine stringstring 用來建立新程式的命令列Command line used to create the new process
AdditionalFields stringstring 有關 JSON 陣列格式之事件的其他資訊Additional information about the event in JSON array format
RegistryKey stringstring 套用錄製的動作所用的登錄機碼Registry key that the recorded action was applied to
RegistryValueName stringstring 已錄製動作套用至之登錄值的名稱Name of the registry value that the recorded action was applied to
RegistryValueData stringstring 已錄製動作套用至之登錄值的資料Data of the registry value that the recorded action was applied to