AlertEvidence
Important
The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.
Applies to:
- Microsoft 365 Defender
The AlertEvidence table in the advanced hunting schema contains information about the entities (files, IP addresses, URLs, users, or devices) associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
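As an added example (not part of the original page), the following advanced hunting query pivots from recent alerts to the file, IP and URL entities recorded as evidence for them. It joins AlertEvidence to the companion AlertInfo table on AlertId, which is where the alert title and severity live. The AlertInfo column names, the Severity and EntityType string literals, and the seven-day window are assumptions to confirm in your own tenant (for example with `AlertEvidence | distinct EntityType`). Because the SHA256 column is usually empty, the file indicator takes SHA1 first and uses SHA256 only when SHA1 is missing.

```kusto
// Added example, not from the original page. Pivot from recent alerts to the
// file, IP and URL entities recorded as evidence for them.
// Assumptions: the companion AlertInfo table (AlertId, Title, Severity,
// ServiceSource, Timestamp), the Severity/EntityType literals, and the
// 7-day window; confirm the literals with "AlertEvidence | distinct EntityType".
AlertInfo
| where Timestamp > ago(7d)
| where Severity in ("High", "Medium")
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(7d)
    | where EntityType in ("File", "Ip", "Url")
    // project only what is needed so Timestamp/ServiceSource do not collide
    // with the same-named AlertInfo columns after the join
    | project AlertId, EntityType, EvidenceRole, SHA1, SHA256,
              RemoteIP, RemoteUrl, DeviceId, DeviceName
  ) on AlertId
// One indicator column regardless of entity type. SHA256 is usually empty
// in this table, so SHA1 is taken first and SHA256 only as a fallback
// (coalesce treats an empty string as missing).
| extend Indicator = case(
    EntityType == "File", coalesce(SHA1, SHA256),
    EntityType == "Ip",   RemoteIP,
    EntityType == "Url",  RemoteUrl,
    "")
| where isnotempty(Indicator)
| summarize Alerts    = dcount(AlertId),
            Devices   = dcount(DeviceId),
            Titles    = make_set(Title, 5),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp)
    by ServiceSource, EntityType, EvidenceRole, Indicator
| order by Alerts desc, Devices desc
```

Grouping by EvidenceRole keeps entities that were actually impacted separate from entities the alert merely references as context, so an indicator that is "Related" on many alerts does not get triaged as if it were the compromised asset.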
Column name | Data type | Description
---|---|---
Timestamp | datetime | Date and time when the event was recorded
AlertId | string | Unique identifier for the alert
ServiceSource | string | Product or service that provided the alert information
EntityType | string | Type of object, such as a file, a process, a device, or a user
EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related
EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection
FileName | string | Name of the file that the recorded action was applied to
FolderPath | string | Folder containing the file that the recorded action was applied to
SHA1 | string | SHA-1 of the file that the recorded action was applied to
SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available.
FileSize | int | Size of the file in bytes
ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under
RemoteIP | string | IP address that was being connected to
RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to
AccountName | string | User name of the account
AccountDomain | string | Domain of the account
AccountSid | string | Security Identifier (SID) of the account
AccountObjectId | string | Unique identifier for the account in Azure Active Directory
AccountUpn | string | User principal name (UPN) of the account
DeviceId | string | Unique identifier for the device in the service
DeviceName | string | Fully qualified domain name (FQDN) of the machine
LocalIP | string | IP address assigned to the local device used during communication
NetworkMessageId | string | Unique identifier for the email, generated by Office 365
EmailSubject | string | Subject of the email
ApplicationId | string | Unique identifier for the application
Application | string | Application that performed the recorded action
ProcessCommandLine | string | Command line used to create the new process
AdditionalFields | string | Additional information about the event in JSON array format
RegistryKey | string | Registry key that the recorded action was applied to
RegistryValueName | string | Name of the registry value that the recorded action was applied to
RegistryValueData | string | Data of the registry value that the recorded action was applied to
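The registry and process columns at the end of the table support a persistence hunt. As an added example (not from the original page), the query below groups registry evidence across alerts and surfaces the same key, value name and value data appearing on more than one device. AdditionalFields is parsed with todynamic and only its key names are listed, because the page does not document its schema. The 30-day window and the "more than one device" threshold are assumptions; raise or lower the threshold to taste.

```kusto
// Added example, not from the original page. Registry persistence evidence that
// recurs across devices: the same key/value/data seen in alerts on more than one
// device is a candidate for a shared persistence mechanism.
// Assumptions: the 30-day window and the "more than one device" threshold.
AlertEvidence
| where Timestamp > ago(30d)
| where isnotempty(RegistryKey) and isnotempty(RegistryValueData)
// AdditionalFields is JSON; its schema is not documented on this page, so only
// the key names are surfaced for the analyst. bag_keys() yields nothing when the
// value is a JSON array or empty rather than an object.
| extend Extra = todynamic(AdditionalFields)
| extend ExtraKeys = tostring(bag_keys(Extra))
| summarize Alerts       = dcount(AlertId),
            Devices      = dcount(DeviceId),
            DeviceNames  = make_set(DeviceName, 10),
            Accounts     = make_set(strcat(AccountDomain, @"\", AccountName), 10),
            CommandLines = make_set(ProcessCommandLine, 5),
            ExtraKeySets = make_set(ExtraKeys, 5),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp)
    by ServiceSource, EvidenceRole, RegistryKey, RegistryValueName, RegistryValueData
| where Devices > 1
| order by Devices desc, Alerts desc
```

Grouping on the full key, value name and value data (rather than the key alone) is deliberate: a Run key is touched by many benign installers, but an identical value payload landing on several devices within the window is the pattern worth pulling into an investigation.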