# DeviceLogonEvents

> [!IMPORTANT]
> The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross-product investigations, configuration and remediation without the need to navigate to separate product portals. Learn more about what's changed.

**Applies to:**

- Microsoft 365 Defender

The DeviceLogonEvents table in the advanced hunting schema contains information about user logons and other authentication events on devices. Use this reference to construct queries that return information from this table.

> [!TIP]
> For detailed information about the event types (ActionType values) supported by a table, use the built-in schema reference available in the security center.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|-------------|-----------|-------------|
| Timestamp | datetime | Date and time when the event was recorded |
| DeviceId | string | Unique identifier for the machine in the service |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| Protocol | string | Protocol used during the communication |
| FailureReason | string | Information explaining why the recorded action failed |
| LogonType | string | Type of logon session, specifically:<br><br>- **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br>- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br>- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br>- **Batch** - Session initiated by scheduled tasks<br><br>- **Service** - Session initiated by services as they start |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RemoteDeviceName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessFileSize | long | Size of the file that ran the process responsible for the event |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated; use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
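The following advanced hunting query is an added example of putting these columns to work, not part of this schema reference or of Microsoft's documentation: it surfaces remote interactive (RDP) logons that succeeded from a public IP address right after a burst of failures from the same address against the same device. It assumes the ActionType values `LogonFailed` and `LogonSuccess` and the LogonType value `RemoteInteractive`, which this page does not list (confirm them in the built-in schema reference), and the failure-count and time-window thresholds are constructed tuning values.

```kusto
// Added example query (not from the original reference). Assumed: ActionType values
// LogonFailed / LogonSuccess and LogonType value RemoteInteractive exist in your tenant's
// schema; the thresholds below are constructed starting points, tune them to your baseline.
let lookback = 7d;
let window = 10m;        // bucket size for counting failures
let minFailures = 10;    // failures per bucket that count as a burst
// Step 1: buckets of failed RDP logons from public IP addresses, per device and source IP.
let failureBursts =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | where LogonType == "RemoteInteractive"
    | where RemoteIPType == "Public"
    | summarize
        FailedAttempts = count(),
        TargetedAccounts = dcount(AccountName),       // many accounts = spraying pattern
        FirstFailure = min(Timestamp),
        LastFailure = max(Timestamp),
        FailureReasons = make_set(FailureReason, 5)
      by DeviceId, DeviceName, RemoteIP, bin(Timestamp, window)
    | where FailedAttempts >= minFailures;
// Step 2: successful RDP logons from the same public IP to the same device, landing inside
// the failure burst or within one window after it ended.
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where LogonType == "RemoteInteractive"
| where RemoteIPType == "Public"
| project SuccessTime = Timestamp, DeviceId, DeviceName, RemoteIP,
          AccountDomain, AccountName, AccountSid, IsLocalAdmin, LogonId, ReportId
| join kind=inner failureBursts on DeviceId, RemoteIP
| where SuccessTime between (FirstFailure .. (LastFailure + window))
// IsLocalAdmin first: a successful logon to a privileged account after a burst is the
// highest-value lead; LogonId lets you pivot to what that session did afterwards.
| project SuccessTime, DeviceName, RemoteIP, AccountDomain, AccountName, IsLocalAdmin,
          FailedAttempts, TargetedAccounts, FailureReasons, LogonId, ReportId
| order by IsLocalAdmin desc, FailedAttempts desc
```

Because ReportId repeats, keep DeviceName and Timestamp (here SuccessTime) alongside it when you de-duplicate or pivot from these results.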