Microsoft Sentinel entity types reference
This document contains two sets of information regarding entities and entity types in Microsoft Sentinel in the Azure portal and Microsoft Sentinel in the Defender portal.
- The Entity types and identifiers table shows the different types of entities that can be identified in alerts and incidents, allowing you to track and investigate them. The table also shows, for each entity type, the different identifiers that can be used to identify an entity.
- The Entity schema section shows the data structure and schema for entities in general and for each entity type in particular.
Important
Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Entity types and identifiers
The following table shows the entity types that can be recognized by Microsoft Sentinel, and the attributes that can be used as identifiers for each entity type.
Microsoft Sentinel recognizes entities in alerts and incidents that are created by entity mapping in analytics rules. It also recognizes entities already identified in alerts ingested from other sources.
You can currently use up to three identifiers for a given entity when creating an entity mapping in Microsoft Sentinel. Strong identifiers alone are sufficient to uniquely identify an entity, whereas weak identifiers can do so only in combination with other identifiers. Learn more about strong and weak identifiers. Most but not all identifiers in this table can be used when creating entity mappings in Microsoft Sentinel (see footnotes).
Entity type | Identifiers | Strong identifiers | Weak identifiers |
---|---|---|---|
Account | Name, FullName *, NTDomain, DnsDomain, UPNSuffix, Sid, AadTenantId, AadUserId, PUID, IsDomainJoined, DisplayName *, ObjectGuid | Name+UPNSuffix, AadUserId, Sid **, Sid+_Host_ **, Name+_Host_+NTDomain **, Name+NTDomain **, Name+DnsDomain, PUID, ObjectGuid | Name |
Host | DnsDomain, NTDomain, HostName, FullName *, NetBiosName, AzureID, OMSAgentID, OSFamily, OSVersion, IsDomainJoined | HostName+NTDomain, HostName+DnsDomain, NetBiosName+NTDomain, NetBiosName+DnsDomain, AzureID, OMSAgentID | HostName, NetBiosName |
IP | Address, AddressScope | Address **, Address+AddressScope ** | |
URL | Url | Url (if absolute URL) ** | Url (if relative URL) ** |
Azure resource (AzureResource) | ResourceId | ResourceId | |
Cloud application (CloudApplication) | AppId, Name, InstanceName | AppId, Name, AppId+InstanceName, Name+InstanceName | |
DNS resolution (DNS) | DomainName | DomainName+_DnsServerIp_+_HostIpAddress_ | DomainName+_HostIpAddress_ |
File | Directory, Name | Directory+Name | |
File hash (FileHash) | Algorithm, Value | Algorithm+Value | |
Malware | Name, Category | Name+Category | |
Process | ProcessId, CommandLine, ElevationToken, CreationTimeUtc | _Host_+ProcessId+CreationTimeUtc, _Host_+ParentProcessId+CreationTimeUtc+CommandLine, _Host_+ProcessId+CreationTimeUtc+_ImageFile_, _Host_+ProcessId+CreationTimeUtc+_ImageFile_+_FileHash_ | ProcessId+CreationTimeUtc+CommandLine (no Host), ProcessId+CreationTimeUtc+_ImageFile_ (no Host) |
Registry key (RegistryKey) | Hive, Key | Hive+Key | |
Registry value (RegistryValue) | Name, Value, ValueType | _Key_+Name | Name (no Key) |
Security group (SecurityGroup) | DistinguishedName, SID, ObjectGuid | DistinguishedName, SID, ObjectGuid | |
Mailbox | MailboxPrimaryAddress, DisplayName, Upn, ExternalDirectoryObjectId, RiskLevel | MailboxPrimaryAddress | |
Mail cluster (MailCluster) | NetworkMessageIds, CountByDeliveryStatus, CountByThreatType, CountByProtectionStatus, Threats, Query, QueryTime, MailCount, IsVolumeAnomaly, Source, ClusterSourceIdentifier *, ClusterSourceType *, ClusterQueryStartTime *, ClusterQueryEndTime *, ClusterGroup * | Query+Source | |
Mail message (MailMessage) | Recipient, Urls, Threats, Sender, P1Sender *, P1SenderDisplayName *, P1SenderDomain *, SenderIP, P2Sender *, P2SenderDisplayName *, P2SenderDomain *, ReceivedDate, NetworkMessageId, InternetMessageId, Subject, BodyFingerprintBin1 *, BodyFingerprintBin2 *, BodyFingerprintBin3 *, BodyFingerprintBin4 *, BodyFingerprintBin5 *, AntispamDirection, DeliveryAction, DeliveryLocation, Language *, ThreatDetectionMethods * | NetworkMessageId+Recipient | |
Submission mail (SubmissionMail) | NetworkMessageId, Timestamp, Recipient, Sender, SenderIp, Subject, ReportType, SubmissionId, SubmissionDate, Submitter | SubmissionId+NetworkMessageId+Recipient+Submitter | |
Sentinel entities | Entities | Entities | |
Table footnotes:
- * These identifiers appear in the list of identifiers that can be used in entity mapping, but strictly speaking they are not part of the entity schema.
- ** These identifiers are considered strong only under certain conditions. Follow the asterisks' links to see the conditions that apply, under the relevant entity's listing in the entity schemas section below.
- Italicized identifier names (without an asterisk) represent internal entities, which means that one entity type can have other entity types as attributes (see the entity schemas section below). Follow the identifier's link to see the internal entity's own schema.
- Other entities may be present in the schema, which is a general schema that supports many things besides Microsoft Sentinel. Only those entities available in Microsoft Sentinel are listed in this article.
Entity type schemas
The following section contains a more in-depth look at the full schemas of each entity type. You'll notice that many of these schemas include links to other entity types. For example, the Account schema includes a link to the Host entity type, since one attribute of a user account is the host it's defined on. These entities-as-attributes are known as "internal entities", and they can't be used as identifiers for entity mapping, but they are very useful in giving a complete picture of entities on entity pages and the investigation graph.
Note
A question mark following the value in the Type column indicates the field is nullable.
List of entity type schemas
- Account
- Host
- IP
- Malware
- File
- Process
- Cloud application
- DNS resolution
- Azure resource
- File hash
- Registry key
- Registry value
- Security group
- URL
- IoT device
- Mailbox
- Mail cluster
- Mail message
- Submission mail
- Sentinel entities
Account
Entity name: Account
Field | Type | Description |
---|---|---|
Type | String | 'account' |
Name | String | The name of the account. This field should hold only the name without any domain added to it. |
FullName | -- | Not part of the schema; included for backward compatibility with an older version of entity mapping. |
NTDomain | String | The NETBIOS domain name as it appears in the alert format—domain\username. Examples: Finance, NT AUTHORITY |
DnsDomain | String | The fully qualified domain DNS name. Examples: finance.contoso.com |
UPNSuffix | String | The user principal name suffix for the account. In many cases the UPN Suffix is also the domain name. Examples: contoso.com |
Host | Entity (Host) | The host that contains the account, if it's a local account. |
Sid | String | The account's security identifier. |
AadTenantId | Guid? | The Microsoft Entra tenant ID, if known. |
AadUserId | Guid? | The Microsoft Entra account object ID, if known. |
PUID | Guid? | The Microsoft Entra Passport User ID, if known. |
IsDomainJoined | Bool? | Indicates whether the account is a domain account. |
DisplayName | -- | Not part of the schema; included for backward compatibility with an older version of entity mapping. |
ObjectGuid | Guid? | The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory. |
CloudAppAccountId | String | The AccountID in alerts from the CloudApp provider. Refers to account IDs in third-party apps that are not supported in other Microsoft products. |
IsAnonymized | Bool? | Indicates whether the user name is anonymized. Optional. Default value: false. |
Stream | Stream | The source of discovery logs related to the specific account. Optional. |
Strong identifiers of an account entity
- Name + UPNSuffix
- AadUserId
- Sid (** This identifier is strong as long as the account is not one of the built-in accounts listed in the Note below.)
- Sid + Host (** When the account is one of the built-in accounts listed in the Note below, the Host component is required to make this identifier a strong one.)
- Name + NTDomain (** This combination is a strong identifier when the account is a domain account, that is, NTDomain is not a built-in domain/workgroup and is different from the host name. In this case it is a strong identifier even without the Host component.)
- Name + NTDomain + Host (** The Host component is necessary to create a strong identifier when the account is a local account, meaning that the NTDomain is a built-in domain/workgroup.)
- Name + DnsDomain
- PUID
- ObjectGuid
Weak identifiers of an account entity
- Name
Note
If the Account entity is defined using the Name identifier, and the Name value of a particular entity is one of the following generic, commonly built-in account names, then that entity will be dropped from its alert.
- ADMIN
- ADMINISTRATOR
- SYSTEM
- ROOT
- ANONYMOUS
- AUTHENTICATED USER
- NETWORK
- NULL
- LOCAL SYSTEM
- LOCALSYSTEM
- NETWORK SERVICE
Back to list of entity type schemas | Back to entity identifiers table
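The identifier rules in the table above and in the Account section can be applied mechanically to an entity mapping before a rule goes live: is the chosen identifier set strong, weak, or will Sentinel drop the entity outright? The following is an added example (not Microsoft's code, and not how the Sentinel service is implemented); it encodes the strong and weak identifier sets from the table, the built-in account Note, the Sid/Host and NTDomain conditions, the global-versus-private IP rule and the absolute-versus-relative URL rule, and it checks the portal's limit of three identifiers per mapping and its exclusion of internal entities. The function names, the sample mappings and the `LOCAL_DOMAINS` set are this example's own assumptions; the page does not enumerate which NT domains count as built-in.

```python
"""Classify a Sentinel entity mapping by the identifier rules on this page.

Added example, not Microsoft's code. STRONG/WEAK mirror the identifiers table;
the Account branch mirrors the Account section. LOCAL_DOMAINS is assumed.
"""
import ipaddress
from urllib.parse import urlsplit

# Generic account names dropped when an Account is mapped by Name alone.
BUILTIN_ACCOUNT_NAMES = {
    "ADMIN", "ADMINISTRATOR", "SYSTEM", "ROOT", "ANONYMOUS",
    "AUTHENTICATED USER", "NETWORK", "NULL", "LOCAL SYSTEM",
    "LOCALSYSTEM", "NETWORK SERVICE",
}
# Assumption: built-in domain/workgroup names that mark a local account.
LOCAL_DOMAINS = {"NT AUTHORITY", "BUILTIN", "WORKGROUP"}
# Internal entities cannot be picked as identifiers in portal entity mapping.
INTERNAL = {"Host", "ImageFile", "FileHash", "Key"}
MAX_MAPPED = 3  # the portal accepts at most three identifiers per entity

# Unconditional strong and weak identifier sets, per entity type.
STRONG = {
    "Account": [{"Name", "UPNSuffix"}, {"AadUserId"}, {"Name", "DnsDomain"},
                {"PUID"}, {"ObjectGuid"}],
    "Host": [{"HostName", "NTDomain"}, {"HostName", "DnsDomain"},
             {"NetBiosName", "NTDomain"}, {"NetBiosName", "DnsDomain"},
             {"AzureID"}, {"OMSAgentID"}],
    "Process": [{"Host", "ProcessId", "CreationTimeUtc"},
                {"Host", "ParentProcessId", "CreationTimeUtc", "CommandLine"}],
    "File": [{"Directory", "Name"}],
    "FileHash": [{"Algorithm", "Value"}],
    "RegistryValue": [{"Key", "Name"}],
}
WEAK = {
    "Account": [{"Name"}],
    "Host": [{"HostName"}, {"NetBiosName"}],
    "Process": [{"ProcessId", "CreationTimeUtc", "CommandLine"},
                {"ProcessId", "CreationTimeUtc", "ImageFile"}],
    "RegistryValue": [{"Name"}],
}


def usable_in_entity_mapping(mapping):
    """True if the mapping fits the portal: <= 3 identifiers, none internal."""
    return len(mapping) <= MAX_MAPPED and not (set(mapping) & INTERNAL)


def classify(entity_type, mapping):
    """Return 'strong', 'weak', 'dropped' or 'insufficient' for a mapping of
    {identifier: sample value}. Empty values do not count as present."""
    ids = {k for k, v in mapping.items() if v not in (None, "")}

    if entity_type == "Account":
        name = str(mapping.get("Name", "")).upper()
        if ids == {"Name"} and name in BUILTIN_ACCOUNT_NAMES:
            return "dropped"  # per the Note: entity removed from its alert
        # Sid alone is strong unless the account is built-in; then Host too.
        if "Sid" in ids and (name not in BUILTIN_ACCOUNT_NAMES or "Host" in ids):
            return "strong"
        # Name+NTDomain is strong for a domain account; a local account
        # (built-in domain/workgroup, or NTDomain equal to the host) needs Host.
        if {"Name", "NTDomain"} <= ids:
            nt = str(mapping["NTDomain"]).upper()
            host = str(mapping.get("Host", "")).upper()
            if "Host" in ids or (nt not in LOCAL_DOMAINS and nt != host):
                return "strong"

    if entity_type == "IP":
        if "Address" not in ids:
            return "insufficient"
        # Global address: strong alone. Private/non-global: needs AddressScope.
        is_global = ipaddress.ip_address(mapping["Address"]).is_global
        return "strong" if is_global or "AddressScope" in ids else "insufficient"

    if entity_type == "URL":
        if "Url" not in ids:
            return "insufficient"
        parts = urlsplit(mapping["Url"])  # absolute == has scheme and host
        return "strong" if parts.scheme and parts.netloc else "weak"

    if any(s <= ids for s in STRONG.get(entity_type, [])):
        return "strong"
    if any(w <= ids for w in WEAK.get(entity_type, [])):
        return "weak"
    return "insufficient"


if __name__ == "__main__":
    # Constructed mappings, as an analytics rule might produce them.
    for etype, m in [("Account", {"Name": "jdoe", "UPNSuffix": "contoso.com"}),
                     ("Account", {"Name": "SYSTEM"}),
                     ("IP", {"Address": "10.0.0.5"}),
                     ("URL", {"Url": "/login"})]:
        print(etype, m, "->", classify(etype, m),
              "| mappable in portal:", usable_in_entity_mapping(m))
```

Two results are worth noticing: an `Administrator` account mapped with `Name` and `Sid` but no `Host` comes out weak, exactly as the Sid footnote says, and the Process strong identifiers all need `Host`, which is an internal entity and therefore only reachable through ingested alerts, not through portal entity mapping.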
Host
Entity name: Host
Field | Type | Description |
---|---|---|
Type | String | 'host' |
IpInterfaces | List<Entity (Ip)> | List of all IP interfaces on the host machine. |
DnsDomain | String | The DNS domain that this host belongs to. Should contain the complete DNS suffix for the domain, if known. |
NTDomain | String | The NT domain that this host belongs to. |
HostName | String | The hostname without the domain suffix. |
NetBiosName | String | The host name (pre-Windows 2000). |
IoTDevice | Entity (IoT Device) | The IoT Device entity (if this host represents an IoT Device). |
AzureID | String | The Azure resource ID of the VM, if known. |
OMSAgentID | String | The OMS agent ID, if the host has OMS agent installed. |
OSFamily | Enum? | One of the following values: |
OSVersion | String | A free-text representation of the operating system. This field is meant to hold specific versions that are more fine-grained than OSFamily, or future values not supported by the OSFamily enumeration. |
IsDomainJoined | Bool | Indicates whether this host belongs to a domain. |
Strong identifiers of a host entity
- HostName + NTDomain
- HostName + DnsDomain
- NetBiosName + NTDomain
- NetBiosName + DnsDomain
- AzureID
- OMSAgentID
- IoTDevice
Weak identifiers of a host entity
- HostName
- NetBiosName
Back to list of entity type schemas | Back to entity identifiers table
IP
Entity name: IP
Field | Type | Description |
---|---|---|
Type | String | 'ip' |
Address | String | The IP address as a string, either IPv4 or IPv6, for example 127.0.0.1. |
AddressScope | String | Name of the host, subnet, or private network for private, non-global IP addresses. Null or empty for global IP addresses (default). |
Location | GeoLocation | The geo-location context attached to the IP entity. For more information, see also Enrich entities in Microsoft Sentinel with geolocation data via REST API (Public preview). |
Stream | Stream | The source of discovery logs related to the specific IP. Optional. |
Strong identifiers of an IP entity
- Address (** Address alone is a unique, strong identifier when the IP address is a global address.)
- Address + AddressScope (** For private/internal, non-global IP addresses, the AddressScope component is required to make this a strong identifier.)
Back to list of entity type schemas | Back to entity identifiers table
Malware
Entity name: Malware
Field | Type | Description |
---|---|---|
Type | String | 'malware' |
Name | String | The malware name assigned by the detection vendor, for example Win32/Toga!rfn. |
Category | String | The malware category assigned by the detection vendor, for example Trojan. |
Files | List<Entity (File)> | List of linked file entities on which the malware was found. Can contain the File entities inline or as reference. See the File entity for more details on structure. |
Processes | List<Entity (Process)> | List of linked process entities on which the malware was found. This would often be used when the alert triggered on fileless activity. See the Process entity for more details on structure. |
Strong identifiers of a malware entity
- Name + Category
Back to list of entity type schemas | Back to entity identifiers table
File
Entity name: File
Field | Type | Description |
---|---|---|
Type | String | 'file' |
Directory | String | The full path to the file. |
Name | String | The file name without the path (some alerts might not include path). |
AlternateDataStreamName | String | The file stream name in NTFS filesystem (null for the main stream). |
Host | Entity (Host) | The host on which the file was stored. |
HostUrl | Entity (URL) | URL where the file was downloaded from (Mark of the Web). |
WindowsSecurityZoneType | WindowsSecurityZone | Windows Security Zone to which the URL belongs (Mark of the Web). |
ReferrerUrl | Entity (URL) | Referrer URL of the file download HTTP request (Mark of the Web). |
SizeInBytes | Long? | The size of the file in bytes. |
FileHashes | List<Entity (FileHash)> | The file hashes associated with this file. |
Strong identifiers of a file entity
- Name + Directory
- Name + FileHash
- Name + Directory + FileHash
Back to list of entity type schemas | Back to entity identifiers table
Process
Entity name: Process
Field | Type | Description |
---|---|---|
Type | String | 'process' |
ProcessId | String | The process ID. |
CommandLine | String | The command line used to create the process. |
ElevationToken | Enum? | The elevation token associated with the process. Possible values: |
CreationTimeUtc | DateTime? | The time when the process started to run. |
ImageFile | Entity (File) | Can contain the File entity inline or as reference. See the File entity for more details on structure. |
Account | Entity (Account) | The account running the processes. Can contain the Account entity inline or as reference. See the Account entity for more details on structure. |
ParentProcess | Entity (Process) | The parent process entity. Can contain partial data, for example, only the PID. |
Host | Entity (Host) | The host on which the process was running. |
LogonSession | Entity (HostLogonSession) | The session in which the process was running. |
Strong identifiers of a process entity
- Host + ProcessId + CreationTimeUtc
- Host + ParentProcessId + CreationTimeUtc + CommandLine
- Host + ProcessId + CreationTimeUtc + ImageFile
- Host + ProcessId + CreationTimeUtc + ImageFile.FileHash
Weak identifiers of a process entity
- ProcessId + CreationTimeUtc + CommandLine (and no Host)
- ProcessId + CreationTimeUtc + ImageFile (and no Host)
Back to list of entity type schemas | Back to entity identifiers table
Cloud application
Entity name: CloudApplication
Field | Type | Description |
---|---|---|
Type | String | 'cloud-application' |
AppId | Int | Deprecated; use SaasId field instead. The technical identifier of the application. Possible values are those defined in the list of cloud application identifiers. Value optional. Should not contain InstanceId. |
SaasId | Int | Replaces deprecated AppId field. The technical identifier of the application. Possible values are those defined in the list of cloud application identifiers. Value optional. Should not contain InstanceId. |
Name | String | The name of the related cloud application. Value optional. |
InstanceName | String | The user-defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has. |
InstanceId | Int | The identifier of the specific session of the application. This is a zero-based running number. Value optional. |
Risk | AppRisk? | Lets you filter apps by risk score so that you can focus on, for example, reviewing only highly risky apps. Possible values like Low, Medium, High or Unknown. |
Stream | Stream | The source of discovery logs related to the specific cloud app. Optional. |
Strong identifiers of a cloud application entity
- AppId (without InstanceName)
- Name (without InstanceName)
- AppId + InstanceName
- Name + InstanceName
List of cloud application identifiers
Back to list of entity type schemas | Back to entity identifiers table
DNS resolution
Entity name: DNS
Field | Type | Description |
---|---|---|
Type | String | 'dns' |
DomainName | String | The name of the DNS record associated with the alert. |
IpAddress | List<Entity (IP)> | Entities corresponding to the resolved IP addresses. |
DnsServerIp | Entity (IP) | An entity representing the DNS server resolving the request. |
HostIpAddress | Entity (IP) | An entity representing the DNS request client. |
Strong identifiers of a DNS entity
- DomainName + DnsServerIp + HostIpAddress
Weak identifiers of a DNS entity
- DomainName + HostIpAddress
Back to list of entity type schemas | Back to entity identifiers table
Azure resource
Entity name: AzureResource
Field | Type | Description |
---|---|---|
Type | String | 'azure-resource' |
ResourceId | String | The Azure resource ID of the resource. Mandatory. |
SubscriptionId | String | The subscription ID of the resource. |
ActiveContacts | List<ActiveContact> | Active contacts associated with the resource. |
ResourceType | String | The type of the resource. |
ResourceName | String | The name of the resource. |
Strong identifiers of an Azure resource entity
- ResourceId
Back to list of entity type schemas | Back to entity identifiers table
File hash
Entity name: FileHash
Field | Type | Description |
---|---|---|
Type | String | 'filehash' |
Algorithm | Enum | The hash algorithm type. Mandatory. Possible values: |
Value | String | The hash value. Mandatory. |
Strong identifiers of a file hash entity
- Algorithm + Value
Back to list of entity type schemas | Back to entity identifiers table
Registry key
Entity name: RegistryKey
Field | Type | Description |
---|---|---|
Type | String | 'registry-key' |
Hive | Enum? | One of the following values: |
Key | String | The registry key path. |
Strong identifiers of a registry key entity
- Hive + Key
Back to list of entity type schemas | Back to entity identifiers table
Registry value
Entity name: RegistryValue
Field | Type | Description |
---|---|---|
Type | String | 'registry-value' |
Host | Entity (Host) | The host that the registry belongs to. |
Key | Entity (RegistryKey) | The registry key entity. |
Name | String | The registry value name. |
Value | String | String-formatted representation of the value data. |
ValueType | Enum? | One of the values of the Microsoft.Win32.RegistryValueKind enumeration. |
Strong identifiers of a registry value entity
- Key + Name
Weak identifiers of a registry value entity
- Name (without Key)
Back to list of entity type schemas | Back to entity identifiers table
Security group
Entity name: SecurityGroup
Field | Type | Description |
---|---|---|
Type | String | 'security-group' |
DistinguishedName | String | The group distinguished name. |
SID | String | A single-value attribute that specifies the security identifier (SID) of the group. |
ObjectGuid | Guid? | A single-value attribute that is the unique identifier for the object, assigned by Active Directory. |
Strong identifiers of a security group entity
- DistinguishedName
- SID
- ObjectGuid
Back to list of entity type schemas | Back to entity identifiers table
URL
Entity name: Url
Field | Type | Description |
---|---|---|
Type | String | 'url' |
Url | Uri | A full URL the entity points to. Mandatory. |
Strong identifiers of a URL entity
- Url (** This identifier is strong when the URL is an absolute URL.)
Weak identifiers of a URL entity
- Url (** This identifier is weak when the URL is a relative URL.)
Back to list of entity type schemas | Back to entity identifiers table
IoT device
Entity name: IoTDevice
Field | Type | Description |
---|---|---|
Type | String | 'iotdevice' |
IoTHub | Entity (AzureResource) | The AzureResource entity representing the IoT Hub the device belongs to. |
DeviceId | String | The ID of the device in the context of the IoT Hub. Mandatory. |
DeviceName | String | The friendly name of the device. |
Owners | List<String> | The owners for the device. |
IoTSecurityAgentId | Guid? | The ID of the Defender for IoT agent running on the device. |
DeviceType | String | The type of the device ('temperature sensor', 'freezer', 'wind turbine' etc.). |
DeviceTypeId | String | A unique ID to identify each device type according to the device type schema, as the device type itself is a display name and not reliable in comparisons. Possible values: Unclassified = 0, Miscellaneous = 1, Network Device = 2, Printer = 3, Audio and Video = 4, Media and Surveillance = 5, Communication = 7, Smart Appliance = 9, Workstation = 10, Server = 11, Mobile = 12, Smart Facility = 13, Industrial = 14, Operational Equipment = 15 |
Source | String | The source (Microsoft/Vendor) of the device entity. |
SourceRef | Entity (Url) | A URL reference to the source item where the device is managed. |
Manufacturer | String | The manufacturer of the device. |
Model | String | The model of the device. |
OperatingSystem | String | The operating system the device is running. |
IpAddress | Entity (IP) | The current IP address of the device. |
MacAddress | String | The MAC address of the device. |
Nics | Entity (Nic) | The current NICs on the device. |
Protocols | List<String> | A list of protocols that the device supports. |
SerialNumber | String | The serial number of the device. |
Site | String | The site location of the device. |
Zone | String | The zone location of the device within a site. |
Sensor | String | The sensor monitoring the device. |
Importance | Enum? | One of the following values: |
PurdueLayer | String | The Purdue Layer of the device. |
IsProgramming | Bool? | Indicates whether the device is classified as a programming device. |
IsAuthorized | Bool? | Indicates whether the device is classified as an authorized device. |
IsScanner | Bool? | Indicates whether the device is classified as a scanner device. |
DevicePageLink | Entity (Url) | A URL to the device page in Defender for IoT portal. |
DeviceSubType | String | The name of the device subtype. |
Strong identifiers of an IoT device entity
- IoTHub + DeviceId
Weak identifiers of an IoT device entity
- DeviceId (without IoTHub)
Back to list of entity type schemas | Back to entity identifiers table
Mailbox
Entity name: Mailbox
Field | Type | Description |
---|---|---|
Type | String | 'mailbox' |
MailboxPrimaryAddress | String | The mailbox's primary address. |
DisplayName | String | The mailbox's display name. |
Upn | String | The mailbox's UPN. |
AadId | String | The Microsoft Entra identifier of the mailbox's user. |
RiskLevel | RiskLevel? | The risk level of this mailbox. Possible values: |
ExternalDirectoryObjectId | Guid? | The Microsoft Entra identifier of the mailbox. Similar to AadUserId in the Account entity, but this property is specific to the mailbox object on the Office side. |
Strong identifiers of a mailbox entity
- MailboxPrimaryAddress
Back to list of entity type schemas | Back to entity identifiers table
Mail cluster
Entity name: MailCluster
Field | Type | Description |
---|---|---|
Type | String | 'mail-cluster' |
NetworkMessageIds | IList<String> | The mail message IDs that are part of the mail cluster. |
CountByDeliveryStatus | IDictionary<String,Int> | Count of mail messages by DeliveryStatus string representation. |
CountByThreatType | IDictionary<String,Int> | Count of mail messages by ThreatType string representation. |
CountByProtectionStatus | IDictionary<String,long> | Count of mail messages by Protection status string representation. |
CountByDeliveryLocation | IDictionary<String,long> | Count of mail messages by Delivery location string representation. |
Threats | IList<String> | The threats of mail messages that are part of the mail cluster. |
Query | String | The query that was used to identify the messages of the mail cluster. |
QueryTime | DateTime? | The query time. |
MailCount | Int? | The number of mail messages that are part of the mail cluster. |
IsVolumeAnomaly | Bool? | Indicates whether the mail cluster is a volume anomaly mail cluster. |
Source | String | The source of the mail cluster (default is O365 ATP). |
Strong identifiers of a mail cluster entity
- Query + Source
Back to list of entity type schemas | Back to entity identifiers table
Mail message
Entity name: MailMessage
Field | Type | Description |
---|---|---|
Type | String | 'mail-message' |
Files | IList<Entity (File)> | The File entities of this mail message's attachments. |
Recipient | String | The recipient of this mail message. In the case of multiple recipients, the mail message is copied, and each copy has one recipient. |
Urls | IList<String> | The URLs contained in this mail message. |
Threats | IList<String> | The threats contained in this mail message. |
Sender | String | The sender's email address. |
SenderIP | String | The sender's IP address. |
ReceivedDate | DateTime | The received date of this message. |
NetworkMessageId | Guid? | The network message ID of this mail message. |
InternetMessageId | String | The internet message ID of this mail message. |
Subject | String | The subject of this mail message. |
AntispamDirection | Enum? | The directionality of this mail message. Possible values: |
DeliveryAction | Enum? | The delivery action of this mail message. Possible values: |
DeliveryLocation | Enum? | The delivery location of this mail message. Possible values: |
CampaignId | String | The identifier of the campaign in which this mail message is present. |
SuspiciousRecipients | IList<String> | The list of recipients who were detected as suspicious. |
ForwardedRecipients | IList<String> | The list of all recipients on the forwarded mail. |
ForwardingType | IList<String> | The forwarding type of the mail, such as SMTP, ETR, etc. |
Strong identifiers of a mail message entity
- NetworkMessageId + Recipient
Back to list of entity type schemas | Back to entity identifiers table
Submission mail
Entity name: SubmissionMail
Field | Type | Description |
---|---|---|
Type | String | 'SubmissionMail' |
SubmissionId | Guid? | The Submission ID. |
SubmissionDate | DateTime? | Reported Date time for this submission. |
Submitter | String | The submitter email address. |
NetworkMessageId | Guid? | The network message ID of email to which submission belongs. |
Timestamp | DateTime? | The Time stamp when the message is received (Mail). |
Recipient | String | The recipient of the mail. |
Sender | String | The sender of the mail. |
SenderIp | String | The sender's IP. |
Subject | String | The subject of submission mail. |
ReportType | String | The submission type for the given instance. Possible values are Junk, Phish, Malware, or NotJunk. |
Strong identifiers of a SubmissionMail entity
- SubmissionId + Submitter + NetworkMessageId + Recipient
Back to list of entity type schemas | Back to entity identifiers table
Sentinel entities
Field | Type | Description |
---|---|---|
Entities | String | A list of the entities identified in the alert. This list is the entities column from the SecurityAlert schema (see documentation). |
Back to list of entity type schemas | Back to entity identifiers table
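Several schemas above note that an internal entity "can contain the entity inline or as reference", and the Entities column of SecurityAlert is where those references have to be resolved before a process can be tied back to its host, account and image file. The following is an added example (not Microsoft's code). It assumes the column is a JSON array in which every entity carries `$id` and `Type`, and an internal entity appears either inline or as a `{"$ref": "<id>"}` pointer to an entity elsewhere in the array; the two alerts embedded in it are constructed for this example, and the function names are this example's own. It bounds reference chains so a malformed alert whose ParentProcess points at itself cannot recurse forever, and it treats a dangling `$ref` as an error rather than silently dropping the link.

```python
"""Resolve internal-entity references in a SecurityAlert Entities column.

Added example, not Microsoft's code. Assumes "$id"/"Type" on every entity
and {"$ref": id} pointers for internal entities that are not inline.
"""
import json

# Constructed sample: a process linked to its host, the account that ran it,
# and its image file, which carries an inline hash entity.
SAMPLE_ENTITIES = json.dumps([
    {"$id": "1", "Type": "host", "HostName": "web01",
     "DnsDomain": "corp.contoso.com"},
    {"$id": "2", "Type": "account", "Name": "svc_web", "NTDomain": "CONTOSO",
     "Host": {"$ref": "1"}},
    {"$id": "3", "Type": "file", "Directory": "C:\\Windows\\System32",
     "Name": "cmd.exe",
     "FileHashes": [{"$id": "4", "Type": "filehash", "Algorithm": "SHA256",
                     "Value": "ab" * 32}]},
    {"$id": "5", "Type": "process", "ProcessId": "4242",
     "CreationTimeUtc": "2024-05-01T10:15:00Z",
     "CommandLine": "cmd.exe /c whoami", "ImageFile": {"$ref": "3"},
     "Account": {"$ref": "2"}, "Host": {"$ref": "1"}},
])

# Constructed bad data: a process whose ParentProcess points back at itself.
CYCLIC_ENTITIES = json.dumps([
    {"$id": "9", "Type": "process", "ProcessId": "1",
     "ParentProcess": {"$ref": "9"}},
])


def index_entities(raw):
    """Index every object carrying "$id", including entities nested inline."""
    index = {}

    def walk(node):
        if isinstance(node, dict):
            if "$id" in node:
                index[node["$id"]] = node
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(raw))
    return index


def resolve(node, index, hops=0):
    """Replace {"$ref": id} pointers with the entities they name, recursively.
    hops counts reference hops only, so a cyclic chain hits the bound while
    ordinary nesting does not."""
    if hops > 16:
        raise ValueError("reference chain too long; cyclic $ref suspected")
    if isinstance(node, dict):
        if set(node) == {"$ref"}:
            target = index.get(node["$ref"])
            if target is None:
                raise KeyError(f"dangling $ref {node['$ref']!r}")
            return resolve(target, index, hops + 1)
        return {k: resolve(v, index, hops) for k, v in node.items()
                if k != "$id"}
    if isinstance(node, list):
        return [resolve(v, index, hops) for v in node]
    return node


def resolved_entities(raw):
    """Return all top-level entities with their internal entities expanded."""
    index = index_entities(raw)
    return [resolve(e, index) for e in json.loads(raw)]


def process_context(raw):
    """Pull the investigation-relevant facts out of the first process entity:
    host FQDN, account in domain\\name form, image path and SHA-256."""
    procs = [e for e in resolved_entities(raw) if e["Type"] == "process"]
    if not procs:
        return None
    p = procs[0]
    host, image = p["Host"], p["ImageFile"]
    sha256 = next((h["Value"] for h in image.get("FileHashes", [])
                   if h["Algorithm"].upper() == "SHA256"), None)
    return {
        "host": f'{host["HostName"]}.{host["DnsDomain"]}',
        "account": f'{p["Account"]["NTDomain"]}\\{p["Account"]["Name"]}',
        "image": f'{image["Directory"]}\\{image["Name"]}',
        "sha256": sha256,
        "command_line": p["CommandLine"],
    }


if __name__ == "__main__":
    print(json.dumps(process_context(SAMPLE_ENTITIES), indent=2))
```

The resolved process carries Host + ProcessId + CreationTimeUtc + ImageFile + FileHash, the strongest Process identifier in the table, which is why expanding the references matters for correlation: the same process reported by two products with different `$id` numbering still resolves to the same identifier set.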
Cloud application identifiers
The following list defines identifiers for known cloud applications. The App ID value is used as a cloud application entity identifier.
App ID | Name |
---|---|
10026 | DocuSign |
10395 | Anaplan |
10489 | Box |
10549 | Cisco Webex |
10618 | Atlassian |
10915 | Cornerstone OnDemand |
10921 | Zendesk |
10980 | Okta |
11042 | Jive Software |
11114 | Salesforce |
11161 | Office 365 |
11162 | Microsoft OneNote Online |
11394 | Microsoft Online Services |
11522 | Yammer |
11599 | Amazon Web Services |
11627 | Dropbox |
11713 | Expensify |
11770 | G Suite |
12005 | SuccessFactors |
12260 | Microsoft Azure |
12275 | Workday |
13843 | LivePerson |
13979 | Concur |
14509 | ServiceNow |
15570 | Tableau |
15600 | Microsoft OneDrive for Business |
15782 | Citrix ShareFile |
17152 | Amazon |
17865 | Ariba Inc |
18432 | Zscaler |
19688 | Xactly |
20595 | Microsoft Defender for Cloud Apps |
20892 | Microsoft SharePoint Online |
20893 | Microsoft Exchange Online |
20940 | Active Directory |
20941 | Adallom CPanel |
22110 | Google Cloud Platform |
22930 | Gmail |
23004 | Autodesk Fusion Lifecycle |
23043 | Slack |
23233 | Microsoft Office Online |
25275 | Microsoft Skype for Business |
25988 | Google Docs |
26055 | Microsoft 365 admin center |
26060 | OPSWAT Gears |
26061 | Microsoft Word Online |
26062 | Microsoft PowerPoint Online |
26063 | Microsoft Excel Online |
26069 | Google Drive |
26206 | Workiva |
26311 | Microsoft Dynamics |
26318 | Microsoft Entra ID |
26320 | Microsoft Office Sway |
26321 | Microsoft Delve |
26324 | Microsoft Power BI |
27548 | Microsoft Forms |
27592 | Microsoft Flow |
27593 | Microsoft PowerApps |
28353 | Workplace by Facebook |
28373 | CAS Proxy Emulator |
28375 | Microsoft Teams |
32780 | Microsoft Dynamics 365 |
33626 | |
34127 | Microsoft AppSource |
34667 | HighQ |
35395 | Microsoft Dynamics Talent |
Next steps
In this document you learned about entity structure, identifiers, and schema in Microsoft Sentinel.
Learn more about entities and entity mapping.