AlertEvidence

Includes files, IP addresses, URLs, users, or devices associated with alerts.

Table attributes

Attribute Value
Resource types -
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries Yes

Columns

Column Type Description
AccountDomain string Domain of the account.
AccountName string User name of the account.
AccountObjectId string Unique identifier for the account in Azure Active Directory.
AccountSid string Security Identifier (SID) of the account.
AccountUpn string User principal name (UPN) of the account.
AdditionalFields dynamic Additional information about the event in JSON array format.
AlertId string Unique identifier for the alert.
Application string Application that performed the recorded action.
ApplicationId int Unique identifier for the application.
AttackTechniques string MITRE ATT&CK techniques associated with the activity that triggered the alert.
_BilledSize real The record size in bytes
Categories string List of categories that the information belongs to, in JSON array format.
DetectionSource string Detection technology or sensor that identified the notable component or activity.
DeviceId string Unique identifier for the device in the service.
DeviceName string Fully qualified domain name (FQDN) of the machine.
EmailSubject string Subject of the email.
EntityType string Type of object, such as a file, a process, a device, or a user.
EvidenceDirection string Indicates whether the entity is the source or the destination of a network connection.
EvidenceRole string How the entity is involved in an alert, indicating whether it is impacted or is merely related.
FileName string Name of the file that the recorded action was applied to.
FileSize long Size of the file in bytes.
FolderPath string Folder containing the file that the recorded action was applied to.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
LocalIP string IP address assigned to the local device used during communication.
NetworkMessageId string Unique identifier for the email, generated by Office 365.
OAuthApplicationId string Unique identifier of the third-party OAuth application.
ProcessCommandLine string Command line used to create the new process.
RegistryKey string Registry key that the recorded action was applied to.
RegistryValueData string Data of the registry value that the recorded action was applied to.
RegistryValueName string Name of the registry value that the recorded action was applied to.
RemoteIP string IP address that was being connected to.
RemoteUrl string URL or fully qualified domain name (FQDN) that was being connected to.
ServiceSource string Product or service that provided the alert information.
SHA1 string SHA-1 of the file that the recorded action was applied to.
SHA256 string SHA-256 of the file that the recorded action was applied to. This field is usually not populated-use the SHA1 column when available.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
ThreatFamily string Malware family that the suspicious or malicious file or process has been classified under.
TimeGenerated datetime Date and time (UTC) when the record was generated.
Title string Title of the alert.
Type string The name of the table