DataSecurityBehaviors (Preview)
Applies to:
- Microsoft Defender XDR
- Microsoft Purview
Important
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The DataSecurityBehaviors table in the advanced hunting schema contains insights about potentially suspicious user behaviors that violate the user-defined or default policies configured in the Microsoft Purview suite of solutions.
Insights cover a range of data security-related behaviors, such as those involving exfiltration, obfuscation, risky interactions with AI applications, and others. Insights are generated by aggregating user behaviors over a calendar day and comparing them with the user's previous activity, peer group activity, or other activities performed by the same user. Insights also capture summaries of various risk pivots, such as sensitive data, risky destinations, and the like.
Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the record was generated or updated |
| BehaviorId | string | Unique identifier for the behavior |
| ActionType | string | Type of behavior. Refer to the catalog of behaviors detected by Microsoft Purview Insider Risk Management. |
| StartTime | datetime | Date and time of the first activity related to the behavior |
| EndTime | datetime | Date and time of the last activity related to the behavior |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the behavior. Refer to the subtechniques in the insider risk management behavior catalog. |
| Categories | string | Type of threat indicator or breach activity identified by the behavior |
| ActionCategory | enum | Category of action that triggered the event |
| Description | string | Description of the behavior |
| ServiceSource | string | Product or service that identified the behavior |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity |
| ActivityCount | int | Total user activity events recorded under this behavior |
| IsAnomalous | bool | Indicates whether this user behavior is anomalous by itself or based on insider risk management global settings |
| IsContentHidden | bool | Indicates whether the behavior involves hidden content on a device |
| AccountUpn | string | User principal name (UPN) of the account |
| AccountEmail | string | Email address of the account |
| Application | string | Application that performed the recorded action |
| DeviceInfo | dynamic | List of device information for the device involved in this behavior, including device ID, device name, and the number of events in which the device is involved; in JSON array format |
| SensitivityLabelInfo | dynamic | List of sensitivity labels assigned to content involved in this behavior, including the unique identifier of the Microsoft Information Protection sensitivity label assigned to the related content, the name of the sensitivity label, and the number of events in the behavior involving this label; in JSON array format |
| SensitiveInfoTypesInfo | dynamic | List of sensitive info types detected in the content involved in this behavior, including the unique identifier of the sensitive info type, the name of the sensitive info type, and the number of events in the behavior involving this sensitive info type; in JSON array format |
| UrlDomainInfo | dynamic | List of websites or service URLs involved in the behavior, including the name of the URL domain, the direction of data (sent to or received from the domain), the type of URL domain (customer-configured or based on watchlists), and the number of events in the behavior involving the specific domain; in JSON array format |
| SharepointSiteInfo | dynamic | List of SharePoint sites involved in this behavior, including the unique identifier of the SharePoint site, the name of the SharePoint site, and the number of events in the behavior involving the SharePoint site; in JSON array format |
| RecipientEmailInfo | dynamic | List of information about the recipients involved in the behavior, including the email address of the recipient and the number of events in the behavior involving the recipient; in JSON array format |
| RemovableMediaInfo | dynamic | List of any removable media involved in the behavior, including the serial number, manufacturer, and model of the removable media device; in JSON array format |
| PrinterName | dynamic | List of printers involved in the behavior; in array format |
| PriorityContentMatchInfo | dynamic | List of priority content matches identified within this behavior and their associated details. Priority content definitions are configured by admins for each insider risk management policy. Displayed in JSON array format. |
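The following hunting query is an added example for this reference; it is not part of the original page or of Microsoft's documented queries. It uses only the columns listed in the table above: it pulls anomalous behaviors from the last seven days, derives how long each behavior spanned from StartTime and EndTime, counts the risk pivots carried in the dynamic columns, and rolls the result up per user and calendar day (the same day granularity at which insights are aggregated). Two things are assumptions: that the ActionType values for exfiltration and obfuscation behaviors contain those words (the real values come from the insider risk management behavior catalog), and that the dynamic columns are JSON arrays whose length can be taken with `array_length` as the table states; the property names inside those arrays are not documented here, so the query deliberately does not reference them.

```kusto
// Added example, not from the original page. Hunt for users with several anomalous
// data security behaviors on the same day and summarise the risk pivots involved.
DataSecurityBehaviors
| where Timestamp > ago(7d)
| where IsAnomalous == true
// Assumption: ActionType names contain these words; replace with exact values
// from the insider risk management behavior catalog before relying on this filter.
| where ActionType has_any ("Exfiltration", "Obfuscation")
// How long the aggregated behavior lasted, from first to last related activity.
| extend DurationHours = datetime_diff("hour", EndTime, StartTime)
// The dynamic columns are JSON arrays; count entries without assuming property names.
| extend DestinationCount = array_length(UrlDomainInfo),
         LabelCount = array_length(SensitivityLabelInfo),
         SitCount = array_length(SensitiveInfoTypesInfo),
         UsedRemovableMedia = array_length(RemovableMediaInfo) > 0,
         Printed = array_length(PrinterName) > 0
// Roll up per user per calendar day, matching the aggregation window of the insights.
| summarize Behaviors = dcount(BehaviorId),
            TotalActivity = sum(ActivityCount),
            LongestBehaviorHours = max(DurationHours),
            ActionTypes = make_set(ActionType),
            Techniques = make_set(AttackTechniques),
            MaxDestinations = max(DestinationCount),
            LabelledContentBehaviors = countif(LabelCount > 0),
            SensitiveInfoBehaviors = countif(SitCount > 0),
            RemovableMediaBehaviors = countif(UsedRemovableMedia),
            PrintBehaviors = countif(Printed)
    by AccountUpn, Day = bin(Timestamp, 1d)
// Keep users with more than one anomalous behavior in the day, most active first.
| where Behaviors >= 2
| order by TotalActivity desc
| take 50
```

To drill into a single row, filter on its BehaviorId and use `mv-expand` on the dynamic column of interest (for example `| mv-expand UrlDomainInfo`) so that each array entry becomes its own row; the entry's fields can then be inspected directly rather than guessed at. Because ActivityCount is already a per-behavior total, summarize before expanding any arrays, otherwise `sum(ActivityCount)` is inflated once per array element.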
Related articles
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.