title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
BehaviorInfo table in the advanced hunting schema | Learn about alert generation events in the BehaviorInfo table of the advanced hunting schema | met150 | defender-xdr | adv-hunting | | maccruz | schmurky | medium | dansimp | ITPro | | | reference | 12/29/2023 |
Applies to:
- Microsoft Defender XDR
The `BehaviorInfo` table in the advanced hunting schema contains information about alerts from Microsoft Defender for Cloud Apps. Use this reference to construct queries that return information from this table.
Important
The `BehaviorInfo` table is in preview and is not available for GCC. The information here may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Have feedback to share? Fill out our feedback form.
Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but do not necessarily, indicate malicious activity. Read more about behaviors.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Column name | Data type | Description |
---|---|---|
`Timestamp` | `datetime` | Date and time when the record was generated |
`BehaviorId` | `string` | Unique identifier for the behavior |
`ActionType` | `string` | Type of behavior |
`Description` | `string` | Description of the behavior |
`Categories` | `string` | Type of threat indicator or breach activity identified by the behavior |
`AttackTechniques` | `string` | MITRE ATT&CK techniques associated with the activity that triggered the behavior |
`ServiceSource` | `string` | Product or service that identified the behavior |
`DetectionSource` | `string` | Detection technology or sensor that identified the notable component or activity |
`DataSources` | `string` | Products or services that provided information for the behavior |
`DeviceId` | `string` | Unique identifier for the device in the service |
`AccountUpn` | `string` | User principal name (UPN) of the account |
`AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |
`StartTime` | `datetime` | Date and time of the first activity related to the behavior |
`EndTime` | `datetime` | Date and time of the last activity related to the behavior |
`AdditionalFields` | `string` | Additional information about the behavior |
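
An added example (not part of the original reference) of a triage query built only from the columns above: it groups the last seven days of behaviors by account and lists the behavior types, ATT&CK techniques and reporting services seen for each. It assumes `AttackTechniques` holds a JSON array serialized as a string; the seven-day window and the more-than-one-behavior threshold are arbitrary choices.

```kusto
// Added example: per-account behavior triage over the last 7 days.
// Every column referenced here is documented in the BehaviorInfo table.
BehaviorInfo
| where Timestamp > ago(7d)            // arbitrary look-back window
| where isnotempty(AccountUpn)         // keep behaviors tied to an account
// Assumption: AttackTechniques is a JSON array stored as a string.
| extend TechniqueArray = todynamic(AttackTechniques)
| mv-expand Technique = TechniqueArray to typeof(string)
| summarize
    Behaviors     = dcount(BehaviorId),      // distinct behaviors, not expanded rows
    ActionTypes   = make_set(ActionType),
    Techniques    = make_set(Technique),
    Services      = make_set(ServiceSource),
    FirstActivity = min(StartTime),
    LastActivity  = max(EndTime)
    by AccountUpn, AccountObjectId
| extend ActivitySpan = LastActivity - FirstActivity
| where Behaviors > 1                  // arbitrary threshold: repeated behaviors only
| order by Behaviors desc, LastActivity desc
```

Because a behavior does not necessarily indicate malicious activity, treat the result as a list of accounts to review alongside the `Description` and `AdditionalFields` of each behavior, not as a list of confirmed incidents.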