advanced-hunting-behaviorinfo-table.md

| Field | Value |
|---|---|
| title | BehaviorInfo table in the advanced hunting schema |
| description | Learn about alert generation events in the BehaviorInfo table of the advanced hunting schema |
| search.appverid | met150 |
| ms.service | defender-xdr |
| ms.subservice | adv-hunting |
| f1.keywords | NOCSH |
| ms.author | maccruz |
| author | schmurky |
| ms.localizationpriority | medium |
| manager | dansimp |
| audience | ITPro |
| ms.collection | m365-security, tier3 |
| ms.custom | cx-ti, cx-ah |
| ms.topic | reference |
| ms.date | 12/29/2023 |

BehaviorInfo (Preview)


Applies to:

  • Microsoft Defender XDR

The BehaviorInfo table in the advanced hunting schema contains information about alerts from Microsoft Defender for Cloud Apps. Use this reference to construct queries that return information from this table.

Important

The BehaviorInfo table is in preview and is not available for GCC. The information here may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Have feedback to share? Fill out our feedback form.

Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but do not necessarily, indicate malicious activity. Read more about behaviors.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| `Timestamp` | `datetime` | Date and time when the record was generated |
| `BehaviorId` | `string` | Unique identifier for the behavior |
| `ActionType` | `string` | Type of behavior |
| `Description` | `string` | Description of the behavior |
| `Categories` | `string` | Type of threat indicator or breach activity identified by the behavior |
| `AttackTechniques` | `string` | MITRE ATT&CK techniques associated with the activity that triggered the behavior |
| `ServiceSource` | `string` | Product or service that identified the behavior |
| `DetectionSource` | `string` | Detection technology or sensor that identified the notable component or activity |
| `DataSources` | `string` | Products or services that provided information for the behavior |
| `DeviceId` | `string` | Unique identifier for the device in the service |
| `AccountUpn` | `string` | User principal name (UPN) of the account |
| `AccountObjectId` | `string` | Unique identifier for the account in Microsoft Entra ID |
| `StartTime` | `datetime` | Date and time of the first activity related to the behavior |
| `EndTime` | `datetime` | Date and time of the last activity related to the behavior |
| `AdditionalFields` | `string` | Additional information about the behavior |
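
A triage query built only from the columns listed above, shown as an added example that is not part of the original page. The 7-day lookback and the threshold of two distinct `ActionType` values per account are assumptions to tune for your tenant.

```kusto
// Added example (not from the original page).
// Goal: surface accounts with several different behavior types in a short
// window, so an analyst can review them alongside related alerts.
let lookback = 7d;            // assumed hunting window
let minDistinctActions = 2;   // assumed threshold, tune per tenant
BehaviorInfo
| where Timestamp > ago(lookback)
| where isnotempty(AccountUpn)
// How long the underlying activity lasted, from first to last raw event
| extend DurationMinutes = datetime_diff('minute', EndTime, StartTime)
| summarize
    BehaviorCount = count(),
    DistinctActionTypes = dcount(ActionType),
    ActionTypes = make_set(ActionType, 20),
    Techniques = make_set(AttackTechniques, 20),
    Sources = make_set(DetectionSource, 10),
    FirstActivity = min(StartTime),
    LastActivity = max(EndTime),
    MaxDurationMinutes = max(DurationMinutes)
    by AccountUpn, AccountObjectId, ServiceSource
| where DistinctActionTypes >= minDistinctActions
| order by BehaviorCount desc
```

Because behaviors do not necessarily indicate malicious activity, treat the output as a review queue rather than a list of confirmed incidents.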

Related topics