title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | |||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
DeviceFileEvents table in the advanced hunting schema |
Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
reference |
09/06/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
- Microsoft Defender for Endpoint
The DeviceFileEvents
table in the advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table.
Tip
For detailed information about the events types (ActionType
values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
Column name | Data type | Description |
---|---|---|
Timestamp |
datetime |
Date and time when the event was recorded |
DeviceId |
string |
Unique identifier for the device in the service |
DeviceName |
string |
Fully qualified domain name (FQDN) of the device |
ActionType |
string |
Type of activity that triggered the event. See the in-portal schema reference for details. |
FileName |
string |
Name of the file that the recorded action was applied to |
FolderPath |
string |
Folder containing the file that the recorded action was applied to |
SHA1 |
string |
SHA-1 of the file that the recorded action was applied to |
SHA256 |
string |
SHA-256 of the file that the recorded action was applied to. This field is usually not populated — use the SHA1 column when available. |
MD5 |
string |
MD5 hash of the file that the recorded action was applied to |
FileOriginUrl |
string |
URL where the file was downloaded from |
FileOriginReferrerUrl |
string |
URL of the web page that links to the downloaded file |
FileOriginIP |
string |
IP address where the file was downloaded from |
PreviousFolderPath |
string |
Original folder containing the file before the recorded action was applied |
PreviousFileName |
string |
Original name of the file that was renamed as a result of the action |
FileSize |
long |
Size of the file in bytes |
InitiatingProcessAccountDomain |
string |
Domain of the account that ran the process responsible for the event |
InitiatingProcessAccountName |
string |
User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead |
InitiatingProcessAccountSid |
string |
Security Identifier (SID) of the account that ran the process responsible for the event |
InitiatingProcessAccountUpn |
string |
User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead |
InitiatingProcessAccountObjectId |
string |
Microsoft Entra object ID of the user account that ran the process responsible for the event |
InitiatingProcessMD5 |
string |
MD5 hash of the process (image file) that initiated the event |
InitiatingProcessSHA1 |
string |
SHA-1 of the process (image file) that initiated the event |
InitiatingProcessSHA256 |
string |
SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available. |
InitiatingProcessFolderPath |
string |
Folder containing the process (image file) that initiated the event |
InitiatingProcessFileName |
string |
Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead |
InitiatingProcessFileSize |
long |
Size of the process (image file) that initiated the event |
InitiatingProcessVersionInfoCompanyName |
string |
Company name from the version information of the process (image file) responsible for the event |
InitiatingProcessVersionInfoProductName |
string |
Product name from the version information of the process (image file) responsible for the event |
InitiatingProcessVersionInfoProductVersion |
string |
Product version from the version information of the process (image file) responsible for the event |
InitiatingProcessVersionInfoInternalFileName |
string |
Internal file name from the version information of the process (image file) responsible for the event |
InitiatingProcessVersionInfoOriginalFileName |
string |
Original file name from the version information of the process (image file) responsible for the event |
InitiatingProcessVersionInfoFileDescription |
string |
Description from the version information of the process (image file) responsible for the event |
InitiatingProcessId |
long |
Process ID (PID) of the process that initiated the event |
InitiatingProcessCommandLine |
string |
Command line used to run the process that initiated the event |
InitiatingProcessCreationTime |
datetime |
Date and time when the process that initiated the event was started |
InitiatingProcessIntegrityLevel |
string |
Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |
InitiatingProcessTokenElevation |
string |
Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
InitiatingProcessParentId |
long |
Process ID (PID) of the parent process that spawned the process responsible for the event |
InitiatingProcessParentFileName |
string |
Name of the parent process that spawned the process responsible for the event |
InitiatingProcessParentCreationTime |
datetime |
Date and time when the parent of the process responsible for the event was started |
RequestProtocol |
string |
Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
RequestSourceIP |
string |
IPv4 or IPv6 address of the remote device that initiated the activity |
RequestSourcePort |
int |
Source port on the remote device that initiated the activity |
RequestAccountName |
string |
User name of account used to remotely initiate the activity |
RequestAccountDomain |
string |
Domain of the account used to remotely initiate the activity |
RequestAccountSid |
string |
Security Identifier (SID) of the account used to remotely initiate the activity |
ShareName |
string |
Name of shared folder containing the file |
SensitivityLabel |
string |
Label applied to an email, file, or other content to classify it for information protection |
SensitivitySubLabel |
string |
Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
IsAzureInfoProtectionApplied |
boolean |
Indicates whether the file is encrypted by Azure Information Protection |
ReportId |
long |
Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
AppGuardContainerId |
string |
Identifier for the virtualized container used by Application Guard to isolate browser activity |
AdditionalFields |
string |
Additional information about the entity or event |
InitiatingProcessSessionId |
long |
Windows session ID of the initiating process |
IsInitiatingProcessRemoteSession |
bool |
Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false) |
InitiatingProcessRemoteSessionDeviceName |
string |
Device name of the remote device from which the initiating process’s RDP session was initiated |
InitiatingProcessRemoteSessionIP |
string |
IP address of the remote device from which the initiating process’s RDP session was initiated |
Note
File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.