Skip to content

Latest commit

 

History

History
111 lines (100 loc) · 9.51 KB

advanced-hunting-devicefileevents-table.md

File metadata and controls

111 lines (100 loc) · 9.51 KB
title description search.appverid ms.service ms.subservice f1.keywords ms.author author ms.localizationpriority manager audience ms.collection ms.custom ms.topic ms.date
DeviceFileEvents table in the advanced hunting schema
Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
met150
defender-xdr
adv-hunting
NOCSH
maccruz
schmurky
medium
dansimp
ITPro
m365-security
tier3
cx-ti
cx-ah
reference
09/06/2024

DeviceFileEvents

[!INCLUDE Microsoft Defender XDR rebranding]

Applies to:

  • Microsoft Defender XDR
  • Microsoft Defender for Endpoint

The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from this table.

Tip

For detailed information about the events types (ActionType values) supported by a table, use the built-in schema reference available in Microsoft Defender XDR.

For information on other tables in the advanced hunting schema, see the advanced hunting reference.

Column name Data type Description
Timestamp datetime Date and time when the event was recorded
DeviceId string Unique identifier for the device in the service
DeviceName string Fully qualified domain name (FQDN) of the device
ActionType string Type of activity that triggered the event. See the in-portal schema reference for details.
FileName string Name of the file that the recorded action was applied to
FolderPath string Folder containing the file that the recorded action was applied to
SHA1 string SHA-1 of the file that the recorded action was applied to
SHA256 string SHA-256 of the file that the recorded action was applied to. This field is usually not populated — use the SHA1 column when available.
MD5 string MD5 hash of the file that the recorded action was applied to
FileOriginUrl string URL where the file was downloaded from
FileOriginReferrerUrl string URL of the web page that links to the downloaded file
FileOriginIP string IP address where the file was downloaded from
PreviousFolderPath string Original folder containing the file before the recorded action was applied
PreviousFileName string Original name of the file that was renamed as a result of the action
FileSize long Size of the file in bytes
InitiatingProcessAccountDomain string Domain of the account that ran the process responsible for the event
InitiatingProcessAccountName string User name of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID user name of the account that ran the process responsible for the event might be shown instead
InitiatingProcessAccountSid string Security Identifier (SID) of the account that ran the process responsible for the event
InitiatingProcessAccountUpn string User principal name (UPN) of the account that ran the process responsible for the event; if the device is registered in Microsoft Entra ID, the Entra ID UPN of the account that ran the process responsible for the event might be shown instead
InitiatingProcessAccountObjectId string Microsoft Entra object ID of the user account that ran the process responsible for the event
InitiatingProcessMD5 string MD5 hash of the process (image file) that initiated the event
InitiatingProcessSHA1 string SHA-1 of the process (image file) that initiated the event
InitiatingProcessSHA256 string SHA-256 of the process (image file) that initiated the event. This field is usually not populated — use the SHA1 column when available.
InitiatingProcessFolderPath string Folder containing the process (image file) that initiated the event
InitiatingProcessFileName string Name of the process file that initiated the event; if unavailable, the name of the process that initiated the event might be shown instead
InitiatingProcessFileSize long Size of the process (image file) that initiated the event
InitiatingProcessVersionInfoCompanyName string Company name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoProductName string Product name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoProductVersion string Product version from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoInternalFileName string Internal file name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoOriginalFileName string Original file name from the version information of the process (image file) responsible for the event
InitiatingProcessVersionInfoFileDescription string Description from the version information of the process (image file) responsible for the event
InitiatingProcessId long Process ID (PID) of the process that initiated the event
InitiatingProcessCommandLine string Command line used to run the process that initiated the event
InitiatingProcessCreationTime datetime Date and time when the process that initiated the event was started
InitiatingProcessIntegrityLevel string Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.
InitiatingProcessTokenElevation string Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event
InitiatingProcessParentId long Process ID (PID) of the parent process that spawned the process responsible for the event
InitiatingProcessParentFileName string Name of the parent process that spawned the process responsible for the event
InitiatingProcessParentCreationTime datetime Date and time when the parent of the process responsible for the event was started
RequestProtocol string Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS
RequestSourceIP string IPv4 or IPv6 address of the remote device that initiated the activity
RequestSourcePort int Source port on the remote device that initiated the activity
RequestAccountName string User name of account used to remotely initiate the activity
RequestAccountDomain string Domain of the account used to remotely initiate the activity
RequestAccountSid string Security Identifier (SID) of the account used to remotely initiate the activity
ShareName string Name of shared folder containing the file
SensitivityLabel string Label applied to an email, file, or other content to classify it for information protection
SensitivitySubLabel string Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently
IsAzureInfoProtectionApplied boolean Indicates whether the file is encrypted by Azure Information Protection
ReportId long Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns.
AppGuardContainerId string Identifier for the virtualized container used by Application Guard to isolate browser activity
AdditionalFields string Additional information about the entity or event
InitiatingProcessSessionId long Windows session ID of the initiating process
IsInitiatingProcessRemoteSession bool Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false)
InitiatingProcessRemoteSessionDeviceName string Device name of the remote device from which the initiating process’s RDP session was initiated
InitiatingProcessRemoteSessionIP string IP address of the remote device from which the initiating process’s RDP session was initiated

Note

File hash information will always be shown when it is available. However, there are several possible reasons why a SHA1, SHA256, or MD5 cannot be calculated. For instance, the file might be located in remote storage, locked by another process, compressed, or marked as virtual. In these scenarios, the file hash information appears empty.

Related topics