Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (19)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes and similar attributes that every namespace needs. Sharing these fields keeps values consistent across log sources and makes cross-namespace searches and reports straightforward. The Reference-Specific Fields column lists the source fields that map to each generic field.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.severity | Normalized severity field across log sources. | microsoft365.defender.severity | strings |
| gen.mail.sender | Email address of the message sender. | microsoft365.defender.evidence.p1Sender.emailAddress, microsoft365.defender.evidence.senderFromAddress | strings |
| gen.mail.receiver | Email address of the message recipient. | microsoft365.defender.evidence.recipientEmailAddress, microsoft365.defender.evidence.recipients | strings |
| gen.src.ip | Source IP address. | microsoft365.defender.evidence.senderIp, microsoft365.defender.evidence.senderIP | text_general |
| gen.mail.subject | Subject line of the email. | microsoft365.defender.evidence.subject | strings |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | microsoft365.defender.evidence.url, microsoft365.defender.evidence.blobContainer.url, microsoft365.defender.evidence.image.registry.registry, microsoft365.defender.evidence.userAccount.resourceAccessEvents.resourceIdentifier | string |
| gen.username | Username associated with the event. | microsoft365.defender.evidence.account.userAccount.userPrincipalName, microsoft365.defender.evidence.loggedOnUsers.accountName, microsoft365.defender.evidence.userAccount.accountName, microsoft365.defender.evidence.userAccount.userPrincipalName | text_general |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | microsoft365.defender.evidence.protocol, microsoft365.defender.evidence.protocols, microsoft365.defender.evidence.servicePorts.protocol | strings |
| gen.hostname | Normalized hostname of the system generating the log. | microsoft365.defender.evidence.deviceName, microsoft365.defender.evidence.deviceDnsName, microsoft365.defender.evidence.hostName | text_general |
| gen.dns.domain | Queried DNS domain name. | microsoft365.defender.evidence.dnsDomain | strings |
| gen.group | User group associated with the event. | microsoft365.defender.evidence.rbacGroupName, microsoft365.defender.evidence.securityGroupId | strings |
| gen.file.name | File name associated with the event. | microsoft365.defender.evidence.fileDetails.fileName, microsoft365.defender.evidence.imageFile.fileName, microsoft365.defender.evidence.files.fileDetails.fileName | strings |
| gen.file.path | Full file path associated with the event. | microsoft365.defender.evidence.fileDetails.filePath, microsoft365.defender.evidence.imageFile.filePath, microsoft365.defender.evidence.files.fileDetails.filePath | strings |
| gen.dest.port | Destination port number. | microsoft365.defender.evidence.servicePorts.nodePort, microsoft365.defender.evidence.servicePorts.port | pint |
| gen.vendor | Vendor name of the product generating the log. | microsoft365.defender.evidence.imageFile.filePublisher, microsoft365.defender.evidence.files.fileDetails.filePublisher | strings |
| gen.process.parent.pid | Process ID of the parent process. | microsoft365.defender.evidence.parentProcessId | pint |
| gen.process.commandline | Command line used to start the process. | microsoft365.defender.evidence.processCommandLine | string |
| gen.process.pid | Process ID of the running process. | microsoft365.defender.evidence.processId | pint |
| gen.av.status | Status of the antivirus event (e.g., success, failure). | microsoft365.defender.evidence.files.detectionStatus | strings |
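The mapping in the table above can be applied mechanically: walk each source path in a Defender alert, fan out across the `evidence` array (one alert carries many evidence objects, so a single path can yield several values), and collect the results into the generic field. The following is an added example and not the SIEM's own normalizer. It assumes a Microsoft Graph-style alert document with the `microsoft365.defender.` prefix stripped, that plural types such as `strings` are multi-valued, that single-valued types (`string`, `text_general`, `pint`) keep the first value found in table order, and the sample alert is constructed for illustration.

```python
"""Normalize a Microsoft 365 Defender alert into gen.* fields (added example)."""
from typing import Any

# Mapping taken from the Generic Fields table: gen field -> (SIEM type, source paths).
# Paths are relative to the alert document; the "microsoft365.defender." prefix is dropped.
GENERIC_FIELD_MAP = {
    "gen.severity": ("strings", ["severity"]),
    "gen.mail.sender": ("strings", ["evidence.p1Sender.emailAddress", "evidence.senderFromAddress"]),
    "gen.mail.receiver": ("strings", ["evidence.recipientEmailAddress", "evidence.recipients"]),
    "gen.src.ip": ("text_general", ["evidence.senderIp", "evidence.senderIP"]),
    "gen.mail.subject": ("strings", ["evidence.subject"]),
    "gen.proxy.endpoint": ("string", ["evidence.url", "evidence.blobContainer.url",
                                      "evidence.image.registry.registry",
                                      "evidence.userAccount.resourceAccessEvents.resourceIdentifier"]),
    "gen.username": ("text_general", ["evidence.account.userAccount.userPrincipalName",
                                      "evidence.loggedOnUsers.accountName",
                                      "evidence.userAccount.accountName",
                                      "evidence.userAccount.userPrincipalName"]),
    "gen.protocol": ("strings", ["evidence.protocol", "evidence.protocols", "evidence.servicePorts.protocol"]),
    "gen.hostname": ("text_general", ["evidence.deviceName", "evidence.deviceDnsName", "evidence.hostName"]),
    "gen.dns.domain": ("strings", ["evidence.dnsDomain"]),
    "gen.group": ("strings", ["evidence.rbacGroupName", "evidence.securityGroupId"]),
    "gen.file.name": ("strings", ["evidence.fileDetails.fileName", "evidence.imageFile.fileName",
                                  "evidence.files.fileDetails.fileName"]),
    "gen.file.path": ("strings", ["evidence.fileDetails.filePath", "evidence.imageFile.filePath",
                                  "evidence.files.fileDetails.filePath"]),
    "gen.dest.port": ("pint", ["evidence.servicePorts.nodePort", "evidence.servicePorts.port"]),
    "gen.vendor": ("strings", ["evidence.imageFile.filePublisher", "evidence.files.fileDetails.filePublisher"]),
    "gen.process.parent.pid": ("pint", ["evidence.parentProcessId"]),
    "gen.process.commandline": ("string", ["evidence.processCommandLine"]),
    "gen.process.pid": ("pint", ["evidence.processId"]),
    "gen.av.status": ("strings", ["evidence.files.detectionStatus"]),
}

# Assumption: plural type names denote multi-valued fields.
MULTI_VALUED = {"strings", "pdates", "plongs", "pints", "booleans", "text_generals"}


def extract(node: Any, path: str) -> list:
    """Return every leaf value found at a dotted path, fanning out across lists."""
    if isinstance(node, list):
        out = []
        for item in node:
            out.extend(extract(item, path))
        return out
    if path == "":
        return [] if node is None else [node]
    head, _, rest = path.partition(".")
    if not isinstance(node, dict) or head not in node:
        return []
    return extract(node[head], rest)


def normalize(alert: dict) -> dict:
    """Build the gen.* fields for one alert; absent fields are omitted, not set to null."""
    gen = {}
    for field, (siem_type, sources) in GENERIC_FIELD_MAP.items():
        values = []
        for src in sources:  # table order decides which source wins for single-valued fields
            for value in extract(alert, src):
                if value not in values:  # de-duplicate while preserving order
                    values.append(value)
        if not values:
            continue
        if siem_type in MULTI_VALUED:
            gen[field] = values
        elif siem_type == "pint":
            gen[field] = int(values[0])
        else:
            gen[field] = values[0]
    return gen


# Constructed sample: one alert with message, device and process evidence.
SAMPLE_ALERT = {
    "severity": "high",
    "evidence": [
        {"p1Sender": {"emailAddress": "billing@example-invoices.test"},
         "senderIp": "203.0.113.7",
         "recipientEmailAddress": "alice@contoso.test",
         "subject": "Overdue invoice",
         "urls": ["https://example-invoices.test/pay"]},
        {"deviceDnsName": "ws-alice.contoso.test",
         "loggedOnUsers": [{"accountName": "alice", "domainName": "CONTOSO"}]},
        {"processId": 4120, "parentProcessId": 3904,
         "processCommandLine": "powershell.exe -NoProfile -Command Get-Process",
         "imageFile": {"fileName": "powershell.exe",
                       "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                       "filePublisher": "Microsoft Corporation"}},
    ],
}

if __name__ == "__main__":
    for key, value in normalize(SAMPLE_ALERT).items():
        print(f"{key} = {value!r}")
```

Because `gen.username` and `gen.hostname` are single-valued here, an alert with several logged-on users or devices keeps only the first; if that matters for your searches, index the full multi-valued source field as well.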
Reference-Specific Fields (587)
| Field | Description | Type |
|---|---|---|
| microsoft365.defender.assignedTo | Owner of the incident or alert; free-editable text; null if unassigned | string |
| microsoft365.defender.classification | Alert/incident classification indicating whether it represents a true threat | string |
| microsoft365.defender.comments.comment | Text of investigator comments | text_generals |
| microsoft365.defender.comments.createdByDisplayName | Display name of the person or app that submitted the comment | strings |
| microsoft365.defender.comments.createdDateTime | Timestamps when comments were submitted | pdates |
| microsoft365.defender.createdDateTime | Time when the incident or alert was created | pdate |
| microsoft365.defender.customTags | Custom tags associated with the incident | strings |
| microsoft365.defender.description | Free-text description of the alert or incident | text_general |
| microsoft365.defender.determination | Determination/outcome of investigation or incident nature | string |
| microsoft365.defender.displayName | Incident name | string |
| microsoft365.defender.id | Unique identifier of the incident or alert resource | string |
| microsoft365.defender.incidentWebUrl | URL to the incident page in Microsoft 365 Defender | string |
| microsoft365.defender.lastModifiedBy | Identity that last modified the incident | string |
| microsoft365.defender.lastUpdateDateTime | Time when the incident or alert was last updated | pdate |
| microsoft365.defender.redirectIncidentId | Identifier of the incident to which this incident was redirected | string |
| microsoft365.defender.resolvingComment | Free-text explanation of the resolution and classification choice | text_general |
| microsoft365.defender.severity | Severity indicating potential impact | string |
| microsoft365.defender.status | Lifecycle status of the alert or incident | string |
| microsoft365.defender.summary | High-level overview of the attack and impacted assets | text_general |
| microsoft365.defender.systemTags | System-generated tags associated with the incident or alert | strings |
| microsoft365.defender.tenantId | Microsoft Entra tenant identifier where the alert was created | string |
| microsoft365.defender.actorDisplayName | Adversary or activity group name associated with the alert | string |
| microsoft365.defender.additionalData | Dynamic dictionary of other alert properties, including user-defined content | text_general |
| microsoft365.defender.alertPolicyId | Identifier of the policy that generated the alert | string |
| microsoft365.defender.alertWebUrl | URL for the Microsoft 365 Defender alert page | string |
| microsoft365.defender.category | MITRE ATT&CK-aligned kill-chain category of the alert | string |
| microsoft365.defender.customDetails | User-defined custom fields with string values | text_general |
| microsoft365.defender.detectionSource | Detection technology or sensor that identified the activity | string |
| microsoft365.defender.detectorId | Identifier of the detector that triggered the alert | string |
| microsoft365.defender.evidence.createdDateTime | Times when evidence items were created and added to the alert | pdates |
| microsoft365.defender.evidence.detailedRoles | Free-form detailed descriptions of the entity roles within the alert | strings |
| microsoft365.defender.evidence.remediationStatus | Remediation status values for evidence entities | strings |
| microsoft365.defender.evidence.remediationStatusDetails | Details describing remediation status for evidence entities | strings |
| microsoft365.defender.evidence.roles | Roles that evidence entities represent in the alert | strings |
| microsoft365.defender.evidence.tags | Custom tags associated with an evidence instance | strings |
| microsoft365.defender.evidence.verdict | Automated investigation verdicts for evidence entities | strings |
| microsoft365.defender.firstActivityDateTime | Earliest activity time associated with the alert | pdate |
| microsoft365.defender.incidentId | Identifier of the incident associated with this alert resource | string |
| microsoft365.defender.lastActivityDateTime | Latest activity time associated with the alert | pdate |
| microsoft365.defender.mitreTechniques | Attack techniques aligned with the MITRE ATT&CK framework | strings |
| microsoft365.defender.productName | Name of the product that published the alert | string |
| microsoft365.defender.providerAlertId | Provider's native alert identifier | string |
| microsoft365.defender.recommendedActions | Recommended response and remediation actions for this alert | text_general |
| microsoft365.defender.resolvedDateTime | Time when the alert was resolved | pdate |
| microsoft365.defender.serviceSource | Service or product that created the alert | string |
| microsoft365.defender.threatDisplayName | Threat name associated with this alert | string |
| microsoft365.defender.threatFamilyName | Threat family name associated with this alert | string |
| microsoft365.defender.title | Short identifying title of the alert | string |
| microsoft365.defender.evidence.amazonAccountId | Unique identifiers for Amazon accounts involved | strings |
| microsoft365.defender.evidence.amazonResourceId | Amazon Resource Names (ARNs) for cloud resources | strings |
| microsoft365.defender.evidence.remediationStatus.createdDateTime | Timestamps associated with remediation status entries for evidence | pdates |
| microsoft365.defender.evidence.remediationStatus.detailedRoles | Detailed role descriptions associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.remediationStatus | Remediation status values associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.remediationStatusDetails | Details about remediation status for remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.roles | Roles associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.tags | Tags associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.verdict | Automated investigation verdicts associated with remediation status entries | strings |
| microsoft365.defender.evidence.resourceName | Names of cloud or container resources referenced by evidence | strings |
| microsoft365.defender.evidence.resourceType | Types of resources referenced by evidence | strings |
| microsoft365.defender.evidence.roles.createdDateTime | Timestamps for role entries attached to evidence | pdates |
| microsoft365.defender.evidence.roles.detailedRoles | Detailed descriptions of roles attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.remediationStatus | Remediation status values attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.remediationStatusDetails | Details about remediation status attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.roles | Roles that the evidence entities represent within the alert context | strings |
| microsoft365.defender.evidence.roles.tags | Tags attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.verdict | Automated investigation verdicts attached to evidence roles entries | strings |
| microsoft365.defender.evidence.verdict.createdDateTime | Timestamps for verdict entries attached to evidence | pdates |
| microsoft365.defender.evidence.verdict.detailedRoles | Detailed descriptions of roles attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.remediationStatus | Remediation status values attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.remediationStatusDetails | Details about remediation status attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.roles | Roles attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.tags | Tags attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.verdict | Automated investigation verdict values for verdict entries | strings |
| microsoft365.defender.evidence.antiSpamDirection | Direction of the email relative to the organization (inbound/outbound/intraorg) | strings |
| microsoft365.defender.evidence.attachmentsCount | Number of attachments in the email | plongs |
| microsoft365.defender.evidence.deliveryAction | Delivery action taken for the message | strings |
| microsoft365.defender.evidence.deliveryLocation | Location where the message was delivered | strings |
| microsoft365.defender.evidence.internetMessageId | Public-facing Message-ID for the email | strings |
| microsoft365.defender.evidence.language | Detected language of the email content | strings |
| microsoft365.defender.evidence.networkMessageId | Microsoft 365 generated unique identifier for the email | strings |
| microsoft365.defender.evidence.p1Sender.displayName | Display name of the sender | strings |
| microsoft365.defender.evidence.p1Sender.domainName | Sender's domain name | strings |
| microsoft365.defender.evidence.p1Sender.emailAddress | Sender email address | strings |
| microsoft365.defender.evidence.receivedDateTime | Date and time when the email was received | pdates |
| microsoft365.defender.evidence.recipientEmailAddress | Recipient email address (post-DL expansion if applicable) | strings |
| microsoft365.defender.evidence.senderIp | IP address of the last detected mail server that relayed the message | strings |
| microsoft365.defender.evidence.subject | Subject of the email or Teams message | strings |
| microsoft365.defender.evidence.threatDetectionMethods | Methods used to detect threats in the message | strings |
| microsoft365.defender.evidence.threats | Detection names for malware or other threats found | strings |
| microsoft365.defender.evidence.urlCount | Number of embedded URLs in the email | plongs |
| microsoft365.defender.evidence.urls | URLs contained in the email | strings |
| microsoft365.defender.evidence.urn | Uniform resource name of the automated investigation associated with the evidence | strings |
| microsoft365.defender.evidence.resourceId | Unique identifiers for Azure resources referenced by evidence | strings |
| microsoft365.defender.evidence.name | Names of namespaces, controllers, service accounts, blobs, secrets, clusters, pods, containers, or services | strings |
| microsoft365.defender.evidence.storageResource.createdDateTime | Timestamps when storage-related evidence was created and added to the alert | pdates |
| microsoft365.defender.evidence.storageResource.remediationStatusDetails | Details about remediation status for storage-related evidence | strings |
| microsoft365.defender.evidence.storageResource.resourceId | Azure resource identifiers for storage-related evidence | strings |
| microsoft365.defender.evidence.storageResource.resourceName | Names of storage-related resources | strings |
| microsoft365.defender.evidence.storageResource.resourceType | Types of storage-related resources | strings |
| microsoft365.defender.evidence.storageResource.tags | Custom tags associated with storage-related evidence | strings |
| microsoft365.defender.evidence.storageResource.verdict.createdDateTime | Timestamp when the storage resource verdict evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.storageResource.verdict.detailedRoles | Free-form detailed description of the entity roles in the alert. | strings |
| microsoft365.defender.evidence.storageResource.verdict.remediationStatus | Remediation status assigned to the evidence by automated investigation. | strings |
| microsoft365.defender.evidence.storageResource.verdict.remediationStatusDetails | Details describing the remediation status for the storage resource verdict. | strings |
| microsoft365.defender.evidence.storageResource.verdict.roles | Roles that the evidence entity represents in the alert. | strings |
| microsoft365.defender.evidence.storageResource.verdict.tags | Custom tags associated with the storage resource verdict evidence. | strings |
| microsoft365.defender.evidence.storageResource.verdict.verdict | Decision reached by automated investigation for the storage resource (e.g., malicious, suspicious). | strings |
| microsoft365.defender.evidence.url | Full URL of the storage resource or blob. | strings |
| microsoft365.defender.evidence.blobContainer.createdDateTime | Timestamp when the blob container evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.name | Name of the blob container. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.createdDateTime | Timestamp when the remediation status evidence for the blob container was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.remediationStatus.detailedRoles | Free-form details of the entity roles for the blob container remediation status. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.remediationStatus | Remediation status for the blob container evidence. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.remediationStatusDetails | Details about the remediation status for the blob container. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.roles | Entity roles related to the blob container remediation status. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.tags | Custom tags associated with the blob container remediation status evidence. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.verdict | Automated investigation decision for the blob container remediation status. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatusDetails | Details about the remediation status for the blob container evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.createdDateTime | Timestamp when the blob container roles evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.roles.detailedRoles | Free-form details of entity roles for the blob container. | strings |
| microsoft365.defender.evidence.blobContainer.roles.remediationStatus | Remediation status associated with the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.remediationStatusDetails | Details about remediation status for the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.roles | Roles that the blob container evidence entity represents. | strings |
| microsoft365.defender.evidence.blobContainer.roles.tags | Custom tags associated with the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.verdict | Automated investigation decision for the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.createdDateTime | Timestamp when the storage resource evidence for the blob container was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.storageResource.remediationStatusDetails | Details about the remediation status for the blob container storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.resourceId | Unique identifier for the Azure storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.resourceName | Name of the Azure storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.resourceType | Type of the Azure storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.tags | Custom tags associated with the blob container storage resource evidence. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.createdDateTime | Timestamp when the storage resource verdict evidence for the blob container was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.detailedRoles | Free-form details of roles for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.remediationStatus | Remediation status for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.remediationStatusDetails | Details about remediation status for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.roles | Entity roles for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.tags | Custom tags for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.verdict | Automated investigation decision for the blob container storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.tags | Custom tags associated with the blob container evidence. | strings |
| microsoft365.defender.evidence.blobContainer.url | Full URL representation of the blob container. | strings |
| microsoft365.defender.evidence.etag | ETag associated with the blob. | strings |
| microsoft365.defender.evidence.fileHashes.algorithm | File hash algorithm used (e.g., md5, sha1, sha256). | strings |
| microsoft365.defender.evidence.fileHashes.value | File hash value associated with the evidence. | strings |
| microsoft365.defender.evidence.appId | Unique identifier of the application. | strings |
| microsoft365.defender.evidence.displayName | Display name associated with the entity (mailbox, security group, or application). | strings |
| microsoft365.defender.evidence.instanceId | Identifier of the SaaS application instance. | plongs |
| microsoft365.defender.evidence.instanceName | Name of the SaaS application instance. | strings |
| microsoft365.defender.evidence.saasAppId | Identifier of the SaaS application. | plongs |
| microsoft365.defender.evidence.requestId | Unique identifier for the sign-in request. | strings |
| microsoft365.defender.evidence.sessionId | Session identifier for the account reported in the alert. | strings |
| microsoft365.defender.evidence.account.userAccount.accountName | Displayed name of the user account. | strings |
| microsoft365.defender.evidence.account.userAccount.azureAdUserId | User object identifier in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.account.userAccount.displayName | User display name in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.account.userAccount.domainName | Active Directory domain name of which the user is a member. | strings |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.accessDateTime | Timestamp of the resource access event. | pdates |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.accountId | Identifier of the user account for the access event. | strings |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.ipAddress | IP address of the accessed resource. | strings |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.resourceIdentifier | Protocol and host name pairs describing the connection to the resource. | strings |
| microsoft365.defender.evidence.account.userAccount.userPrincipalName | User principal name of the account in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.account.userAccount.userSid | Local security identifier (SID) of the user account. | strings |
| microsoft365.defender.evidence.protocol | Authentication protocol used in the session, if known. | strings |
| microsoft365.defender.evidence.deviceName | Friendly name of the device, if known. | strings |
| microsoft365.defender.evidence.operatingSystem | Operating system the device is running, if known. | strings |
| microsoft365.defender.evidence.browser | Browser used for the sign-in, if known. | strings |
| microsoft365.defender.evidence.userAgent | User agent string used for the sign-in, if known. | strings |
| microsoft365.defender.evidence.startUtcDateTime | Session start time in UTC, if known. | pdates |
| microsoft365.defender.evidence.previousLogonDateTime | Previous sign-in time for this account, if known. | pdates |
| microsoft365.defender.evidence.args | List of command arguments associated with the evidence. | strings |
| microsoft365.defender.evidence.command | List of commands associated with the evidence. | strings |
| microsoft365.defender.evidence.containerId | Identifier of the container instance. | strings |
| microsoft365.defender.evidence.image.createdDateTime | Timestamp when the container image evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.imageId | Unique identifier for the container image entity. | strings |
| microsoft365.defender.evidence.image.registry.createdDateTime | Timestamp when the image registry evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.registry | Container registry URI. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.createdDateTime | Timestamp when the image registry remediation status evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.remediationStatus.detailedRoles | Free-form details of roles related to the image registry remediation status. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.remediationStatus | Remediation status for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.remediationStatusDetails | Details about the remediation status for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.roles | Entity roles for the image registry remediation status. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.tags | Custom tags for the image registry remediation status evidence. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.verdict | Automated investigation decision for the image registry remediation status. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatusDetails | Remediation status details for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.createdDateTime | Timestamp when the image registry roles evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.roles.detailedRoles | Free-form details of entity roles for the image registry. | strings |
| microsoft365.defender.evidence.image.registry.roles.remediationStatus | Remediation status associated with the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.remediationStatusDetails | Details about remediation status for the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.roles | Roles that the image registry evidence entity represents. | strings |
| microsoft365.defender.evidence.image.registry.roles.tags | Custom tags associated with the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.verdict | Automated investigation decision for the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.tags | Custom tags for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.verdict.createdDateTime | Timestamp when the image registry verdict evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.verdict.detailedRoles | Free-form details of roles for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.remediationStatus | Remediation status for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.remediationStatusDetails | Details about remediation status for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.roles | Entity roles for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.tags | Custom tags for the image registry verdict evidence. | strings |
| microsoft365.defender.evidence.image.registry.verdict.verdict | Automated investigation decision for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.remediationStatusDetails | Details about remediation status for the container image evidence. | strings |
| microsoft365.defender.evidence.image.tags | Custom tags associated with the container image evidence. | strings |
| microsoft365.defender.evidence.isPrivileged | Whether the entity has privileged status. | booleans |
| microsoft365.defender.evidence.pod.controller.createdDateTime | Timestamp when this controller evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.name | The controller name. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.createdDateTime | Timestamp when this cloud resource evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.detailedRoles | Free-form detailed description of the entity roles in the alert. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.remediationStatus | Remediation status for the cloud resource evidence (e.g., none, remediated, prevented, blocked, notFound, active, pendingApproval, declined, unremediated, running, partiallyRemediated, unknownFutureValue). | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.remediationStatusDetails | Details about the remediation status for the cloud resource evidence. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.roles | The role(s) the cloud resource entity represents in the alert. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.tags | Custom tags associated with the cloud resource evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.verdict | Automated investigation verdict for the cloud resource evidence (e.g., unknown, suspicious, malicious, noThreatsFound, unknownFutureValue). | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.createdDateTime | Timestamp when this cluster evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.distribution | The distribution type of the Kubernetes cluster. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.name | The cluster name. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.platform | The platform the cluster runs on (e.g., unknown, aks, eks, gke, arc, unknownFutureValue). | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.remediationStatusDetails | Details about the remediation status for the cluster evidence. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.tags | Custom tags associated with the cluster evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.version | The Kubernetes version of the cluster. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.createdDateTime | Timestamp when this namespace evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.namespace.name | The Kubernetes namespace name. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.remediationStatusDetails | Details about the remediation status for the namespace evidence. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.tags | Custom tags associated with the namespace evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.remediationStatusDetails | Details about the remediation status for the controller evidence. | strings |
| microsoft365.defender.evidence.pod.controller.tags | Custom tags associated with the controller evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.type | The controller type. | strings |
| microsoft365.defender.evidence.pod.createdDateTime | Timestamp when this pod evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.name | The pod name. | strings |
| microsoft365.defender.evidence.pod.podIp.countryLetterCode | Two-letter ISO 3166 country code associated with the pod IP. | strings |
| microsoft365.defender.evidence.pod.podIp.ipAddress | Pod IP address (IPv4 or IPv6). | strings |
| microsoft365.defender.evidence.pod.remediationStatusDetails | Details about the remediation status for the pod evidence. | strings |
| microsoft365.defender.evidence.pod.serviceAccount.createdDateTime | Timestamp when this service account evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.serviceAccount.name | The service account name. | strings |
| microsoft365.defender.evidence.pod.serviceAccount.remediationStatusDetails | Details about the remediation status for the service account evidence. | strings |
| microsoft365.defender.evidence.pod.serviceAccount.tags | Custom tags associated with the service account evidence instance. | strings |
| microsoft365.defender.evidence.pod.tags | Custom tags associated with the pod evidence instance. | strings |
| microsoft365.defender.evidence.imageId | Unique identifier of the container image entity. | strings |
| microsoft365.defender.evidence.registry.createdDateTime | Timestamp when this registry evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.registry.registry | The registry URI. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.createdDateTime | Timestamp when the remediation status evidence entry for the registry was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.registry.remediationStatus.detailedRoles | Free-form detailed description of registry entity roles. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.remediationStatus | Remediation status for the registry evidence. | strings |
microsoft365.defender.evidence.registry.remediationStatus.remediationStatusDetails Details about the remediation status for the registry evidence. | strings |
microsoft365.defender.evidence.registry.remediationStatus.roles The role(s) the registry entity represents in the alert. | strings |
microsoft365.defender.evidence.registry.remediationStatus.tags Custom tags associated with the registry remediation status evidence instance. | strings |
microsoft365.defender.evidence.registry.remediationStatus.verdict Automated investigation verdict for the registry evidence. | strings |
microsoft365.defender.evidence.registry.remediationStatusDetails Details about the remediation status for the registry evidence (inherited). | strings |
microsoft365.defender.evidence.registry.roles.createdDateTime Timestamp when registry roles evidence was created (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.registry.roles.detailedRoles Free-form detailed description of roles for the registry entity. | strings |
microsoft365.defender.evidence.registry.roles.remediationStatus Remediation status for the registry entity roles. | strings |
microsoft365.defender.evidence.registry.roles.remediationStatusDetails Details about the remediation status for registry roles evidence. | strings |
microsoft365.defender.evidence.registry.roles.roles The role(s) the registry entity represents in the alert. | strings |
microsoft365.defender.evidence.registry.roles.tags Custom tags associated with the registry roles evidence instance. | strings |
microsoft365.defender.evidence.registry.roles.verdict Automated investigation verdict for the registry roles evidence. | strings |
microsoft365.defender.evidence.registry.tags Custom tags associated with the registry evidence instance. | strings |
microsoft365.defender.evidence.registry.verdict.createdDateTime Timestamp when registry verdict evidence was created (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.registry.verdict.detailedRoles Free-form detailed description of roles for the registry verdict evidence. | strings |
microsoft365.defender.evidence.registry.verdict.remediationStatus Remediation status for the registry verdict evidence. | strings |
microsoft365.defender.evidence.registry.verdict.remediationStatusDetails Details about the remediation status for the registry verdict evidence. | strings |
microsoft365.defender.evidence.registry.verdict.roles The role(s) represented by the registry verdict evidence. | strings |
microsoft365.defender.evidence.registry.verdict.tags Custom tags associated with the registry verdict evidence instance. | strings |
microsoft365.defender.evidence.registry.verdict.verdict Automated investigation verdict value for the registry evidence. | strings |
microsoft365.defender.evidence.registry The registry URI. | strings |
microsoft365.defender.evidence.azureAdDeviceId Microsoft Entra (Azure AD) device ID assigned when the device is Entra joined. | strings |
microsoft365.defender.evidence.defenderAvStatus State of the Defender AntiMalware engine for the device. | strings |
microsoft365.defender.evidence.deviceDnsName Fully qualified domain name (FQDN) of the device. | strings |
microsoft365.defender.evidence.dnsDomain DNS domain the device belongs to (labels separated by dots). | strings |
microsoft365.defender.evidence.firstSeenDateTime Timestamp when the device was first seen. | pdates |
microsoft365.defender.evidence.healthStatus Health state of the device (e.g., active, inactive, impairedCommunication, noSensorData, unknown). | strings |
microsoft365.defender.evidence.hostName Hostname of the device without the domain suffix. | strings |
microsoft365.defender.evidence.ipInterfaces IP interfaces of the device during the alert timeframe. | strings |
microsoft365.defender.evidence.loggedOnUsers.accountName User account name of a logged-on user. | strings |
microsoft365.defender.evidence.loggedOnUsers.domainName Account domain of a logged-on user. | strings |
microsoft365.defender.evidence.mdeDeviceId Microsoft Defender for Endpoint device identifier. | strings |
microsoft365.defender.evidence.ntDomain Windows NT domain of the device. | strings |
microsoft365.defender.evidence.onboardingStatus Onboarding status to Microsoft Defender for Endpoint. | strings |
microsoft365.defender.evidence.osBuild Operating system build version number of the device. | plongs |
microsoft365.defender.evidence.osPlatform Operating system platform of the device. | strings |
microsoft365.defender.evidence.rbacGroupId RBAC device group numeric identifier. | pints |
microsoft365.defender.evidence.rbacGroupName Name of the RBAC device group. | strings |
microsoft365.defender.evidence.riskScore Device risk score as evaluated by Microsoft Defender for Endpoint. | strings |
microsoft365.defender.evidence.version Version of the operating system platform running on the device. | strings |
microsoft365.defender.evidence.vmMetadata.cloudProvider Cloud provider hosting the VM (e.g., unknown, azure, unknownFutureValue). | strings |
microsoft365.defender.evidence.vmMetadata.resourceId Azure resource unique identifier. | strings |
microsoft365.defender.evidence.vmMetadata.subscriptionId Azure subscription unique identifier for the tenant. | strings |
microsoft365.defender.evidence.vmMetadata.vmId Unique identifier of the virtual machine instance. | strings |
microsoft365.defender.evidence.detectionStatus Detection status (e.g., detected, blocked, prevented, unknownFutureValue). | strings |
microsoft365.defender.evidence.fileDetails.fileName File name. | strings |
microsoft365.defender.evidence.fileDetails.filePath File path (location) of the file instance. | strings |
microsoft365.defender.evidence.fileDetails.filePublisher Publisher of the file. | strings |
microsoft365.defender.evidence.fileDetails.fileSize Size of the file in bytes. | plongs |
microsoft365.defender.evidence.fileDetails.issuer Certificate authority that issued the file's certificate. | strings |
microsoft365.defender.evidence.fileDetails.md5 MD5 cryptographic hash of the file content. | strings |
microsoft365.defender.evidence.fileDetails.sha1 SHA-1 cryptographic hash of the file content. | strings |
microsoft365.defender.evidence.fileDetails.sha256 SHA-256 cryptographic hash of the file content. | strings |
microsoft365.defender.evidence.fileDetails.sha265Ac SHA-256Ac cryptographic hash of the file content. | strings |
microsoft365.defender.evidence.fileDetails.signer Signer of the signed file. | strings |
microsoft365.defender.evidence.location Zone or region where the resource is located. | strings |
microsoft365.defender.evidence.locationType Type of location (e.g., unknown, regional, zonal, global, unknownFutureValue). | strings |
microsoft365.defender.evidence.projectId Google project ID as defined by the user. | strings |
microsoft365.defender.evidence.projectNumber Google-assigned project number. | plongs |
microsoft365.defender.evidence.ioTHub.createdDateTime Timestamp when the IoT Hub evidence was created and added to the alert (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.ioTHub.remediationStatus.createdDateTime Timestamp when the IoT Hub remediation status evidence entry was created (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.ioTHub.remediationStatus.detailedRoles Free-form detailed descriptions of the entity roles within the alert. | strings |
microsoft365.defender.evidence.ioTHub.remediationStatus.remediationStatus Remediation status values for the evidence entity. | strings |
microsoft365.defender.evidence.ioTHub.remediationStatus.remediationStatusDetails Details about the remediation status. | strings |
microsoft365.defender.evidence.ioTHub.remediationStatus.roles Evidence roles represented by the entity in the alert. | strings |
microsoft365.defender.evidence.ioTHub.remediationStatus.tags Custom tags associated with the evidence instance. | strings |
microsoft365.defender.evidence.ioTHub.remediationStatus.verdict Automated investigation verdicts for the evidence entity. | strings |
microsoft365.defender.evidence.ioTHub.remediationStatusDetails Details about the remediation status. | strings |
microsoft365.defender.evidence.ioTHub.resourceId Unique identifier of the Azure resource related to the IoT Hub evidence. | strings |
microsoft365.defender.evidence.ioTHub.resourceName Name of the Azure resource related to the IoT Hub evidence. | strings |
microsoft365.defender.evidence.ioTHub.resourceType Type of the Azure resource related to the IoT Hub evidence. | strings |
microsoft365.defender.evidence.ioTHub.roles.createdDateTime Timestamps when the evidence roles were added to the alert (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.ioTHub.roles.detailedRoles Free-form detailed role descriptions for the entity within the alert. | strings |
microsoft365.defender.evidence.ioTHub.roles.remediationStatus Remediation status values associated with the evidence roles. | strings |
microsoft365.defender.evidence.ioTHub.roles.remediationStatusDetails Details about remediation status for the evidence roles. | strings |
microsoft365.defender.evidence.ioTHub.roles.roles Evidence roles represented by the entity. | strings |
microsoft365.defender.evidence.ioTHub.roles.tags Custom tags associated with the roles evidence. | strings |
microsoft365.defender.evidence.ioTHub.roles.verdict Automated investigation verdicts associated with the roles. | strings |
microsoft365.defender.evidence.ioTHub.tags Custom tags associated with the IoT Hub evidence instance. | strings |
microsoft365.defender.evidence.ioTHub.verdict.createdDateTime Timestamps when verdict evidence was added to the alert (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.ioTHub.verdict.detailedRoles Free-form detailed role descriptions in verdict context. | strings |
microsoft365.defender.evidence.ioTHub.verdict.remediationStatus Remediation status values in verdict context. | strings |
microsoft365.defender.evidence.ioTHub.verdict.remediationStatusDetails Details about remediation status in verdict context. | strings |
microsoft365.defender.evidence.ioTHub.verdict.roles Evidence roles represented in verdict context. | strings |
microsoft365.defender.evidence.ioTHub.verdict.tags Custom tags associated with the verdict evidence. | strings |
microsoft365.defender.evidence.ioTHub.verdict.verdict Automated investigation verdict values. | strings |
microsoft365.defender.evidence.deviceId Identifier of the device. | strings |
microsoft365.defender.evidence.owners Owners associated with the device. | strings |
microsoft365.defender.evidence.ioTSecurityAgentId Identifier of the Azure Security Center for IoT agent running on the device. | strings |
microsoft365.defender.evidence.deviceType Type classification of the device (for example, temperature sensor). | strings |
microsoft365.defender.evidence.source Source vendor for the device entity (microsoft or external vendor). | strings |
microsoft365.defender.evidence.sourceRef.url URL reference for the source entity. | strings |
microsoft365.defender.evidence.manufacturer Manufacturer of the device. | strings |
microsoft365.defender.evidence.model Model designation of the device. | strings |
microsoft365.defender.evidence.ipAddress.countryLetterCode ISO 3166 two-letter country code associated with the IP address. | strings |
microsoft365.defender.evidence.ipAddress.ipAddress IP address value (IPv4 or IPv6) associated with the evidence. | strings |
microsoft365.defender.evidence.macAddress MAC address associated with the device or NIC. | strings |
microsoft365.defender.evidence.nics.macAddress MAC address of the network interface card (NIC). | strings |
microsoft365.defender.evidence.nics.vlans Current VLAN identifiers associated with the NIC. | strings |
microsoft365.defender.evidence.protocols List of protocols supported by the device. | strings |
microsoft365.defender.evidence.serialNumber Serial number of the device. | strings |
microsoft365.defender.evidence.site Site location of the device. | strings |
microsoft365.defender.evidence.zone Zone location of the device within a site. | strings |
microsoft365.defender.evidence.sensor Sensor that monitors the device. | strings |
microsoft365.defender.evidence.importance Importance level classification for the IoT device. | strings |
microsoft365.defender.evidence.purdueLayer Purdue model layer classification for the device. | strings |
microsoft365.defender.evidence.isProgramming Indicates whether the device is classified as a programming device. | booleans |
microsoft365.defender.evidence.isAuthorized Indicates whether the device is classified as authorized. | booleans |
microsoft365.defender.evidence.isScanner Indicates whether the device is classified as a scanner. | booleans |
microsoft365.defender.evidence.devicePageLink URL to the device page within Defender for IoT portal. | strings |
microsoft365.defender.evidence.deviceSubType Subtype classification of the device. | strings |
microsoft365.defender.evidence.countryLetterCode ISO 3166 two-letter country code associated with the device. | strings |
microsoft365.defender.evidence.ipAddress IP address value (IPv4 or IPv6) associated with the device. | strings |
microsoft365.defender.evidence.cloudResource.createdDateTime Timestamps when cloud resource evidence was added to the alert (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.cloudResource.detailedRoles Free-form detailed descriptions of roles for the cloud resource evidence. | strings |
microsoft365.defender.evidence.cloudResource.remediationStatus Remediation status values for the cloud resource evidence. | strings |
microsoft365.defender.evidence.cloudResource.remediationStatusDetails Details about remediation status for the cloud resource evidence. | strings |
microsoft365.defender.evidence.cloudResource.roles Evidence roles represented by the cloud resource. | strings |
microsoft365.defender.evidence.cloudResource.tags Custom tags associated with the cloud resource evidence. | strings |
microsoft365.defender.evidence.cloudResource.verdict Automated investigation verdict values for the cloud resource evidence. | strings |
microsoft365.defender.evidence.distribution Distribution type of the Kubernetes cluster. | strings |
microsoft365.defender.evidence.platform Platform on which the Kubernetes cluster runs (for example, AKS/EKS/GKE). | strings |
microsoft365.defender.evidence.namespace.cluster.cloudResource.createdDateTime Timestamps when the cluster cloud resource evidence was added (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.namespace.cluster.cloudResource.detailedRoles Free-form role descriptions for the cluster cloud resource. | strings |
microsoft365.defender.evidence.namespace.cluster.cloudResource.remediationStatus Remediation status values for the cluster cloud resource. | strings |
microsoft365.defender.evidence.namespace.cluster.cloudResource.remediationStatusDetails Details about remediation status for the cluster cloud resource. | strings |
microsoft365.defender.evidence.namespace.cluster.cloudResource.roles Evidence roles for the cluster cloud resource. | strings |
microsoft365.defender.evidence.namespace.cluster.cloudResource.tags Custom tags for the cluster cloud resource evidence. | strings |
microsoft365.defender.evidence.namespace.cluster.cloudResource.verdict Automated investigation verdict values for the cluster cloud resource. | strings |
microsoft365.defender.evidence.namespace.cluster.createdDateTime Timestamps when cluster evidence was added (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.namespace.cluster.distribution Distribution type of the cluster. | strings |
microsoft365.defender.evidence.namespace.cluster.name Name of the Kubernetes cluster. | strings |
microsoft365.defender.evidence.namespace.cluster.platform Platform on which the cluster runs. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.createdDateTime Timestamps when the remediation status evidence for the cluster was added (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.detailedRoles Free-form detailed role descriptions in the cluster remediation status context. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.remediationStatus Remediation status values in the cluster context. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.remediationStatusDetails Details about the remediation status in the cluster context. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.roles Roles represented in the cluster remediation status context. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.tags Tags associated with the cluster remediation status evidence. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatus.verdict Automated investigation verdict values in the cluster context. | strings |
microsoft365.defender.evidence.namespace.cluster.remediationStatusDetails Details about the remediation status for the cluster. | strings |
microsoft365.defender.evidence.namespace.cluster.roles.createdDateTime Timestamps when cluster role evidence was added (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.namespace.cluster.roles.detailedRoles Free-form detailed role descriptions for the cluster. | strings |
microsoft365.defender.evidence.namespace.cluster.roles.remediationStatus Remediation status values for the cluster roles. | strings |
microsoft365.defender.evidence.namespace.cluster.roles.remediationStatusDetails Details about remediation status for the cluster roles. | strings |
microsoft365.defender.evidence.namespace.cluster.roles.roles Evidence roles represented in the cluster. | strings |
microsoft365.defender.evidence.namespace.cluster.roles.tags Custom tags associated with the cluster roles evidence. | strings |
microsoft365.defender.evidence.namespace.cluster.roles.verdict Automated investigation verdict values for the cluster roles. | strings |
microsoft365.defender.evidence.namespace.cluster.tags Custom tags associated with the cluster evidence. | strings |
microsoft365.defender.evidence.namespace.cluster.verdict.createdDateTime Timestamps when cluster verdict evidence was added (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.namespace.cluster.verdict.detailedRoles Free-form detailed role descriptions for the cluster verdict context. | strings |
microsoft365.defender.evidence.namespace.cluster.verdict.remediationStatus Remediation status values for the cluster verdict context. | strings |
microsoft365.defender.evidence.namespace.cluster.verdict.remediationStatusDetails Details about remediation status in the cluster verdict context. | strings |
microsoft365.defender.evidence.namespace.cluster.verdict.roles Evidence roles represented in the cluster verdict context. | strings |
microsoft365.defender.evidence.namespace.cluster.verdict.tags Custom tags associated with the cluster verdict evidence. | strings |
microsoft365.defender.evidence.namespace.cluster.verdict.verdict Automated investigation verdict values for the cluster. | strings |
microsoft365.defender.evidence.namespace.cluster.version Kubernetes version of the cluster. | strings |
microsoft365.defender.evidence.namespace.createdDateTime Timestamps when namespace evidence was added (UTC, ISO 8601). | pdates |
microsoft365.defender.evidence.namespace.name Kubernetes namespace name. | strings |
microsoft365.defender.evidence.namespace.remediationStatusDetails Details about the remediation status for the namespace. | strings |
microsoft365.defender.evidence.namespace.tags Custom tags associated with the namespace evidence. | strings |
microsoft365.defender.evidence.type The controller type for the evidence entity. | strings |
microsoft365.defender.evidence.cluster.cloudResource.createdDateTime UTC time the cloud resource evidence was created and added to the alert (ISO 8601). | pdates |
microsoft365.defender.evidence.cluster.cloudResource.detailedRoles Free-form detailed descriptions of the entity's roles in the alert. | strings |
microsoft365.defender.evidence.cluster.cloudResource.remediationStatus Status of the remediation action taken for the cloud resource evidence. | strings |
microsoft365.defender.evidence.cluster.cloudResource.remediationStatusDetails Details about the remediation status for the cloud resource evidence. | strings |
microsoft365.defender.evidence.cluster.cloudResource.roles Roles the cloud resource evidence represents in the alert. | strings |
microsoft365.defender.evidence.cluster.cloudResource.tags Custom tags associated with the cloud resource evidence instance. | strings |
microsoft365.defender.evidence.cluster.cloudResource.verdict Automated investigation verdict for the cloud resource evidence. | strings |
microsoft365.defender.evidence.cluster.createdDateTime UTC time the cluster evidence was created and added to the alert (ISO 8601). | pdates |
microsoft365.defender.evidence.cluster.distribution Distribution type of the Kubernetes cluster. | strings |
microsoft365.defender.evidence.cluster.name The Kubernetes cluster name. | strings |
microsoft365.defender.evidence.cluster.platform Platform the cluster runs on (for example: aks, eks, gke, arc). | strings |
microsoft365.defender.evidence.cluster.remediationStatus.createdDateTime UTC time the remediation status evidence was created and added (ISO 8601). | pdates |
microsoft365.defender.evidence.cluster.remediationStatus.detailedRoles Free-form detailed roles associated with remediation status. | strings |
microsoft365.defender.evidence.cluster.remediationStatus.remediationStatus Remediation action status for the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.remediationStatus.remediationStatusDetails Details about the remediation status for the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.remediationStatus.roles Roles represented by the cluster evidence in the alert context. | strings |
microsoft365.defender.evidence.cluster.remediationStatus.tags Custom tags associated with the remediation status evidence. | strings |
microsoft365.defender.evidence.cluster.remediationStatus.verdict Automated investigation verdict for the remediation status evidence. | strings |
microsoft365.defender.evidence.cluster.remediationStatusDetails Details about the remediation status for the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.roles.createdDateTime UTC time the roles evidence was created and added (ISO 8601). | pdates |
microsoft365.defender.evidence.cluster.roles.detailedRoles Free-form detailed roles for the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.roles.remediationStatus Remediation status associated with the cluster roles. | strings |
microsoft365.defender.evidence.cluster.roles.remediationStatusDetails Details about the remediation status associated with cluster roles. | strings |
microsoft365.defender.evidence.cluster.roles.roles Roles represented by the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.roles.tags Custom tags associated with the cluster roles evidence. | strings |
microsoft365.defender.evidence.cluster.roles.verdict Automated investigation verdict associated with cluster roles. | strings |
microsoft365.defender.evidence.cluster.tags Custom tags associated with the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.verdict.createdDateTime UTC time the verdict evidence was created and added (ISO 8601). | pdates |
microsoft365.defender.evidence.cluster.verdict.detailedRoles Free-form detailed roles associated with the verdict. | strings |
microsoft365.defender.evidence.cluster.verdict.remediationStatus Remediation status associated with the verdict. | strings |
microsoft365.defender.evidence.cluster.verdict.remediationStatusDetails Details about the remediation status associated with the verdict. | strings |
microsoft365.defender.evidence.cluster.verdict.roles Roles represented in the verdict evidence. | strings |
microsoft365.defender.evidence.cluster.verdict.tags Custom tags associated with the verdict evidence. | strings |
microsoft365.defender.evidence.cluster.verdict.verdict Automated investigation verdict value for the cluster evidence. | strings |
microsoft365.defender.evidence.cluster.version Kubernetes version of the cluster. | strings |
microsoft365.defender.evidence.containers.args List of container arguments. | strings |
microsoft365.defender.evidence.containers.command List of container commands. | strings |
microsoft365.defender.evidence.containers.containerId Container identifier. | strings |
microsoft365.defender.evidence.containers.createdDateTime UTC time the container evidence was created and added (ISO 8601). | pdates |
microsoft365.defender.evidence.containers.image.createdDateTime UTC time the container image evidence was created and added (ISO 8601). | pdates |
microsoft365.defender.evidence.containers.image.imageId Unique identifier (e.g., digest) for the container image. | strings |
microsoft365.defender.evidence.containers.image.registry.createdDateTime UTC time the registry evidence was created and added (ISO 8601). | pdates |
microsoft365.defender.evidence.containers.image.registry.registry Registry URI associated with the container image. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.createdDateTime UTC time the remediation status evidence for the registry was created (ISO 8601). | pdates |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.detailedRoles Free-form detailed roles for the registry remediation status. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.remediationStatus Remediation status for the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.remediationStatusDetails Details about the remediation status for the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.roles Roles represented by the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.tags Custom tags associated with the image registry remediation status. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatus.verdict Automated investigation verdict for the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.remediationStatusDetails Details about the remediation status for the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.roles.createdDateTime UTC time the registry roles evidence was created (ISO 8601). | pdates |
microsoft365.defender.evidence.containers.image.registry.roles.detailedRoles Free-form detailed roles for the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.roles.remediationStatus Remediation status for the image registry roles evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.roles.remediationStatusDetails Details about the remediation status for the image registry roles evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.roles.roles Roles represented by the image registry roles evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.roles.tags Custom tags associated with the image registry roles evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.roles.verdict Automated investigation verdict for the image registry roles evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.tags Custom tags associated with the image registry evidence. | strings |
microsoft365.defender.evidence.containers.image.registry.verdict.createdDateTime UTC time the image registry verdict evidence was created (ISO 8601). | pdates |
| microsoft365.defender.evidence.containers.image.registry.verdict.detailedRoles Free-form detailed roles associated with the image registry verdict. | strings |
| microsoft365.defender.evidence.containers.image.registry.verdict.remediationStatus Remediation status associated with the image registry verdict. | strings |
| microsoft365.defender.evidence.containers.image.registry.verdict.remediationStatusDetails Details about the remediation status associated with the image registry verdict. | strings |
| microsoft365.defender.evidence.containers.image.registry.verdict.roles Roles represented in the image registry verdict evidence. | strings |
| microsoft365.defender.evidence.containers.image.registry.verdict.tags Custom tags associated with the image registry verdict evidence. | strings |
| microsoft365.defender.evidence.containers.image.registry.verdict.verdict Automated investigation verdict value for the image registry evidence. | strings |
| microsoft365.defender.evidence.containers.image.remediationStatusDetails Details about the remediation status for the container image evidence. | strings |
| microsoft365.defender.evidence.containers.image.tags Custom tags associated with the container image evidence. | strings |
| microsoft365.defender.evidence.containers.isPrivileged Privileged status of the container. | booleans |
| microsoft365.defender.evidence.containers.name Container name. | strings |
| microsoft365.defender.evidence.containers.remediationStatusDetails Details about the remediation status for the container evidence. | strings |
| microsoft365.defender.evidence.containers.tags Custom tags associated with the container evidence. | strings |
| microsoft365.defender.evidence.controller.createdDateTime UTC time the controller evidence was created and added (ISO 8601). | pdates |
| microsoft365.defender.evidence.controller.name Controller name. | strings |
| microsoft365.defender.evidence.controller.remediationStatusDetails Details about the remediation status for the controller evidence. | strings |
| microsoft365.defender.evidence.controller.tags Custom tags associated with the controller evidence. | strings |
| microsoft365.defender.evidence.controller.type Controller type. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.createdDateTime UTC time the namespace cluster cloud resource evidence was created (ISO 8601). | pdates |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.detailedRoles Free-form detailed roles for the namespace cluster cloud resource. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.remediationStatus Remediation status for the namespace cluster cloud resource. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.remediationStatusDetails Details about remediation status for the namespace cluster cloud resource. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.roles Roles represented by the namespace cluster cloud resource. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.tags Custom tags for the namespace cluster cloud resource. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.verdict Automated investigation verdict for the namespace cluster cloud resource. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.createdDateTime UTC time the namespace cluster evidence was created (ISO 8601). | pdates |
| microsoft365.defender.evidence.controller.namespace.cluster.distribution Distribution type of the namespace's cluster. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.name Name of the cluster for the controller's namespace. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.platform Platform on which the namespace's cluster runs. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.remediationStatusDetails Details about remediation status for the namespace's cluster. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.tags Custom tags associated with the namespace's cluster. | strings |
| microsoft365.defender.evidence.controller.namespace.cluster.version Kubernetes version of the namespace's cluster. | strings |
| microsoft365.defender.evidence.controller.namespace.createdDateTime UTC time the namespace evidence was created (ISO 8601). | pdates |
| microsoft365.defender.evidence.controller.namespace.name Kubernetes namespace name for the controller. | strings |
| microsoft365.defender.evidence.controller.namespace.remediationStatusDetails Details about the remediation status for the controller's namespace. | strings |
| microsoft365.defender.evidence.controller.namespace.tags Custom tags associated with the controller's namespace. | strings |
| microsoft365.defender.evidence.podIp.countryLetterCode Two-letter country code (ISO 3166) associated with the pod IP. | strings |
| microsoft365.defender.evidence.podIp.ipAddress Pod IP address (IPv4 or IPv6). | strings |
| microsoft365.defender.evidence.serviceAccount.createdDateTime UTC time the service account evidence was created (ISO 8601). | pdates |
| microsoft365.defender.evidence.serviceAccount.name Service account name. | strings |
| microsoft365.defender.evidence.serviceAccount.remediationStatusDetails Details about the remediation status of the service account evidence. | strings |
| microsoft365.defender.evidence.serviceAccount.tags Custom tags associated with the evidence instance. | strings |
| microsoft365.defender.evidence.secretType Secret type(s), including built-in and custom Kubernetes secret kinds. | strings |
| microsoft365.defender.evidence.clusterIP.countryLetterCode Two-letter ISO 3166 country code for the cluster IP. | strings |
| microsoft365.defender.evidence.clusterIP.ipAddress Cluster IP address (IPv4 or IPv6). | strings |
| microsoft365.defender.evidence.servicePorts.appProtocol Application protocol associated with the service port. | strings |
| microsoft365.defender.evidence.servicePorts.name Name of the service port. | strings |
| microsoft365.defender.evidence.servicePorts.nodePort NodePort on which the service is exposed. | pints |
| microsoft365.defender.evidence.servicePorts.port Service port exposed by the service. | pints |
| microsoft365.defender.evidence.servicePorts.protocol Transport protocol used by the service port. | strings |
| microsoft365.defender.evidence.servicePorts.targetPort Target port (name or number) on the pods selected by the service. | strings |
| microsoft365.defender.evidence.serviceType Kubernetes service type for the evidence. | strings |
| microsoft365.defender.evidence.clusterBy Clustering logic used for grouping similar emails. | strings |
| microsoft365.defender.evidence.clusterByValue Value used as the basis for clustering similar emails. | strings |
| microsoft365.defender.evidence.emailCount Number of emails in the email cluster. | plongs |
| microsoft365.defender.evidence.networkMessageIds Microsoft 365-generated identifiers for messages in the cluster. | strings |
| microsoft365.defender.evidence.query Query used to identify the email cluster. | strings |
| microsoft365.defender.evidence.primaryAddress Primary email address of the mailbox. | strings |
| microsoft365.defender.evidence.upn User principal name of the mailbox. | strings |
| microsoft365.defender.evidence.userAccount.accountName Displayed name of the user account. | strings |
| microsoft365.defender.evidence.userAccount.azureAdUserId User object identifier in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.userAccount.displayName Display name of the user in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.userAccount.domainName Active Directory domain name of the user. | strings |
| microsoft365.defender.evidence.userAccount.resourceAccessEvents.accessDateTime Timestamp of the resource access event (UTC). | pdates |
| microsoft365.defender.evidence.userAccount.resourceAccessEvents.accountId Identifier of the user account for the access event. | strings |
| microsoft365.defender.evidence.userAccount.resourceAccessEvents.ipAddress IP address of the accessed resource. | strings |
| microsoft365.defender.evidence.userAccount.resourceAccessEvents.resourceIdentifier Protocol and host name pair describing the accessed resource. | strings |
| microsoft365.defender.evidence.userAccount.userPrincipalName User principal name of the account in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.userAccount.userSid Local security identifier (SID) of the user account. | strings |
| microsoft365.defender.evidence.vlans Current VLAN identifiers associated with the NIC. | strings |
| microsoft365.defender.evidence.objectId Unique identifier of the application object in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.publisher Name of the application publisher. | strings |
| microsoft365.defender.evidence.imageFile.fileName File name of the image (executable/library). | strings |
| microsoft365.defender.evidence.imageFile.filePath File path of the image instance. | strings |
| microsoft365.defender.evidence.imageFile.filePublisher Publisher of the image file. | strings |
| microsoft365.defender.evidence.imageFile.fileSize Size of the image file in bytes. | plongs |
| microsoft365.defender.evidence.imageFile.issuer Certificate authority (issuer) for the file's signature. | strings |
| microsoft365.defender.evidence.imageFile.md5 MD5 cryptographic hash of the file content. | strings |
| microsoft365.defender.evidence.imageFile.sha1 SHA-1 cryptographic hash of the file content. | strings |
| microsoft365.defender.evidence.imageFile.sha256 SHA-256 cryptographic hash of the file content. | strings |
| microsoft365.defender.evidence.imageFile.sha265Ac SHA-256Ac cryptographic hash of the file content. | strings |
| microsoft365.defender.evidence.imageFile.signer Signer of the signed file. | strings |
| microsoft365.defender.evidence.parentProcessCreationDateTime UTC creation time of the parent process. | pdates |
| microsoft365.defender.evidence.parentProcessId Process ID (PID) of the parent process. | plongs |
| microsoft365.defender.evidence.processCommandLine Command line used to create the process. | strings |
| microsoft365.defender.evidence.processCreationDateTime UTC creation time of the process. | pdates |
| microsoft365.defender.evidence.processId Process ID (PID) of the process. | plongs |
| microsoft365.defender.evidence.registryHive Registry hive of the key involved in the recorded action. | strings |
| microsoft365.defender.evidence.registryKey Registry key path involved in the recorded action. | strings |
| microsoft365.defender.evidence.registryValue Data stored in the registry value at the time of the recorded action. | strings |
| microsoft365.defender.evidence.registryValueName Name of the registry value involved in the action. | strings |
| microsoft365.defender.evidence.registryValueType Data type of the registry value (e.g., string, binary). | strings |
| microsoft365.defender.evidence.securityGroupId Unique identifier of the security group. | strings |
| microsoft365.defender.evidence.campaignId Identifier of the campaign the Teams message is part of. | strings |
| microsoft365.defender.evidence.channelId Channel ID associated with the Teams message. | strings |
| microsoft365.defender.evidence.files.detectionStatus Detection status for the file in context. | strings |
| microsoft365.defender.evidence.files.fileDetails.fileName File name associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.filePath File path associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.filePublisher File publisher associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.fileSize Size in bytes of the file associated with the detection evidence. | plongs |
| microsoft365.defender.evidence.files.fileDetails.issuer Certificate authority (issuer) of the file associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.md5 MD5 hash of the file associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.sha1 SHA-1 hash of the file associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.sha256 SHA-256 hash of the file associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.sha265Ac SHA-256Ac hash of the file associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.fileDetails.signer Signer of the signed file associated with the detection evidence. | strings |
| microsoft365.defender.evidence.files.mdeDeviceId Microsoft Defender for Endpoint device identifier. | strings |
| microsoft365.defender.evidence.groupId Identifier of the team or group that the message is part of. | strings |
| microsoft365.defender.evidence.isExternal Indicates whether the message is owned by the reporting organization. | booleans |
| microsoft365.defender.evidence.isOwned Indicates whether the message is owned by your organization. | booleans |
| microsoft365.defender.evidence.lastModifiedDateTime UTC time when the message was last edited. | pdates |
| microsoft365.defender.evidence.messageDirection Direction of the Teams message (e.g., inbound, outbound). | strings |
| microsoft365.defender.evidence.messageId Message identifier unique within the thread. | strings |
| microsoft365.defender.evidence.owningTenantId Tenant ID (GUID) of the owner of the message. | strings |
| microsoft365.defender.evidence.parentMessageId Identifier of the message to which this message is a reply. | strings |
| microsoft365.defender.evidence.recipients Recipients of the Teams message. | strings |
| microsoft365.defender.evidence.senderFromAddress SMTP address of the sender. | strings |
| microsoft365.defender.evidence.senderIP IP address of the sender. | strings |
| microsoft365.defender.evidence.sourceAppName Source application of the message (e.g., desktop, mobile). | strings |
| microsoft365.defender.evidence.sourceId Source identifier of the Teams message. | strings |
| microsoft365.defender.evidence.suspiciousRecipients Recipients detected as suspicious. | strings |
| microsoft365.defender.evidence.threadId Identifier of the channel or chat the message is part of. | strings |
| microsoft365.defender.evidence.threadType Type of Teams message thread (Chat, Topic, Space, Meeting). | strings |
| microsoft365.defender.evidence.urls.url URL contained in the message evidence. | strings |
| microsoft365.defender.evidence.lastExternalIpAddress Last observed external (public/NAT) IP address associated with the evidence entity. | string |
| microsoft365.defender.evidence.lastIpAddress Last observed internal IP address associated with the evidence entity. | string |
| microsoft365.defender.evidence._odata.type OData type name that identifies the concrete evidence type. | string |

Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.