Microsoft 365 Defender

Cloud-based endpoint and identity protection logs

Global Fields (4)

| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |

Generic Fields (19)

These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.

| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.severity | Normalized severity field across log sources. | microsoft365.defender.severity | strings |
| gen.mail.sender | Email address of the message sender. | microsoft365.defender.evidence.p1Sender.emailAddress, microsoft365.defender.evidence.senderFromAddress | strings |
| gen.mail.receiver | Email address of the message recipient. | microsoft365.defender.evidence.recipientEmailAddress, microsoft365.defender.evidence.recipients | strings |
| gen.src.ip | Source IP address. | microsoft365.defender.evidence.senderIp, microsoft365.defender.evidence.senderIP | text_general |
| gen.mail.subject | Subject line of the email. | microsoft365.defender.evidence.subject | strings |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | microsoft365.defender.evidence.url, microsoft365.defender.evidence.blobContainer.url, microsoft365.defender.evidence.image.registry.registry, microsoft365.defender.evidence.userAccount.resourceAccessEvents.resourceIdentifier | string |
| gen.username | Username associated with the event. | microsoft365.defender.evidence.account.userAccount.userPrincipalName, microsoft365.defender.evidence.loggedOnUsers.accountName, microsoft365.defender.evidence.userAccount.accountName, microsoft365.defender.evidence.userAccount.userPrincipalName | text_general |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | microsoft365.defender.evidence.protocol, microsoft365.defender.evidence.protocols, microsoft365.defender.evidence.servicePorts.protocol | strings |
| gen.hostname | Normalized hostname of the system generating the log. | microsoft365.defender.evidence.deviceName, microsoft365.defender.evidence.deviceDnsName, microsoft365.defender.evidence.hostName | text_general |
| gen.dns.domain | Queried DNS domain name. | microsoft365.defender.evidence.dnsDomain | strings |
| gen.group | User group associated with the event. | microsoft365.defender.evidence.rbacGroupName, microsoft365.defender.evidence.securityGroupId | strings |
| gen.file.name | File name associated with the event. | microsoft365.defender.evidence.fileDetails.fileName, microsoft365.defender.evidence.imageFile.fileName, microsoft365.defender.evidence.files.fileDetails.fileName | strings |
| gen.file.path | Full file path associated with the event. | microsoft365.defender.evidence.fileDetails.filePath, microsoft365.defender.evidence.imageFile.filePath, microsoft365.defender.evidence.files.fileDetails.filePath | strings |
| gen.dest.port | Destination port number. | microsoft365.defender.evidence.servicePorts.nodePort, microsoft365.defender.evidence.servicePorts.port | pint |
| gen.vendor | Vendor name of the product generating the log. | microsoft365.defender.evidence.imageFile.filePublisher, microsoft365.defender.evidence.files.fileDetails.filePublisher | strings |
| gen.process.parent.pid | Process ID of the parent process. | microsoft365.defender.evidence.parentProcessId | pint |
| gen.process.commandline | Command line used to start the process. | microsoft365.defender.evidence.processCommandLine | string |
| gen.process.pid | Process ID of the running process. | microsoft365.defender.evidence.processId | pint |
| gen.av.status | Status of the antivirus event (e.g., success, failure). | microsoft365.defender.evidence.files.detectionStatus | strings |

Reference-Specific Fields (587)

| Field | Description | Type |
|---|---|---|
| microsoft365.defender.assignedTo | Owner of the incident or alert; free-editable text; null if unassigned | string |
| microsoft365.defender.classification | Alert/incident classification indicating whether it represents a true threat | string |
| microsoft365.defender.comments.comment | Text of investigator comments | text_generals |
| microsoft365.defender.comments.createdByDisplayName | Display name of the person or app that submitted the comment | strings |
| microsoft365.defender.comments.createdDateTime | Timestamps when comments were submitted | pdates |
| microsoft365.defender.createdDateTime | Time when the incident or alert was created | pdate |
| microsoft365.defender.customTags | Custom tags associated with the incident | strings |
| microsoft365.defender.description | Free-text description of the alert or incident | text_general |
| microsoft365.defender.determination | Determination/outcome of investigation or incident nature | string |
| microsoft365.defender.displayName | Incident name | string |
| microsoft365.defender.id | Unique identifier of the incident or alert resource | string |
| microsoft365.defender.incidentWebUrl | URL to the incident page in Microsoft 365 Defender | string |
| microsoft365.defender.lastModifiedBy | Identity that last modified the incident | string |
| microsoft365.defender.lastUpdateDateTime | Time when the incident or alert was last updated | pdate |
| microsoft365.defender.redirectIncidentId | Identifier of the incident to which this incident was redirected | string |
| microsoft365.defender.resolvingComment | Free-text explanation of the resolution and classification choice | text_general |
| microsoft365.defender.severity | Severity indicating potential impact | string |
| microsoft365.defender.status | Lifecycle status of the alert or incident | string |
| microsoft365.defender.summary | High-level overview of the attack and impacted assets | text_general |
| microsoft365.defender.systemTags | System-generated tags associated with the incident or alert | strings |
| microsoft365.defender.tenantId | Microsoft Entra tenant identifier where the alert was created | string |
| microsoft365.defender.actorDisplayName | Adversary or activity group name associated with the alert | string |
| microsoft365.defender.additionalData | Dynamic dictionary of other alert properties, including user-defined content | text_general |
| microsoft365.defender.alertPolicyId | Identifier of the policy that generated the alert | string |
| microsoft365.defender.alertWebUrl | URL for the Microsoft 365 Defender alert page | string |
| microsoft365.defender.category | MITRE ATT&CK-aligned kill-chain category of the alert | string |
| microsoft365.defender.customDetails | User-defined custom fields with string values | text_general |
| microsoft365.defender.detectionSource | Detection technology or sensor that identified the activity | string |
| microsoft365.defender.detectorId | Identifier of the detector that triggered the alert | string |
| microsoft365.defender.evidence.createdDateTime | Times when evidence items were created and added to the alert | pdates |
| microsoft365.defender.evidence.detailedRoles | Free-form detailed descriptions of the entity roles within the alert | strings |
| microsoft365.defender.evidence.remediationStatus | Remediation status values for evidence entities | strings |
| microsoft365.defender.evidence.remediationStatusDetails | Details describing remediation status for evidence entities | strings |
| microsoft365.defender.evidence.roles | Roles that evidence entities represent in the alert | strings |
| microsoft365.defender.evidence.tags | Custom tags associated with an evidence instance | strings |
| microsoft365.defender.evidence.verdict | Automated investigation verdicts for evidence entities | strings |
| microsoft365.defender.firstActivityDateTime | Earliest activity time associated with the alert | pdate |
| microsoft365.defender.incidentId | Identifier of the incident associated with this alert resource | string |
| microsoft365.defender.lastActivityDateTime | Latest activity time associated with the alert | pdate |
| microsoft365.defender.mitreTechniques | Attack techniques aligned with the MITRE ATT&CK framework | strings |
| microsoft365.defender.productName | Name of the product that published the alert | string |
| microsoft365.defender.providerAlertId | Provider’s native alert identifier | string |
| microsoft365.defender.recommendedActions | Recommended response and remediation actions for this alert | text_general |
| microsoft365.defender.resolvedDateTime | Time when the alert was resolved | pdate |
| microsoft365.defender.serviceSource | Service or product that created the alert | string |
| microsoft365.defender.threatDisplayName | Threat name associated with this alert | string |
| microsoft365.defender.threatFamilyName | Threat family name associated with this alert | string |
| microsoft365.defender.title | Short identifying title of the alert | string |
| microsoft365.defender.evidence.amazonAccountId | Unique identifiers for Amazon accounts involved | strings |
| microsoft365.defender.evidence.amazonResourceId | Amazon Resource Names (ARNs) for cloud resources | strings |
| microsoft365.defender.evidence.remediationStatus.createdDateTime | Timestamps associated with remediation status entries for evidence | pdates |
| microsoft365.defender.evidence.remediationStatus.detailedRoles | Detailed role descriptions associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.remediationStatus | Remediation status values associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.remediationStatusDetails | Details about remediation status for remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.roles | Roles associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.tags | Tags associated with remediation status entries | strings |
| microsoft365.defender.evidence.remediationStatus.verdict | Automated investigation verdicts associated with remediation status entries | strings |
| microsoft365.defender.evidence.resourceName | Names of cloud or container resources referenced by evidence | strings |
| microsoft365.defender.evidence.resourceType | Types of resources referenced by evidence | strings |
| microsoft365.defender.evidence.roles.createdDateTime | Timestamps for role entries attached to evidence | pdates |
| microsoft365.defender.evidence.roles.detailedRoles | Detailed descriptions of roles attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.remediationStatus | Remediation status values attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.remediationStatusDetails | Details about remediation status attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.roles | Roles that the evidence entities represent within the alert context | strings |
| microsoft365.defender.evidence.roles.tags | Tags attached to evidence roles entries | strings |
| microsoft365.defender.evidence.roles.verdict | Automated investigation verdicts attached to evidence roles entries | strings |
| microsoft365.defender.evidence.verdict.createdDateTime | Timestamps for verdict entries attached to evidence | pdates |
| microsoft365.defender.evidence.verdict.detailedRoles | Detailed descriptions of roles attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.remediationStatus | Remediation status values attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.remediationStatusDetails | Details about remediation status attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.roles | Roles attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.tags | Tags attached to verdict entries | strings |
| microsoft365.defender.evidence.verdict.verdict | Automated investigation verdict values for verdict entries | strings |
| microsoft365.defender.evidence.antiSpamDirection | Direction of the email relative to the organization (inbound/outbound/intraorg) | strings |
| microsoft365.defender.evidence.attachmentsCount | Number of attachments in the email | plongs |
| microsoft365.defender.evidence.deliveryAction | Delivery action taken for the message | strings |
| microsoft365.defender.evidence.deliveryLocation | Location where the message was delivered | strings |
| microsoft365.defender.evidence.internetMessageId | Public-facing Message-ID for the email | strings |
| microsoft365.defender.evidence.language | Detected language of the email content | strings |
| microsoft365.defender.evidence.networkMessageId | Microsoft 365 generated unique identifier for the email | strings |
| microsoft365.defender.evidence.p1Sender.displayName | Display name of the sender | strings |
| microsoft365.defender.evidence.p1Sender.domainName | Sender’s domain name | strings |
| microsoft365.defender.evidence.p1Sender.emailAddress | Sender email address | strings |
| microsoft365.defender.evidence.receivedDateTime | Date and time when the email was received | pdates |
| microsoft365.defender.evidence.recipientEmailAddress | Recipient email address (post-DL expansion if applicable) | strings |
| microsoft365.defender.evidence.senderIp | IP address of the last detected mail server that relayed the message | strings |
| microsoft365.defender.evidence.subject | Subject of the email or Teams message | strings |
| microsoft365.defender.evidence.threatDetectionMethods | Methods used to detect threats in the message | strings |
| microsoft365.defender.evidence.threats | Detection names for malware or other threats found | strings |
| microsoft365.defender.evidence.urlCount | Number of embedded URLs in the email | plongs |
| microsoft365.defender.evidence.urls | URLs contained in the email | strings |
| microsoft365.defender.evidence.urn | Uniform resource name of the automated investigation associated with the evidence | strings |
| microsoft365.defender.evidence.resourceId | Unique identifiers for Azure resources referenced by evidence | strings |
| microsoft365.defender.evidence.name | Names of namespaces, controllers, service accounts, blobs, secrets, clusters, pods, containers, or services | strings |
| microsoft365.defender.evidence.storageResource.createdDateTime | Timestamps when storage-related evidence was created and added to the alert | pdates |
| microsoft365.defender.evidence.storageResource.remediationStatusDetails | Details about remediation status for storage-related evidence | strings |
| microsoft365.defender.evidence.storageResource.resourceId | Azure resource identifiers for storage-related evidence | strings |
| microsoft365.defender.evidence.storageResource.resourceName | Names of storage-related resources | strings |
| microsoft365.defender.evidence.storageResource.resourceType | Types of storage-related resources | strings |
| microsoft365.defender.evidence.storageResource.tags | Custom tags associated with storage-related evidence | strings |
| microsoft365.defender.evidence.storageResource.verdict.createdDateTime | Timestamp when the storage resource verdict evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.storageResource.verdict.detailedRoles | Free-form detailed description of the entity roles in the alert. | strings |
| microsoft365.defender.evidence.storageResource.verdict.remediationStatus | Remediation status assigned to the evidence by automated investigation. | strings |
| microsoft365.defender.evidence.storageResource.verdict.remediationStatusDetails | Details describing the remediation status for the storage resource verdict. | strings |
| microsoft365.defender.evidence.storageResource.verdict.roles | Roles that the evidence entity represents in the alert. | strings |
| microsoft365.defender.evidence.storageResource.verdict.tags | Custom tags associated with the storage resource verdict evidence. | strings |
| microsoft365.defender.evidence.storageResource.verdict.verdict | Decision reached by automated investigation for the storage resource (e.g., malicious, suspicious). | strings |
| microsoft365.defender.evidence.url | Full URL of the storage resource or blob. | strings |
| microsoft365.defender.evidence.blobContainer.createdDateTime | Timestamp when the blob container evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.name | Name of the blob container. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.createdDateTime | Timestamp when the remediation status evidence for the blob container was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.remediationStatus.detailedRoles | Free-form details of the entity roles for the blob container remediation status. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.remediationStatus | Remediation status for the blob container evidence. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.remediationStatusDetails | Details about the remediation status for the blob container. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.roles | Entity roles related to the blob container remediation status. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.tags | Custom tags associated with the blob container remediation status evidence. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatus.verdict | Automated investigation decision for the blob container remediation status. | strings |
| microsoft365.defender.evidence.blobContainer.remediationStatusDetails | Details about the remediation status for the blob container evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.createdDateTime | Timestamp when the blob container roles evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.roles.detailedRoles | Free-form details of entity roles for the blob container. | strings |
| microsoft365.defender.evidence.blobContainer.roles.remediationStatus | Remediation status associated with the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.remediationStatusDetails | Details about remediation status for the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.roles | Roles that the blob container evidence entity represents. | strings |
| microsoft365.defender.evidence.blobContainer.roles.tags | Custom tags associated with the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.roles.verdict | Automated investigation decision for the blob container roles evidence. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.createdDateTime | Timestamp when the storage resource evidence for the blob container was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.storageResource.remediationStatusDetails | Details about the remediation status for the blob container storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.resourceId | Unique identifier for the Azure storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.resourceName | Name of the Azure storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.resourceType | Type of the Azure storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.tags | Custom tags associated with the blob container storage resource evidence. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.createdDateTime | Timestamp when the storage resource verdict evidence for the blob container was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.detailedRoles | Free-form details of roles for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.remediationStatus | Remediation status for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.remediationStatusDetails | Details about remediation status for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.roles | Entity roles for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.tags | Custom tags for the blob container storage resource verdict. | strings |
| microsoft365.defender.evidence.blobContainer.storageResource.verdict.verdict | Automated investigation decision for the blob container storage resource. | strings |
| microsoft365.defender.evidence.blobContainer.tags | Custom tags associated with the blob container evidence. | strings |
| microsoft365.defender.evidence.blobContainer.url | Full URL representation of the blob container. | strings |
| microsoft365.defender.evidence.etag | ETag associated with the blob. | strings |
| microsoft365.defender.evidence.fileHashes.algorithm | File hash algorithm used (e.g., md5, sha1, sha256). | strings |
| microsoft365.defender.evidence.fileHashes.value | File hash value associated with the evidence. | strings |
| microsoft365.defender.evidence.appId | Unique identifier of the application. | strings |
| microsoft365.defender.evidence.displayName | Display name associated with the entity (mailbox, security group, or application). | strings |
| microsoft365.defender.evidence.instanceId | Identifier of the SaaS application instance. | plongs |
| microsoft365.defender.evidence.instanceName | Name of the SaaS application instance. | strings |
| microsoft365.defender.evidence.saasAppId | Identifier of the SaaS application. | plongs |
| microsoft365.defender.evidence.requestId | Unique identifier for the sign-in request. | strings |
| microsoft365.defender.evidence.sessionId | Session identifier for the account reported in the alert. | strings |
| microsoft365.defender.evidence.account.userAccount.accountName | Displayed name of the user account. | strings |
| microsoft365.defender.evidence.account.userAccount.azureAdUserId | User object identifier in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.account.userAccount.displayName | User display name in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.account.userAccount.domainName | Active Directory domain name of which the user is a member. | strings |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.accessDateTime | Timestamp of the resource access event. | pdates |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.accountId | Identifier of the user account for the access event. | strings |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.ipAddress | IP address of the accessed resource. | strings |
| microsoft365.defender.evidence.account.userAccount.resourceAccessEvents.resourceIdentifier | Protocol and host name pairs describing the connection to the resource. | strings |
| microsoft365.defender.evidence.account.userAccount.userPrincipalName | User principal name of the account in Microsoft Entra ID. | strings |
| microsoft365.defender.evidence.account.userAccount.userSid | Local security identifier (SID) of the user account. | strings |
| microsoft365.defender.evidence.protocol | Authentication protocol used in the session, if known. | strings |
| microsoft365.defender.evidence.deviceName | Friendly name of the device, if known. | strings |
| microsoft365.defender.evidence.operatingSystem | Operating system the device is running, if known. | strings |
| microsoft365.defender.evidence.browser | Browser used for the sign-in, if known. | strings |
| microsoft365.defender.evidence.userAgent | User agent string used for the sign-in, if known. | strings |
| microsoft365.defender.evidence.startUtcDateTime | Session start time in UTC, if known. | pdates |
| microsoft365.defender.evidence.previousLogonDateTime | Previous sign-in time for this account, if known. | pdates |
| microsoft365.defender.evidence.args | List of command arguments associated with the evidence. | strings |
| microsoft365.defender.evidence.command | List of commands associated with the evidence. | strings |
| microsoft365.defender.evidence.containerId | Identifier of the container instance. | strings |
| microsoft365.defender.evidence.image.createdDateTime | Timestamp when the container image evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.imageId | Unique identifier for the container image entity. | strings |
| microsoft365.defender.evidence.image.registry.createdDateTime | Timestamp when the image registry evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.registry | Container registry URI. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.createdDateTime | Timestamp when the image registry remediation status evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.remediationStatus.detailedRoles | Free-form details of roles related to the image registry remediation status. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.remediationStatus | Remediation status for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.remediationStatusDetails | Details about the remediation status for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.roles | Entity roles for the image registry remediation status. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.tags | Custom tags for the image registry remediation status evidence. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatus.verdict | Automated investigation decision for the image registry remediation status. | strings |
| microsoft365.defender.evidence.image.registry.remediationStatusDetails | Remediation status details for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.createdDateTime | Timestamp when the image registry roles evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.roles.detailedRoles | Free-form details of entity roles for the image registry. | strings |
| microsoft365.defender.evidence.image.registry.roles.remediationStatus | Remediation status associated with the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.remediationStatusDetails | Details about remediation status for the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.roles | Roles that the image registry evidence entity represents. | strings |
| microsoft365.defender.evidence.image.registry.roles.tags | Custom tags associated with the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.roles.verdict | Automated investigation decision for the image registry roles evidence. | strings |
| microsoft365.defender.evidence.image.registry.tags | Custom tags for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.registry.verdict.createdDateTime | Timestamp when the image registry verdict evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.image.registry.verdict.detailedRoles | Free-form details of roles for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.remediationStatus | Remediation status for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.remediationStatusDetails | Details about remediation status for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.roles | Entity roles for the image registry verdict. | strings |
| microsoft365.defender.evidence.image.registry.verdict.tags | Custom tags for the image registry verdict evidence. | strings |
| microsoft365.defender.evidence.image.registry.verdict.verdict | Automated investigation decision for the image registry evidence. | strings |
| microsoft365.defender.evidence.image.remediationStatusDetails | Details about remediation status for the container image evidence. | strings |
| microsoft365.defender.evidence.image.tags | Custom tags associated with the container image evidence. | strings |
| microsoft365.defender.evidence.isPrivileged | Whether the entity has privileged status. | booleans |
| microsoft365.defender.evidence.pod.controller.createdDateTime | Timestamp when this controller evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.name | The controller name. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.createdDateTime | Timestamp when this cloud resource evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.detailedRoles | Free-form detailed description of the entity roles in the alert. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.remediationStatus | Remediation status for the cloud resource evidence (e.g., none, remediated, prevented, blocked, notFound, active, pendingApproval, declined, unremediated, running, partiallyRemediated, unknownFutureValue). | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.remediationStatusDetails | Details about the remediation status for the cloud resource evidence. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.roles | The role(s) the cloud resource entity represents in the alert. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.tags | Custom tags associated with the cloud resource evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.cloudResource.verdict | Automated investigation verdict for the cloud resource evidence (e.g., unknown, suspicious, malicious, noThreatsFound, unknownFutureValue). | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.createdDateTime | Timestamp when this cluster evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.distribution | The distribution type of the Kubernetes cluster. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.name | The cluster name. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.platform | The platform the cluster runs on (e.g., unknown, aks, eks, gke, arc, unknownFutureValue). | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.remediationStatusDetails | Details about the remediation status for the cluster evidence. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.tags | Custom tags associated with the cluster evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.cluster.version | The Kubernetes version of the cluster. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.createdDateTime | Timestamp when this namespace evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.controller.namespace.name | The Kubernetes namespace name. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.remediationStatusDetails | Details about the remediation status for the namespace evidence. | strings |
| microsoft365.defender.evidence.pod.controller.namespace.tags | Custom tags associated with the namespace evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.remediationStatusDetails | Details about the remediation status for the controller evidence. | strings |
| microsoft365.defender.evidence.pod.controller.tags | Custom tags associated with the controller evidence instance. | strings |
| microsoft365.defender.evidence.pod.controller.type | The controller type. | strings |
| microsoft365.defender.evidence.pod.createdDateTime | Timestamp when this pod evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.name | The pod name. | strings |
| microsoft365.defender.evidence.pod.podIp.countryLetterCode | Two-letter ISO 3166 country code associated with the pod IP. | strings |
| microsoft365.defender.evidence.pod.podIp.ipAddress | Pod IP address (IPv4 or IPv6). | strings |
| microsoft365.defender.evidence.pod.remediationStatusDetails | Details about the remediation status for the pod evidence. | strings |
| microsoft365.defender.evidence.pod.serviceAccount.createdDateTime | Timestamp when this service account evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.pod.serviceAccount.name | The service account name. | strings |
| microsoft365.defender.evidence.pod.serviceAccount.remediationStatusDetails | Details about the remediation status for the service account evidence. | strings |
| microsoft365.defender.evidence.pod.serviceAccount.tags | Custom tags associated with the service account evidence instance. | strings |
| microsoft365.defender.evidence.pod.tags | Custom tags associated with the pod evidence instance. | strings |
| microsoft365.defender.evidence.imageId | Unique identifier of the container image entity. | strings |
| microsoft365.defender.evidence.registry.createdDateTime | Timestamp when this registry evidence was created and added to the alert (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.registry.registry | The registry URI. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.createdDateTime | Timestamp when the remediation status evidence entry for the registry was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.registry.remediationStatus.detailedRoles | Free-form detailed description of registry entity roles. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.remediationStatus | Remediation status for the registry evidence. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.remediationStatusDetails | Details about the remediation status for the registry evidence. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.roles | The role(s) the registry entity represents in the alert. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.tags | Custom tags associated with the registry remediation status evidence instance. | strings |
| microsoft365.defender.evidence.registry.remediationStatus.verdict | Automated investigation verdict for the registry evidence. | strings |
| microsoft365.defender.evidence.registry.remediationStatusDetails | Details about the remediation status for the registry evidence (inherited). | strings |
| microsoft365.defender.evidence.registry.roles.createdDateTime | Timestamp when registry roles evidence was created (UTC, ISO 8601). | pdates |
| microsoft365.defender.evidence.registry.roles.detailedRoles | Free-form detailed description of roles for the registry entity. | strings |
| microsoft365.defender.evidence.registry.roles.remediationStatus | Remediation status for the registry entity roles. | |
strings
microsoft365.defender.evidence.registry.roles.remediationStatusDetails
Details about the remediation status for registry roles evidence.
strings
microsoft365.defender.evidence.registry.roles.roles
The role(s) the registry entity represents in the alert.
strings
microsoft365.defender.evidence.registry.roles.tags
Custom tags associated with the registry roles evidence instance.
strings
microsoft365.defender.evidence.registry.roles.verdict
Automated investigation verdict for the registry roles evidence.
strings
microsoft365.defender.evidence.registry.tags
Custom tags associated with the registry evidence instance.
strings
microsoft365.defender.evidence.registry.verdict.createdDateTime
Timestamp when registry verdict evidence was created (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.registry.verdict.detailedRoles
Free-form detailed description of roles for the registry verdict evidence.
strings
microsoft365.defender.evidence.registry.verdict.remediationStatus
Remediation status for the registry verdict evidence.
strings
microsoft365.defender.evidence.registry.verdict.remediationStatusDetails
Details about the remediation status for the registry verdict evidence.
strings
microsoft365.defender.evidence.registry.verdict.roles
The role(s) represented by the registry verdict evidence.
strings
microsoft365.defender.evidence.registry.verdict.tags
Custom tags associated with the registry verdict evidence instance.
strings
microsoft365.defender.evidence.registry.verdict.verdict
Automated investigation verdict value for the registry evidence.
strings
microsoft365.defender.evidence.registry
The registry URI.
strings
microsoft365.defender.evidence.azureAdDeviceId
Microsoft Entra (Azure AD) device ID assigned when the device is Entra joined.
strings
microsoft365.defender.evidence.defenderAvStatus
State of the Defender AntiMalware engine for the device.
strings
microsoft365.defender.evidence.deviceDnsName
Fully qualified domain name (FQDN) of the device.
strings
microsoft365.defender.evidence.dnsDomain
DNS domain the device belongs to (labels separated by dots).
strings
microsoft365.defender.evidence.firstSeenDateTime
Timestamp when the device was first seen.
pdates
microsoft365.defender.evidence.healthStatus
Health state of the device (e.g., active, inactive, impairedCommunication, noSensorData, unknown).
strings
microsoft365.defender.evidence.hostName
Hostname of the device without the domain suffix.
strings
microsoft365.defender.evidence.ipInterfaces
IP interfaces of the device during the alert timeframe.
strings
microsoft365.defender.evidence.loggedOnUsers.accountName
User account name of a logged-on user.
strings
microsoft365.defender.evidence.loggedOnUsers.domainName
Account domain of a logged-on user.
strings
microsoft365.defender.evidence.mdeDeviceId
Microsoft Defender for Endpoint device identifier.
strings
microsoft365.defender.evidence.ntDomain
Windows NT domain of the device.
strings
microsoft365.defender.evidence.onboardingStatus
Onboarding status to Microsoft Defender for Endpoint.
strings
microsoft365.defender.evidence.osBuild
Operating system build version number of the device.
plongs
microsoft365.defender.evidence.osPlatform
Operating system platform of the device.
strings
microsoft365.defender.evidence.rbacGroupId
RBAC device group numeric identifier.
pints
microsoft365.defender.evidence.rbacGroupName
Name of the RBAC device group.
strings
microsoft365.defender.evidence.riskScore
Device risk score as evaluated by Microsoft Defender for Endpoint.
strings
microsoft365.defender.evidence.version
Operating system version of the device.
strings
microsoft365.defender.evidence.vmMetadata.cloudProvider
Cloud provider hosting the VM (e.g., unknown, azure, unknownFutureValue).
strings
microsoft365.defender.evidence.vmMetadata.resourceId
Azure resource unique identifier.
strings
microsoft365.defender.evidence.vmMetadata.subscriptionId
Azure subscription unique identifier for the tenant.
strings
microsoft365.defender.evidence.vmMetadata.vmId
Unique identifier of the virtual machine instance.
strings
microsoft365.defender.evidence.detectionStatus
Detection status (e.g., detected, blocked, prevented, unknownFutureValue).
strings
microsoft365.defender.evidence.fileDetails.fileName
File name.
strings
microsoft365.defender.evidence.fileDetails.filePath
File path (location) of the file instance.
strings
microsoft365.defender.evidence.fileDetails.filePublisher
Publisher of the file.
strings
microsoft365.defender.evidence.fileDetails.fileSize
Size of the file in bytes.
plongs
microsoft365.defender.evidence.fileDetails.issuer
Certificate authority that issued the file's certificate.
strings
microsoft365.defender.evidence.fileDetails.md5
MD5 cryptographic hash of the file content.
strings
microsoft365.defender.evidence.fileDetails.sha1
SHA-1 cryptographic hash of the file content.
strings
microsoft365.defender.evidence.fileDetails.sha256
SHA-256 cryptographic hash of the file content.
strings
microsoft365.defender.evidence.fileDetails.sha265Ac
SHA-256Ac cryptographic hash of the file content.
strings
microsoft365.defender.evidence.fileDetails.signer
Signer of the signed file.
strings
microsoft365.defender.evidence.location
Zone or region where the resource is located.
strings
microsoft365.defender.evidence.locationType
Type of location (e.g., unknown, regional, zonal, global, unknownFutureValue).
strings
microsoft365.defender.evidence.projectId
Google project ID as defined by the user.
strings
microsoft365.defender.evidence.projectNumber
Google-assigned project number.
plongs
microsoft365.defender.evidence.ioTHub.createdDateTime
Timestamp when the IoT Hub evidence was created and added to the alert (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.ioTHub.remediationStatus.createdDateTime
Timestamp when the IoT Hub remediation status evidence entry was created (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.ioTHub.remediationStatus.detailedRoles
Free-form detailed descriptions of the entity roles within the alert.
strings
microsoft365.defender.evidence.ioTHub.remediationStatus.remediationStatus
Remediation status values for the evidence entity.
strings
microsoft365.defender.evidence.ioTHub.remediationStatus.remediationStatusDetails
Details about the remediation status.
strings
microsoft365.defender.evidence.ioTHub.remediationStatus.roles
Evidence roles represented by the entity in the alert.
strings
microsoft365.defender.evidence.ioTHub.remediationStatus.tags
Custom tags associated with the evidence instance.
strings
microsoft365.defender.evidence.ioTHub.remediationStatus.verdict
Automated investigation verdicts for the evidence entity.
strings
microsoft365.defender.evidence.ioTHub.remediationStatusDetails
Details about the remediation status.
strings
microsoft365.defender.evidence.ioTHub.resourceId
Unique identifier of the Azure resource related to the IoT Hub evidence.
strings
microsoft365.defender.evidence.ioTHub.resourceName
Name of the Azure resource related to the IoT Hub evidence.
strings
microsoft365.defender.evidence.ioTHub.resourceType
Type of the Azure resource related to the IoT Hub evidence.
strings
microsoft365.defender.evidence.ioTHub.roles.createdDateTime
Timestamps when the evidence roles were added to the alert (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.ioTHub.roles.detailedRoles
Free-form detailed role descriptions for the entity within the alert.
strings
microsoft365.defender.evidence.ioTHub.roles.remediationStatus
Remediation status values associated with the evidence roles.
strings
microsoft365.defender.evidence.ioTHub.roles.remediationStatusDetails
Details about remediation status for the evidence roles.
strings
microsoft365.defender.evidence.ioTHub.roles.roles
Evidence roles represented by the entity.
strings
microsoft365.defender.evidence.ioTHub.roles.tags
Custom tags associated with the roles evidence.
strings
microsoft365.defender.evidence.ioTHub.roles.verdict
Automated investigation verdicts associated with the roles.
strings
microsoft365.defender.evidence.ioTHub.tags
Custom tags associated with the IoT Hub evidence instance.
strings
microsoft365.defender.evidence.ioTHub.verdict.createdDateTime
Timestamps when verdict evidence was added to the alert (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.ioTHub.verdict.detailedRoles
Free-form detailed role descriptions in verdict context.
strings
microsoft365.defender.evidence.ioTHub.verdict.remediationStatus
Remediation status values in verdict context.
strings
microsoft365.defender.evidence.ioTHub.verdict.remediationStatusDetails
Details about remediation status in verdict context.
strings
microsoft365.defender.evidence.ioTHub.verdict.roles
Evidence roles represented in verdict context.
strings
microsoft365.defender.evidence.ioTHub.verdict.tags
Custom tags associated with the verdict evidence.
strings
microsoft365.defender.evidence.ioTHub.verdict.verdict
Automated investigation verdict values.
strings
microsoft365.defender.evidence.deviceId
Identifier of the device.
strings
microsoft365.defender.evidence.owners
Owners associated with the device.
strings
microsoft365.defender.evidence.ioTSecurityAgentId
Identifier of the Azure Security Center for IoT agent running on the device.
strings
microsoft365.defender.evidence.deviceType
Type classification of the device (for example, temperature sensor).
strings
microsoft365.defender.evidence.source
Source vendor for the device entity (microsoft or external vendor).
strings
microsoft365.defender.evidence.sourceRef.url
URL reference for the source entity.
strings
microsoft365.defender.evidence.manufacturer
Manufacturer of the device.
strings
microsoft365.defender.evidence.model
Model designation of the device.
strings
microsoft365.defender.evidence.ipAddress.countryLetterCode
ISO 3166 two-letter country code associated with the IP address.
strings
microsoft365.defender.evidence.ipAddress.ipAddress
IP address value (IPv4 or IPv6) associated with the evidence.
strings
microsoft365.defender.evidence.macAddress
MAC address associated with the device or NIC.
strings
microsoft365.defender.evidence.nics.macAddress
MAC address of the network interface card (NIC).
strings
microsoft365.defender.evidence.nics.vlans
Current VLAN identifiers associated with the NIC.
strings
microsoft365.defender.evidence.protocols
List of protocols supported by the device.
strings
microsoft365.defender.evidence.serialNumber
Serial number of the device.
strings
microsoft365.defender.evidence.site
Site location of the device.
strings
microsoft365.defender.evidence.zone
Zone location of the device within a site.
strings
microsoft365.defender.evidence.sensor
Sensor that monitors the device.
strings
microsoft365.defender.evidence.importance
Importance level classification for the IoT device.
strings
microsoft365.defender.evidence.purdueLayer
Purdue model layer classification for the device.
strings
microsoft365.defender.evidence.isProgramming
Indicates whether the device is classified as a programming device.
booleans
microsoft365.defender.evidence.isAuthorized
Indicates whether the device is classified as authorized.
booleans
microsoft365.defender.evidence.isScanner
Indicates whether the device is classified as a scanner.
booleans
microsoft365.defender.evidence.devicePageLink
URL to the device page within Defender for IoT portal.
strings
microsoft365.defender.evidence.deviceSubType
Subtype classification of the device.
strings
microsoft365.defender.evidence.countryLetterCode
ISO 3166 two-letter country code associated with the device.
strings
microsoft365.defender.evidence.ipAddress
IP address value (IPv4 or IPv6) associated with the device.
strings
microsoft365.defender.evidence.cloudResource.createdDateTime
Timestamps when cloud resource evidence was added to the alert (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.cloudResource.detailedRoles
Free-form detailed descriptions of roles for the cloud resource evidence.
strings
microsoft365.defender.evidence.cloudResource.remediationStatus
Remediation status values for the cloud resource evidence.
strings
microsoft365.defender.evidence.cloudResource.remediationStatusDetails
Details about remediation status for the cloud resource evidence.
strings
microsoft365.defender.evidence.cloudResource.roles
Evidence roles represented by the cloud resource.
strings
microsoft365.defender.evidence.cloudResource.tags
Custom tags associated with the cloud resource evidence.
strings
microsoft365.defender.evidence.cloudResource.verdict
Automated investigation verdict values for the cloud resource evidence.
strings
microsoft365.defender.evidence.distribution
Distribution type of the Kubernetes cluster.
strings
microsoft365.defender.evidence.platform
Platform on which the Kubernetes cluster runs (for example, AKS/EKS/GKE).
strings
microsoft365.defender.evidence.namespace.cluster.cloudResource.createdDateTime
Timestamps when the cluster cloud resource evidence was added (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.namespace.cluster.cloudResource.detailedRoles
Free-form role descriptions for the cluster cloud resource.
strings
microsoft365.defender.evidence.namespace.cluster.cloudResource.remediationStatus
Remediation status values for the cluster cloud resource.
strings
microsoft365.defender.evidence.namespace.cluster.cloudResource.remediationStatusDetails
Details about remediation status for the cluster cloud resource.
strings
microsoft365.defender.evidence.namespace.cluster.cloudResource.roles
Evidence roles for the cluster cloud resource.
strings
microsoft365.defender.evidence.namespace.cluster.cloudResource.tags
Custom tags for the cluster cloud resource evidence.
strings
microsoft365.defender.evidence.namespace.cluster.cloudResource.verdict
Automated investigation verdict values for the cluster cloud resource.
strings
microsoft365.defender.evidence.namespace.cluster.createdDateTime
Timestamps when cluster evidence was added (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.namespace.cluster.distribution
Distribution type of the cluster.
strings
microsoft365.defender.evidence.namespace.cluster.name
Name of the Kubernetes cluster.
strings
microsoft365.defender.evidence.namespace.cluster.platform
Platform on which the cluster runs.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatus.createdDateTime
Timestamps when the remediation status evidence for the cluster was added (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.namespace.cluster.remediationStatus.detailedRoles
Free-form detailed role descriptions in the cluster remediation status context.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatus.remediationStatus
Remediation status values in the cluster context.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatus.remediationStatusDetails
Details about the remediation status in the cluster context.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatus.roles
Roles represented in the cluster remediation status context.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatus.tags
Tags associated with the cluster remediation status evidence.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatus.verdict
Automated investigation verdict values in the cluster context.
strings
microsoft365.defender.evidence.namespace.cluster.remediationStatusDetails
Details about the remediation status for the cluster.
strings
microsoft365.defender.evidence.namespace.cluster.roles.createdDateTime
Timestamps when cluster role evidence was added (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.namespace.cluster.roles.detailedRoles
Free-form detailed role descriptions for the cluster.
strings
microsoft365.defender.evidence.namespace.cluster.roles.remediationStatus
Remediation status values for the cluster roles.
strings
microsoft365.defender.evidence.namespace.cluster.roles.remediationStatusDetails
Details about remediation status for the cluster roles.
strings
microsoft365.defender.evidence.namespace.cluster.roles.roles
Evidence roles represented in the cluster.
strings
microsoft365.defender.evidence.namespace.cluster.roles.tags
Custom tags associated with the cluster roles evidence.
strings
microsoft365.defender.evidence.namespace.cluster.roles.verdict
Automated investigation verdict values for the cluster roles.
strings
microsoft365.defender.evidence.namespace.cluster.tags
Custom tags associated with the cluster evidence.
strings
microsoft365.defender.evidence.namespace.cluster.verdict.createdDateTime
Timestamps when cluster verdict evidence was added (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.namespace.cluster.verdict.detailedRoles
Free-form detailed role descriptions for the cluster verdict context.
strings
microsoft365.defender.evidence.namespace.cluster.verdict.remediationStatus
Remediation status values for the cluster verdict context.
strings
microsoft365.defender.evidence.namespace.cluster.verdict.remediationStatusDetails
Details about remediation status in the cluster verdict context.
strings
microsoft365.defender.evidence.namespace.cluster.verdict.roles
Evidence roles represented in the cluster verdict context.
strings
microsoft365.defender.evidence.namespace.cluster.verdict.tags
Custom tags associated with the cluster verdict evidence.
strings
microsoft365.defender.evidence.namespace.cluster.verdict.verdict
Automated investigation verdict values for the cluster.
strings
microsoft365.defender.evidence.namespace.cluster.version
Kubernetes version of the cluster.
strings
microsoft365.defender.evidence.namespace.createdDateTime
Timestamps when namespace evidence was added (UTC, ISO 8601).
pdates
microsoft365.defender.evidence.namespace.name
Kubernetes namespace name.
strings
microsoft365.defender.evidence.namespace.remediationStatusDetails
Details about the remediation status for the namespace.
strings
microsoft365.defender.evidence.namespace.tags
Custom tags associated with the namespace evidence.
strings
microsoft365.defender.evidence.type
The controller type for the evidence entity.
strings
microsoft365.defender.evidence.cluster.cloudResource.createdDateTime
UTC time the cloud resource evidence was created and added to the alert (ISO 8601).
pdates
microsoft365.defender.evidence.cluster.cloudResource.detailedRoles
Free-form detailed descriptions of the entity's roles in the alert.
strings
microsoft365.defender.evidence.cluster.cloudResource.remediationStatus
Status of the remediation action taken for the cloud resource evidence.
strings
microsoft365.defender.evidence.cluster.cloudResource.remediationStatusDetails
Details about the remediation status for the cloud resource evidence.
strings
microsoft365.defender.evidence.cluster.cloudResource.roles
Roles the cloud resource evidence represents in the alert.
strings
microsoft365.defender.evidence.cluster.cloudResource.tags
Custom tags associated with the cloud resource evidence instance.
strings
microsoft365.defender.evidence.cluster.cloudResource.verdict
Automated investigation verdict for the cloud resource evidence.
strings
microsoft365.defender.evidence.cluster.createdDateTime
UTC time the cluster evidence was created and added to the alert (ISO 8601).
pdates
microsoft365.defender.evidence.cluster.distribution
Distribution type of the Kubernetes cluster.
strings
microsoft365.defender.evidence.cluster.name
The Kubernetes cluster name.
strings
microsoft365.defender.evidence.cluster.platform
Platform the cluster runs on (for example: aks, eks, gke, arc).
strings
microsoft365.defender.evidence.cluster.remediationStatus.createdDateTime
UTC time the remediation status evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.cluster.remediationStatus.detailedRoles
Free-form detailed roles associated with remediation status.
strings
microsoft365.defender.evidence.cluster.remediationStatus.remediationStatus
Remediation action status for the cluster evidence.
strings
microsoft365.defender.evidence.cluster.remediationStatus.remediationStatusDetails
Details about the remediation status for the cluster evidence.
strings
microsoft365.defender.evidence.cluster.remediationStatus.roles
Roles represented by the cluster evidence in the alert context.
strings
microsoft365.defender.evidence.cluster.remediationStatus.tags
Custom tags associated with the remediation status evidence.
strings
microsoft365.defender.evidence.cluster.remediationStatus.verdict
Automated investigation verdict for the remediation status evidence.
strings
microsoft365.defender.evidence.cluster.remediationStatusDetails
Details about the remediation status for the cluster evidence.
strings
microsoft365.defender.evidence.cluster.roles.createdDateTime
UTC time the roles evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.cluster.roles.detailedRoles
Free-form detailed roles for the cluster evidence.
strings
microsoft365.defender.evidence.cluster.roles.remediationStatus
Remediation status associated with the cluster roles.
strings
microsoft365.defender.evidence.cluster.roles.remediationStatusDetails
Details about the remediation status associated with cluster roles.
strings
microsoft365.defender.evidence.cluster.roles.roles
Roles represented by the cluster evidence.
strings
microsoft365.defender.evidence.cluster.roles.tags
Custom tags associated with the cluster roles evidence.
strings
microsoft365.defender.evidence.cluster.roles.verdict
Automated investigation verdict associated with cluster roles.
strings
microsoft365.defender.evidence.cluster.tags
Custom tags associated with the cluster evidence.
strings
microsoft365.defender.evidence.cluster.verdict.createdDateTime
UTC time the verdict evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.cluster.verdict.detailedRoles
Free-form detailed roles associated with the verdict.
strings
microsoft365.defender.evidence.cluster.verdict.remediationStatus
Remediation status associated with the verdict.
strings
microsoft365.defender.evidence.cluster.verdict.remediationStatusDetails
Details about the remediation status associated with the verdict.
strings
microsoft365.defender.evidence.cluster.verdict.roles
Roles represented in the verdict evidence.
strings
microsoft365.defender.evidence.cluster.verdict.tags
Custom tags associated with the verdict evidence.
strings
microsoft365.defender.evidence.cluster.verdict.verdict
Automated investigation verdict value for the cluster evidence.
strings
microsoft365.defender.evidence.cluster.version
Kubernetes version of the cluster.
strings
microsoft365.defender.evidence.containers.args
List of container arguments.
strings
microsoft365.defender.evidence.containers.command
List of container commands.
strings
microsoft365.defender.evidence.containers.containerId
Container identifier.
strings
microsoft365.defender.evidence.containers.createdDateTime
UTC time the container evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.containers.image.createdDateTime
UTC time the container image evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.containers.image.imageId
Unique identifier (e.g., digest) for the container image.
strings
microsoft365.defender.evidence.containers.image.registry.createdDateTime
UTC time the registry evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.containers.image.registry.registry
Registry URI associated with the container image.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatus.createdDateTime
UTC time the remediation status evidence for the registry was created (ISO 8601).
pdates
microsoft365.defender.evidence.containers.image.registry.remediationStatus.detailedRoles
Free-form detailed roles for the registry remediation status.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatus.remediationStatus
Remediation status for the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatus.remediationStatusDetails
Details about the remediation status for the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatus.roles
Roles represented by the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatus.tags
Custom tags associated with the image registry remediation status.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatus.verdict
Automated investigation verdict for the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.remediationStatusDetails
Details about the remediation status for the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.roles.createdDateTime
UTC time the registry roles evidence was created (ISO 8601).
pdates
microsoft365.defender.evidence.containers.image.registry.roles.detailedRoles
Free-form detailed roles for the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.roles.remediationStatus
Remediation status for the image registry roles evidence.
strings
microsoft365.defender.evidence.containers.image.registry.roles.remediationStatusDetails
Details about the remediation status for the image registry roles evidence.
strings
microsoft365.defender.evidence.containers.image.registry.roles.roles
Roles represented by the image registry roles evidence.
strings
microsoft365.defender.evidence.containers.image.registry.roles.tags
Custom tags associated with the image registry roles evidence.
strings
microsoft365.defender.evidence.containers.image.registry.roles.verdict
Automated investigation verdict for the image registry roles evidence.
strings
microsoft365.defender.evidence.containers.image.registry.tags
Custom tags associated with the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.registry.verdict.createdDateTime
UTC time the image registry verdict evidence was created (ISO 8601).
pdates
microsoft365.defender.evidence.containers.image.registry.verdict.detailedRoles
Free-form detailed roles associated with the image registry verdict.
strings
microsoft365.defender.evidence.containers.image.registry.verdict.remediationStatus
Remediation status associated with the image registry verdict.
strings
microsoft365.defender.evidence.containers.image.registry.verdict.remediationStatusDetails
Details about the remediation status associated with the image registry verdict.
strings
microsoft365.defender.evidence.containers.image.registry.verdict.roles
Roles represented in the image registry verdict evidence.
strings
microsoft365.defender.evidence.containers.image.registry.verdict.tags
Custom tags associated with the image registry verdict evidence.
strings
microsoft365.defender.evidence.containers.image.registry.verdict.verdict
Automated investigation verdict value for the image registry evidence.
strings
microsoft365.defender.evidence.containers.image.remediationStatusDetails
Details about the remediation status for the container image evidence.
strings
microsoft365.defender.evidence.containers.image.tags
Custom tags associated with the container image evidence.
strings
microsoft365.defender.evidence.containers.isPrivileged
Privileged status of the container.
booleans
microsoft365.defender.evidence.containers.name
Container name.
strings
microsoft365.defender.evidence.containers.remediationStatusDetails
Details about the remediation status for the container evidence.
strings
microsoft365.defender.evidence.containers.tags
Custom tags associated with the container evidence.
strings
microsoft365.defender.evidence.controller.createdDateTime
UTC time the controller evidence was created and added (ISO 8601).
pdates
microsoft365.defender.evidence.controller.name
Controller name.
strings
microsoft365.defender.evidence.controller.remediationStatusDetails
Details about the remediation status for the controller evidence.
strings
microsoft365.defender.evidence.controller.tags
Custom tags associated with the controller evidence.
strings
microsoft365.defender.evidence.controller.type
Controller type.
strings
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.createdDateTime
UTC time the namespace cluster cloud resource evidence was created (ISO 8601).
pdates
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.detailedRoles
Free-form detailed roles for the namespace cluster cloud resource.
strings
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.remediationStatus
Remediation status for the namespace cluster cloud resource.
strings
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.remediationStatusDetails
Details about remediation status for the namespace cluster cloud resource.
strings
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.roles
Roles represented by the namespace cluster cloud resource.
strings
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.tags
Custom tags for the namespace cluster cloud resource.
strings
microsoft365.defender.evidence.controller.namespace.cluster.cloudResource.verdict
Automated investigation verdict for the namespace cluster cloud resource.
strings
microsoft365.defender.evidence.controller.namespace.cluster.createdDateTime
UTC time the namespace cluster evidence was created (ISO 8601).
pdates
microsoft365.defender.evidence.controller.namespace.cluster.distribution
Distribution type of the namespace's cluster.
strings
microsoft365.defender.evidence.controller.namespace.cluster.name
Name of the cluster for the controller's namespace.
strings
microsoft365.defender.evidence.controller.namespace.cluster.platform
Platform on which the namespace's cluster runs.
strings
microsoft365.defender.evidence.controller.namespace.cluster.remediationStatusDetails
Details about remediation status for the namespace's cluster.
strings
microsoft365.defender.evidence.controller.namespace.cluster.tags
Custom tags associated with the namespace's cluster.
strings
microsoft365.defender.evidence.controller.namespace.cluster.version
Kubernetes version of the namespace's cluster.
strings
microsoft365.defender.evidence.controller.namespace.createdDateTime
UTC time the namespace evidence was created (ISO 8601).
pdates
microsoft365.defender.evidence.controller.namespace.name
Kubernetes namespace name for the controller.
strings
microsoft365.defender.evidence.controller.namespace.remediationStatusDetails
Details about the remediation status for the controller's namespace.
strings
microsoft365.defender.evidence.controller.namespace.tags
Custom tags associated with the controller's namespace.
strings
microsoft365.defender.evidence.podIp.countryLetterCode
Two-letter country code (ISO 3166) associated with the pod IP.
strings
microsoft365.defender.evidence.podIp.ipAddress
Pod IP address (IPv4 or IPv6).
strings
microsoft365.defender.evidence.serviceAccount.createdDateTime
UTC time the service account evidence was created (ISO 8601).
pdates
microsoft365.defender.evidence.serviceAccount.name
Service account name.
strings
microsoft365.defender.evidence.serviceAccount.remediationStatusDetails
Details about the remediation status of the service account evidence.
strings
microsoft365.defender.evidence.serviceAccount.tags
Custom tags associated with the service account evidence.
strings
microsoft365.defender.evidence.secretType
Secret type(s), including built-in and custom Kubernetes secret kinds.
strings
microsoft365.defender.evidence.clusterIP.countryLetterCode
Two-letter ISO 3166 country code for the cluster IP.
strings
microsoft365.defender.evidence.clusterIP.ipAddress
Cluster IP address (IPv4 or IPv6).
strings
microsoft365.defender.evidence.servicePorts.appProtocol
Application protocol associated with the service port.
strings
microsoft365.defender.evidence.servicePorts.name
Name of the service port.
strings
microsoft365.defender.evidence.servicePorts.nodePort
NodePort on which the service is exposed.
pints
microsoft365.defender.evidence.servicePorts.port
Service port exposed by the service.
pints
microsoft365.defender.evidence.servicePorts.protocol
Transport protocol used by the service port.
strings
microsoft365.defender.evidence.servicePorts.targetPort
Target port (name or number) on the pods selected by the service.
strings
microsoft365.defender.evidence.serviceType
Kubernetes service type for the evidence.
strings
microsoft365.defender.evidence.clusterBy
Clustering logic used for grouping similar emails.
strings
microsoft365.defender.evidence.clusterByValue
Value used as the basis for clustering similar emails.
strings
microsoft365.defender.evidence.emailCount
Number of emails in the email cluster.
plongs
microsoft365.defender.evidence.networkMessageIds
Microsoft 365-generated identifiers for messages in the cluster.
strings
microsoft365.defender.evidence.query
Query used to identify the email cluster.
strings
microsoft365.defender.evidence.primaryAddress
Primary email address of the mailbox.
strings
microsoft365.defender.evidence.upn
User principal name of the mailbox.
strings
microsoft365.defender.evidence.userAccount.accountName
Displayed name of the user account.
strings
microsoft365.defender.evidence.userAccount.azureAdUserId
User object identifier in Microsoft Entra ID.
strings
microsoft365.defender.evidence.userAccount.displayName
Display name of the user in Microsoft Entra ID.
strings
microsoft365.defender.evidence.userAccount.domainName
Active Directory domain name of the user.
strings
microsoft365.defender.evidence.userAccount.resourceAccessEvents.accessDateTime
Timestamp of the resource access event (UTC).
pdates
microsoft365.defender.evidence.userAccount.resourceAccessEvents.accountId
Identifier of the user account for the access event.
strings
microsoft365.defender.evidence.userAccount.resourceAccessEvents.ipAddress
IP address of the accessed resource.
strings
microsoft365.defender.evidence.userAccount.resourceAccessEvents.resourceIdentifier
Protocol and host name pair describing the accessed resource.
strings
microsoft365.defender.evidence.userAccount.userPrincipalName
User principal name of the account in Microsoft Entra ID.
strings
microsoft365.defender.evidence.userAccount.userSid
Local security identifier (SID) of the user account.
strings
microsoft365.defender.evidence.vlans
Current VLAN identifiers associated with the NIC.
strings
microsoft365.defender.evidence.objectId
Unique identifier of the application object in Microsoft Entra ID.
strings
microsoft365.defender.evidence.publisher
Name of the application publisher.
strings
microsoft365.defender.evidence.imageFile.fileName
File name of the image (executable/library).
strings
microsoft365.defender.evidence.imageFile.filePath
File path of the image instance.
strings
microsoft365.defender.evidence.imageFile.filePublisher
Publisher of the image file.
strings
microsoft365.defender.evidence.imageFile.fileSize
Size of the image file in bytes.
plongs
microsoft365.defender.evidence.imageFile.issuer
Certificate authority (issuer) for the file's signature.
strings
microsoft365.defender.evidence.imageFile.md5
MD5 cryptographic hash of the file content.
strings
microsoft365.defender.evidence.imageFile.sha1
SHA-1 cryptographic hash of the file content.
strings
microsoft365.defender.evidence.imageFile.sha256
SHA-256 cryptographic hash of the file content.
strings
microsoft365.defender.evidence.imageFile.sha265Ac
SHA-256Ac cryptographic hash of the file content.
strings
microsoft365.defender.evidence.imageFile.signer
Signer of the signed file.
strings
microsoft365.defender.evidence.parentProcessCreationDateTime
UTC creation time of the parent process.
pdates
microsoft365.defender.evidence.parentProcessId
Process ID (PID) of the parent process.
plongs
microsoft365.defender.evidence.processCommandLine
Command line used to create the process.
strings
microsoft365.defender.evidence.processCreationDateTime
UTC creation time of the process.
pdates
microsoft365.defender.evidence.processId
Process ID (PID) of the process.
plongs
microsoft365.defender.evidence.registryHive
Registry hive of the key involved in the recorded action.
strings
microsoft365.defender.evidence.registryKey
Registry key path involved in the recorded action.
strings
microsoft365.defender.evidence.registryValue
Data stored in the registry value at the time of the recorded action.
strings
microsoft365.defender.evidence.registryValueName
Name of the registry value involved in the action.
strings
microsoft365.defender.evidence.registryValueType
Data type of the registry value (e.g., string, binary).
strings
microsoft365.defender.evidence.securityGroupId
Unique identifier of the security group.
strings
microsoft365.defender.evidence.campaignId
Identifier of the campaign the Teams message is part of.
strings
microsoft365.defender.evidence.channelId
Channel ID associated with the Teams message.
strings
microsoft365.defender.evidence.files.detectionStatus
Detection status for the file in context.
strings
microsoft365.defender.evidence.files.fileDetails.fileName
File name associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.filePath
File path associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.filePublisher
File publisher associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.fileSize
Size in bytes of the file associated with the detection evidence.
plongs
microsoft365.defender.evidence.files.fileDetails.issuer
Certificate authority (issuer) of the file associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.md5
MD5 hash of the file associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.sha1
SHA-1 hash of the file associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.sha256
SHA-256 hash of the file associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.sha265Ac
SHA-256Ac hash of the file associated with the detection evidence.
strings
microsoft365.defender.evidence.files.fileDetails.signer
Signer of the signed file associated with the detection evidence.
strings
microsoft365.defender.evidence.files.mdeDeviceId
Microsoft Defender for Endpoint device identifier.
strings
microsoft365.defender.evidence.groupId
Identifier of the team or group that the message is part of.
strings
microsoft365.defender.evidence.isExternal
Indicates whether the message is owned by the reporting organization.
booleans
microsoft365.defender.evidence.isOwned
Indicates whether the message is owned by your organization.
booleans
microsoft365.defender.evidence.lastModifiedDateTime
UTC time when the message was last edited.
pdates
microsoft365.defender.evidence.messageDirection
Direction of the Teams message (e.g., inbound, outbound).
strings
microsoft365.defender.evidence.messageId
Message identifier unique within the thread.
strings
microsoft365.defender.evidence.owningTenantId
Tenant ID (GUID) of the owner of the message.
strings
microsoft365.defender.evidence.parentMessageId
Identifier of the message to which this message is a reply.
strings
microsoft365.defender.evidence.recipients
Recipients of the Teams message.
strings
microsoft365.defender.evidence.senderFromAddress
SMTP address of the sender.
strings
microsoft365.defender.evidence.senderIP
IP address of the sender.
strings
microsoft365.defender.evidence.sourceAppName
Source application of the message (e.g., desktop, mobile).
strings
microsoft365.defender.evidence.sourceId
Source identifier of the Teams message.
strings
microsoft365.defender.evidence.suspiciousRecipients
Recipients detected as suspicious.
strings
microsoft365.defender.evidence.threadId
Identifier of the channel or chat the message is part of.
strings
microsoft365.defender.evidence.threadType
Type of Teams message thread (Chat, Topic, Space, Meeting).
strings
microsoft365.defender.evidence.urls.url
URL contained in the message evidence.
strings
microsoft365.defender.evidence.lastExternalIpAddress
Last observed external (public/NAT) IP address associated with the evidence entity.
string
microsoft365.defender.evidence.lastIpAddress
Last observed internal IP address associated with the evidence entity.
string
microsoft365.defender.evidence._odata.type
OData type name that identifies the concrete evidence type.
string

Sample Log Event

Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.