Microsoft Defender XDR Logs (Beta)
Connecting Microsoft Defender XDR logs to your Panther Console
Overview
Panther supports ingesting Microsoft Defender XDR logs via common Data Transport options, like Azure Event Hub and Blob Storage.
How to onboard Microsoft Defender XDR logs to Panther
You'll first create an Azure Blob Storage or Azure Event Hub source in Panther, then configure Azure to export logs to that location.
Prerequisites
Before onboarding Microsoft Defender XDR logs to Panther, ensure that:
You have an Azure subscription and your user has an Owner or Contributor role.
If you plan to ingest your Defender XDR logs through the Event Hub Data Transport, you have already created an Event Hubs namespace and Event Hub (as specified in the prerequisites).
If you plan to ingest your Defender XDR logs through the Blob Storage Data Transport, it's not necessary to have already created a storage account.
Your user has permission to publish messages to your Event Hubs namespace or storage account.
Step 1: Create the Microsoft Defender XDR source in Panther
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Microsoft Defender XDR,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the Azure Event Hub option. Either leave this selection as-is, or select Azure Blob Storage.
Click Start Setup.
Follow Panther's instructions for configuring an Azure Event Hub or Azure Blob Storage Source.
If you choose Azure Blob Storage and, in Step 2: Create required Azure infrastructure of those instructions, create your Azure resources manually (instead of using Terraform), skip the step that creates an Azure container: one is created automatically in your storage account in Step 2, below.
Step 2: Export Microsoft Defender XDR logs with a streaming API
To export Microsoft Defender XDR logs to Event Hubs or a storage account, follow the instructions below.
In your Azure Portal, navigate to the Microsoft Defender portal at https://security.microsoft.com/.
In the left-hand navigation bar, click Settings.
Click Microsoft Defender XDR.
Under General, click Streaming API.
Under Streaming API, click + Add.
Fill out the form:
Name: Enter a descriptive name, e.g., Panther forwarder.
Select either Forward events to Azure Storage or Forward events to Event Hub, based on the type of log source you created in Panther in Step 1.
If you select Forward events to Azure Storage, in the Storage account Resource ID field, enter the ID of your storage account.
If you select Forward events to Event Hub, in the Event-Hub Resource ID field, enter the ID of your event hub.
Event Types: Select the log categories you'd like to send to Panther. See a full list of event types here.
Click Submit.
Supported log types
MicrosoftDefenderXDR.AdvancedHunting
schema: MicrosoftDefenderXDR.AdvancedHunting
description: Advanced hunting schema for Microsoft Defender XDR
referenceURL: https://learn.microsoft.com/en-us/defender-xdr/streaming-api-storage#the-schema-of-the-events-in-the-storage-account
fields:
  - name: _TimeReceivedBySvc
    type: timestamp
    timeFormats:
      - rfc3339
      - '%Y-%m-%d %H:%M:%S.%N'
      - '%Y-%m-%dT%H:%M:%S.%N'
  - name: operationName
    type: string
  - name: Tenant
    type: string
  - name: time
    required: true
    description: The time Microsoft Defender XDR received the event
    type: timestamp
    timeFormats:
      - rfc3339
      - '%Y-%m-%d %H:%M:%S.%N'
  - name: tenantId
    required: true
    description: The tenant ID of the organization
    type: string
  - name: category
    required: true
    description: The Advanced Hunting table name with 'AdvancedHunting-' prefix
    type: string
  - name: properties
    required: true
    description: Microsoft Defender XDR Advanced Hunting event properties (https://learn.microsoft.com/en-us/defender-xdr/supported-event-types#hunting-tables-support-status-in-event-streaming-api)
    type: object
    fields:
      - name: AadDeviceId
        description: Unique identifier for the device in Microsoft Entra ID
        type: string
      - name: AccountDisplayName
        description: Display name of the account involved in the logon
        type: string
      - name: AccountDomain
        description: Domain of the account that performed the change
        type: string
        indicators:
          - domain
      - name: AccountId
        description: Identifier for the account from Microsoft Defender for Cloud Apps
        type: string
      - name: AccountName
        description: Name of the account that performed the change
        type: string
      - name: AccountObjectId
        description: Microsoft Entra ID object ID of the account that performed the change
        type: string
      - name: AccountSid
        description: SID of the account that performed the change
        type: string
      - name: AccountType
        description: Type of user account (Regular, System, Admin, Application)
        type: string
      - name: AccountUpn
        description: UPN of the account that performed the change
        type: string
        indicators:
          - email
      - name: ActionType
        description: Type of directory change (e.g., AddMember, RemoveMember, ModifyGroup)
        type: string
      - name: ActivityObjects
        description: List of objects involved in the recorded activity
        type: json
      - name: ActivityType
        description: Type of activity that triggered the event
        type: string
      - name: AdditionalFields
        description: Additional metadata in JSON array format
        type: json
        isEmbeddedJSON: true
      - name: AlertId
        description: The unique identifier of the alert
        type: string
      - name: AppGuardContainerId
        description: Identifier for the virtualized container used by Application Guard
        type: string
      - name: AppInstanceId
        description: Unique identifier for the instance of an application
        type: int
      - name: Application
        description: Application that performed the recorded action
        type: string
      - name: ApplicationId
        description: The unique identifier of the application
        type: bigint
      - name: AssetValue
        description: Business value assigned to the device (Low, Normal, High)
        type: string
      - name: AttachmentCount
        description: Number of attachments in the email
        type: int
      - name: AttachmentId
        description: Unique identifier for the attachment
        type: string
      - name: AttackTechniques
        description: The MITRE ATT&CK techniques associated with the alert
        type: array
        element:
          type: string
          indicators:
            - ip
        isEmbeddedJSON: true
      - name: AuditSource
        description: Audit data source (e.g., session control, app connector)
        type: string
      - name: AuthenticationDetails
        description: List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth)
        type: string
      - name: AwsResourceName
        description: AWS resource name for the device
        type: string
      - name: AzureResourceId
        description: Azure resource ID linked to the device
        type: string
      - name: AzureVmId
        description: Azure VM ID assigned to the device
        type: string
      - name: AzureVmSubscriptionId
        description: Azure subscription ID for the device
        type: string
      - name: BehaviorId
        description: Unique identifier for the behavior
        type: string
      - name: BulkComplaintLevel
        description: Threshold assigned to email from bulk mailers, a high bulk complaint level (BCL) means the email is more likely to generate complaints, and thus more likely to be spam
        type: int
      - name: Categories
        description: List of categories that the information belongs to, in JSON array format
        type: json
        isEmbeddedJSON: true
      - name: Category
        description: Type of threat indicator or breach activity identified by the alert
        type: string
      - name: CertificateCountersignatureTime
        description: Date and time the certificate was countersigned
        type: timestamp
        timeFormats:
          - rfc3339
      - name: CertificateCreationTime
        description: Date and time the certificate was created
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
      - name: CertificateExpirationTime
        description: Date and time the certificate will expire
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
      - name: CertificateSerialNumber
        description: Unique identifier for the certificate issued by the CA
        type: string
      - name: City
        description: City where the client IP address is geolocated
        type: string
      - name: ClickAction
        description: Type of user interaction with the URL (e.g., ClickedThrough, Blocked)
        type: string
      - name: ClickVerdict
        description: Final verdict (e.g., Malicious, Clean) returned when the URL was clicked
        type: string
      - name: ClientVersion
        description: Version of the endpoint agent or sensor running on the device
        type: string
      - name: CloudPlatform
        description: The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform
        type: string
      - name: CloudPlatforms
        description: Cloud platforms the device belongs to
        type: string
      - name: CloudResource
        description: The cloud resource name associated with the event
        type: string
      - name: ClusterId
        description: Cluster ID used to associate emails during investigations
        type: string
      - name: ConfidenceLevel
        description: List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low".
        type: string
      - name: ConnectedNetwork
        description: Network name or SSID associated with the connection
        type: string
      - name: ConnectionType
        description: Type of network connection (e.g., Ethernet, Wi-Fi, Loopback)
        type: string
      - name: ConnectivityType
        description: Type of connectivity from the device to the cloud
        type: string
      - name: Connectors
        description: Custom instructions that define organizational mail flow and how the email was routed
        type: string
      - name: CountryCode
        description: Two-letter code for the country where the IP is geolocated
        type: string
      - name: CreatedProcessSessionId
        description: Windows session ID of the created process
        type: bigint
      - name: CrlDistributionPointUrls
        description: URLs to network shares containing certificates or CRLs
        type: json
      - name: DHCPServer
        description: IP address of the DHCP server used by the device
        type: string
        indicators:
          - ip
      - name: DNSAddresses
        description: List of DNS servers configured on the device, separated by semicolons
        type: array
        element:
          type: string
          indicators:
            - ip
        isEmbeddedJSON: true
      - name: DataSources
        description: Products or services that provided information for the behavior
        type: string
      - name: DefaultGateway
        description: Default gateway address used by the device
        type: string
        indicators:
          - ip
      - name: DeliveryAction
        description: Final delivery result for the email
        type: string
      - name: DeliveryLocation
        description: Location where the email was delivered (e.g., Inbox, Junk, Quarantine)
        type: string
      - name: Description
        description: Description of the behavior
        type: string
      - name: DetailedEntityRole
        description: The roles of the entity in the behavior
        type: string
      - name: DetectionMethods
        description: Methods used to detect malware, phishing, or other threats found in the email
        type: string
      - name: DetectionSource
        description: Detection technology or sensor that identified the notable component or activity
        type: string
      - name: DeviceCategory
        description: Classification of the device (Endpoint, IoT, etc.)
        type: string
      - name: DeviceDynamicTags
        description: Dynamically created device tags
        type: string
      - name: DeviceId
        description: Unique identifier for the device in the service
        type: string
      - name: DeviceManualTags
        description: Manually created device tags
        type: string
      - name: DeviceName
        description: Fully qualified domain name (FQDN) of the device where the event occurred
        type: string
      - name: DeviceSubtype
        description: Additional modifier such as tablet or smartphone
        type: string
      - name: DeviceType
        description: Type of device (e.g., workstation, server)
        type: string
      - name: DiscoverySources
        description: Products or services that have seen the device
        type: string
      - name: EmailAction
        description: Action taken on the email (e.g., Delivered, Quarantined)
        type: string
      - name: EmailActionPolicy
        description: Name of the policy that triggered the action
        type: string
      - name: EmailActionPolicyGuid
        description: Unique identifier for the policy that determined the final mail action
        type: string
      - name: EmailActionSource
        description: Source of the action (e.g., User, Microsoft, Admin)
        type: string
      - name: EmailClusterId
        description: Identifier for the group of similar emails clustered based on heuristic analysis of their contents
        type: string
      - name: EmailDirection
        description: Direction of the email (Inbound, Outbound, Intra-org)
        type: string
      - name: EmailLanguage
        description: Detected language of the email content
        type: string
      - name: EmailSubject
        description: Subject of the email containing the URL
        type: string
      - name: EndTime
        description: Date and time of the last activity related to the behavior
        type: timestamp
        timeFormats:
          - rfc3339
      - name: EntityRole
        description: Indicates whether the entity is impacted or merely related
        type: string
      - name: EntityType
        description: Type of object, such as a file, a process, a device, or a user
        type: string
      - name: EvidenceDirection
        description: Indicates whether the entity is the source or the destination of a network connection
        type: string
      - name: EvidenceRole
        description: How the entity is involved in an alert, indicating whether it is impacted or is merely related
        type: string
      - name: ExclusionReason
        description: Reason for device exclusion
        type: string
      - name: ExposureLevel
        description: Vulnerability exposure level (Low, Medium, High)
        type: string
      - name: FailureReason
        description: Information explaining why the recorded action failed
        type: string
      - name: FileExtension
        description: Extension of the attached file
        type: string
      - name: FileName
        description: Name of the file that the recorded action was applied to
        type: string
      - name: FileNames
        description: Names of file attachments
        type: array
        element:
          type: string
      - name: FileOriginIP
        description: IP address where the file was downloaded from
        type: string
        indicators:
          - ip
      - name: FileOriginReferrerUrl
        description: Referrer URL for the file download
        type: string
        indicators:
          - url
      - name: FileOriginUrl
        description: URL where the file was downloaded from
        type: string
        indicators:
          - url
      - name: FileSize
        description: Size of the file in bytes
        type: bigint
      - name: FolderPath
        description: Folder containing the file that the recorded action was applied to
        type: string
      - name: GcpFullResourceName
        description: GCP full resource name for the device
        type: string
      - name: HardwareUuid
        description: Hardware UUID of the device
        type: string
      - name: HostDeviceId
        description: ID of host device if running WSL
        type: string
      - name: IPAddress
        description: IP address assigned to the device during communication
        type: string
        indicators:
          - ip
      - name: IPAddressType
        description: Type of IP address (Public, Private, Reserved, etc.)
        type: string
      - name: IPCategory
        description: Additional information about the IP address
        type: string
      - name: IPTags
        description: Customer-defined tags for IP addresses or ranges
        type: json
      - name: IPv6Address
        description: IPv6 address assigned to the network adapter
        type: string
        indicators:
          - ip
      - name: InitiatingProcessAccountDomain
        description: Domain of the account that ran the initiating process
        type: string
      - name: InitiatingProcessAccountName
        description: User name of the account that ran the initiating process
        type: string
      - name: InitiatingProcessAccountObjectId
        description: Microsoft Entra object ID of the initiating account
        type: string
      - name: InitiatingProcessAccountSid
        description: Security Identifier (SID) of the initiating account
        type: string
      - name: InitiatingProcessAccountUpn
        description: User principal name (UPN) of the initiating account
        type: string
        indicators:
          - email
      - name: InitiatingProcessCommandLine
        description: Command line used to run the initiating process
        type: string
      - name: InitiatingProcessCreationTime
        description: Date and time when the initiating process was started
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
      - name: InitiatingProcessFileName
        description: File name of the initiating process
        type: string
      - name: InitiatingProcessFileSize
        description: Size of the initiating process file in bytes
        type: bigint
      - name: InitiatingProcessFolderPath
        description: Folder path containing the initiating process
        type: string
      - name: InitiatingProcessId
        description: PID of the initiating process
        type: bigint
      - name: InitiatingProcessIntegrityLevel
        description: Integrity level of the process that initiated the event
        type: string
      - name: InitiatingProcessLogonId
        description: Identifier for a logon session of the process that initiated the event
        type: bigint
      - name: InitiatingProcessMD5
        description: MD5 hash of the initiating process
        type: string
        indicators:
          - md5
      - name: InitiatingProcessName
        description: Name of the process that initiated the change
        type: string
      - name: InitiatingProcessParentAccountDomain
        description: Domain of the account that ran the parent process that spawned the process responsible for the event
        type: string
      - name: InitiatingProcessParentAccountName
        description: User name of the account that ran the parent process that spawned the process responsible for the event
        type: string
      - name: InitiatingProcessParentAccountObjectId
        description: Unique identifier for the account in Microsoft Entra ID
        type: string
      - name: InitiatingProcessParentAccountSid
        description: Security Identifier (SID) of the account that ran the parent process that spawned the process responsible for the event
        type: string
      - name: InitiatingProcessParentAccountUpn
        description: User principal name (UPN) of the account that ran the parent process that spawned the process responsible for the event
        type: string
        indicators:
          - email
      - name: InitiatingProcessParentCreationTime
        description: Date and time when the parent process was started
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
      - name: InitiatingProcessParentFileName
        description: File name or path of the parent process
        type: string
      - name: InitiatingProcessParentFolderPath
        description: Folder containing the parent process (image file) that spawned the process responsible for the event
        type: string
      - name: InitiatingProcessParentId
        description: PID of the parent process
        type: bigint
      - name: InitiatingProcessParentIntegrityLevel
        description: Integrity level of the parent process that spawned the process responsible for the event
        type: string
      - name: InitiatingProcessParentLogonId
        description: Identifier for a logon session of the parent process that spawned the process responsible for the event
        type: int
      - name: InitiatingProcessParentMD5
        description: MD5 hash of the parent process (image file) that spawned the process responsible for the event
        type: string
        indicators:
          - md5
      - name: InitiatingProcessParentSHA1
        description: SHA-1 of the parent process (image file) that spawned the process responsible for the event
        type: string
        indicators:
          - sha1
      - name: InitiatingProcessParentSHA256
        description: SHA-256 of the parent process (image file) that spawned the process responsible for the event
        type: string
        indicators:
          - sha256
      - name: InitiatingProcessParentTokenElevation
        description: Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the parent process that spawned the process responsible for the event
        type: string
      - name: InitiatingProcessRemoteSessionDeviceName
        description: Device name from which the RDP session originated
        type: string
      - name: InitiatingProcessRemoteSessionIP
        description: IP address of the remote device for the RDP session
        type: string
        indicators:
          - ip
      - name: InitiatingProcessSHA1
        description: SHA-1 hash of the initiating process
        type: string
        indicators:
          - sha1
      - name: InitiatingProcessSHA256
        description: SHA-256 hash of the initiating process
        type: string
        indicators:
          - sha256
      - name: InitiatingProcessSessionId
        description: Windows session ID of the initiating process
        type: bigint
      - name: InitiatingProcessTokenElevation
        description: Indicates whether UAC privilege elevation was applied
        type: string
      - name: InitiatingProcessUniqueId
        description: Unique identifier of the initiating process (equals the Process Start Key)
        type: string
      - name: InitiatingProcessVersionInfoCompanyName
        description: Company name from the initiating process version info
        type: string
      - name: InitiatingProcessVersionInfoFileDescription
        description: File description from the initiating process version info
        type: string
      - name: InitiatingProcessVersionInfoInternalFileName
        description: Internal file name from the initiating process version info
        type: string
      - name: InitiatingProcessVersionInfoOriginalFileName
        description: Original file name from the initiating process version info
        type: string
      - name: InitiatingProcessVersionInfoProductName
        description: Product name from the initiating process version info
        type: string
      - name: InitiatingProcessVersionInfoProductVersion
        description: Product version from the initiating process version info
        type: string
      - name: InternetMessageId
        description: Unique message identifier from the Message-ID header
        type: string
      - name: IsAdminOperation
        description: Indicates whether the activity was performed by an administrator
        type: boolean
      - name: IsAnonymousProxy
        description: Indicates whether the IP address belongs to a known anonymous proxy
        type: boolean
      - name: IsAzureADJoined
        description: Whether the device is joined to Microsoft Entra ID
        type: boolean
      - name: IsAzureInfoProtectionApplied
        description: Indicates if Azure Information Protection was applied
        type: boolean
      - name: IsDomainJoined
        description: Whether the device is joined to a domain
        type: boolean
      - name: IsExcluded
        description: Whether the device is excluded from vulnerability management
        type: boolean
      - name: IsExternalUser
        description: Indicates if the user is external to the organization's domain
        type: boolean
      - name: IsImpersonated
        description: Indicates if the activity was performed by an impersonated user
        type: boolean
      - name: IsInitiatingProcessRemoteSession
        description: Whether the initiating process was run under an RDP session
        type: boolean
      - name: IsInternetFacing
        description: Whether the device is internet-facing
        type: boolean
      - name: IsLocalAdmin
        description: Whether the user is a local administrator on the device
        type: boolean
      - name: IsLocalLogon
        description: Whether the logon occurred using a local account
        type: boolean
      - name: IsProcessRemoteSession
        description: Whether the created process ran under RDP
        type: boolean
      - name: IsRootSignerMicrosoft
        description: Indicates if the root certificate was issued by Microsoft
        type: boolean
      - name: IsSigned
        description: Indicates whether the file is signed
        type: boolean
      - name: IsTransient
        description: Whether the device is transient or short-lived
        type: boolean
      - name: IsTrusted
        description: Indicates if the file is trusted based on certificate validation
        type: boolean
      - name: Isp
        description: Internet service provider associated with the IP address
        type: string
      - name: Issuer
        description: Information about the issuing certificate authority (CA)
        type: string
      - name: IssuerHash
        description: Unique hash value identifying the issuing certificate authority (CA)
        type: string
      - name: JoinType
        description: Microsoft Entra ID join type
        type: string
      - name: LastSeenForUser
        description: Attribute last-seen indicators for the user
        type: json
      - name: LatestDeliveryAction
        description: Last known action attempted on an email by the service or by an admin through manual remediation
        type: string
      - name: LatestDeliveryLocation
        description: Last known location of the email
        type: string
      - name: LocalIP
        description: IP address assigned to the local device used during communication
        type: string
        indicators:
          - ip
      - name: LocalPort
        description: TCP port on the local device used for communication
        type: int
      - name: LoggedOnUsers
        description: List of logged-on users in JSON array format
        type: string
      - name: LogonId
        description: Unique ID for the logon session
        type: bigint
      - name: LogonType
        description: Type of logon session (e.g., Interactive, RemoteInteractive, Network)
        type: string
      - name: MD5
        description: MD5 hash of the attached file
        type: string
        indicators:
          - md5
      - name: MacAddress
        description: MAC address of the network adapter
        type: string
      - name: MachineGroup
        description: Machine group used for role-based access control
        type: string
      - name: MalwareFamily
        description: Name of the malware family identified in the attachment
        type: string
      - name: MergedDeviceIds
        description: Previous device IDs assigned to the same device
        type: string
      - name: MergedToDeviceId
        description: Most recent device ID for the device
        type: string
      - name: MitigationStatus
        description: Mitigation action applied to the device
        type: string
      - name: Model
        description: Model name or number of the device
        type: string
      - name: ModifiedProperties
        description: Key-value map of the attributes that were changed
        type: json
      - name: NetworkAdapterAlias
        description: User-friendly name or alias for the network adapter
        type: string
      - name: NetworkAdapterName
        description: Name of the network adapter on the device
        type: string
      - name: NetworkAdapterStatus
        description: Current operational status of the network adapter
        type: string
      - name: NetworkMessageId
        description: Unique identifier for the email across Microsoft 365 Defender
        type: string
      - name: NetworkMessageParentId
        description: Identifier used for deduplication across messages sent to multiple recipients
        type: string
      - name: OAuthAppId
        description: The unique identifier of the OAuth application
        type: string
      - name: OAuthApplicationId
        description: Unique identifier of the third-party OAuth application
        type: string
      - name: OSArchitecture
        description: Architecture of the operating system
        type: string
      - name: OSBuild
        description: Build version of the operating system
        type: bigint
      - name: OSDistribution
        description: OS distribution such as Ubuntu or RedHat
        type: string
      - name: OSPlatform
        description: Operating system platform of the device
        type: string
      - name: OSVersion
        description: Operating system version
        type: string
      - name: OSVersionInfo
        description: Additional OS version info (e.g., codename)
        type: string
      - name: ObjectId
        description: Unique identifier of the object that the action was applied to
        type: string
      - name: ObjectName
        description: Name of the object that the recorded action was applied to
        type: string
      - name: ObjectType
        description: Type of object such as file or folder
        type: string
      - name: OnboardingStatus
        description: Onboarding status to Microsoft Defender for Endpoint
        type: string
      - name: OrgLevelAction
        description: Organization-wide action (e.g., ZAP move to junk/quarantine)
        type: string
      - name: OrgLevelPolicy
        description: Organizational policy that triggered the action taken on the email
        type: string
      - name: OsBuildRevision
        description: Build revision of the operating system
        type: string
      - name: PreviousFileName
        description: Original file name before it was renamed
        type: string
      - name: PreviousFolderPath
        description: Original folder of the file before the action
        type: string
      - name: PreviousRegistryValueData
        description: Data held in the registry value before the recorded change
        type: string
      - name: PreviousRegistryValueType
        description: Data type held before the change occurred
        type: string
      - name: ProcessCommandLine
        description: Command line used to create the new process
        type: string
      - name: ProcessCreationTime
        description: Date and time when the process was created
        type: timestamp
        timeFormats:
          - rfc3339
          - '%Y-%m-%d %H:%M:%S.%N'
      - name: ProcessId
        description: Process ID (PID) of the newly created process
        type: int
      - name: ProcessIntegrityLevel
        description: Integrity level of the newly created process
        type: string
      - name: ProcessRemoteSessionDeviceName
        description: Device name for the RDP session that started the created process
        type: string
      - name: ProcessRemoteSessionIP
        description: IP address for the RDP session that started the created process
        type: string
        indicators:
          - ip
      - name: ProcessTokenElevation
        description: Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process
        type: string
      - name: ProcessUniqueId
        description: Unique identifier of the process (equals the Process Start Key)
        type: string
      - name: Protocol
        description: Network protocol used for communication
        type: string
      - name: PublicIP
        description: Public IP address used by the onboarded device
        type: string
        indicators:
          - ip
      - name: Query
        description: The actual LDAP query executed on the domain controller
        type: string
      - name: QueryEngine
        description: The search engine or interface used (e.g., LDAP)
        type: string
      - name: QueryScope
        description: Scope of the LDAP query (e.g., Base, OneLevel, Subtree)
        type: string
      - name: QueryTarget
        description: The distinguished name (DN) or base of the query
        type: string
      - name: QueryTargetDeviceId
        description: Unique identifier of the domain controller that received the query
        type: string
      - name: QueryTargetDeviceName
        description: Name of the domain controller that received the query
        type: string
      - name: RawEventData
        description: Raw event data from the source application or service
        type: json
      - name: RecipientEmailAddress
        description: Email address of the user who clicked the URL
        type: string
        indicators:
          - email
      - name: RecipientObjectId
        description: Microsoft Entra ID object ID of the recipient
        type: string
      - name: RegistryDeviceTag
        description: Device tag added through the registry
        type: string
      - name: RegistryKey
        description: Registry key that the recorded action was applied to
        type: string
      - name: RegistryValueData
        description: Data of the registry value that the recorded action was applied to
        type: string
      - name: RegistryValueName
        description: Name of the registry value that the recorded action was applied to
        type: string
      - name: RegistryValueType
        description: Data type of the registry value (e.g., REG_SZ, REG_DWORD)
        type: string
      - name: RemoteDeviceName
        description: Name of the remote device (if available)
        type: string
      - name: RemoteDnsDomain
        description: Top-level DNS domain of the remote device
        type: string
        indicators:
          - domain
      - name: RemoteIP
        description: IP address of the system that clicked the URL
        type: string
        indicators:
          - ip
      - name: RemoteIPType
        description: IP address classification (e.g., Public, Private)
        type: string
      - name: RemotePort
        description: TCP port on the remote device used for communication
        type: int
      - name: RemoteUrl
        description: URL or fully qualified domain name (FQDN) that was being connected to
        type: string
        indicators:
          - url
      - name: ReportId
        description: Event identifier based on a repeating counter
        type: string
      - name: RequestAccountDomain
        description: Domain of the remote account
        type: string
      - name: RequestAccountName
        description: User name of the remote account
        type: string
      - name: RequestAccountSid
        description: SID of the remote account
        type: string
      - name: RequestProtocol
        description: Network protocol used to initiate the activity
        type: string
      - name: RequestSourceIP
        description: Source IP address of the remote device
        type: string
        indicators:
          - ip
      - name: RequestSourcePort
        description: Source port on the remote device
        type: int
      - name: ResourceID
        description: The unique identifier of the cloud resource
        type: string
      - name: ResourceType
        description: The type of the cloud resource
        type: string
      - name: SHA1
        description: SHA-1 of the file that the recorded action was applied to
        type: string
        indicators:
          - sha1
      - name: SHA256
        description: SHA-256 hashes of the attachments
        type: string
        indicators:
          - sha256
      - name: SenderDisplayName
        description: Display name of the sender
        type: string
      - name: SenderFromAddress
        description: Email address from the "From" field of the email
        type: string
        indicators:
          - email
      - name: SenderFromDomain
        description: Domain from the sender’s "From" address
        type: string
        indicators:
          - domain
      - name: SenderIP
        description: IP address of the sender
        type: string
        indicators:
          - ip
      - name: SenderIPv4
        description: IPv4 address of the last detected mail server that relayed the message
        type: string
        indicators:
          - ip
      - name: SenderIPv6
        description: IPv6 address of the last detected mail server that relayed the message
        type: string
        indicators:
          - ip
      - name: SenderMailFromAddress
        description: SMTP MAIL FROM address of the sender
        type: string
        indicators:
          - email
      - name: SenderMailFromDomain
        description: Domain from the SMTP MAIL FROM command
        type: string
        indicators:
          - domain
      - name: SenderObjectId
        description: Unique identifier for the sender's account in Microsoft Entra ID
        type: string
      - name: SensitivityLabel
        description: Sensitivity label applied to the file
        type: string
      - name: SensitivitySubLabel
        description: Sublabel applied under the primary sensitivity label
        type: string
      - name: SensorHealthState
        description: Health of the device’s EDR sensor
        type: string
      - name: ServiceSource
        description: Product or service that provided the alert information
        type: string
      - name: SessionData
        description: Defender for Cloud Apps session ID for access/session control
        type: json
      - name: Severity
        description: Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert
        type: string
      - name: ShareName
        description: Name of the shared folder
        type: string
      - name: SignatureType
        description: Indicates how the signature was obtained (embedded or catalog)
        type: string
      - name: Signer
        description: Information about the signer of the file
        type: string
      - name: SignerHash
        description: Unique hash value identifying the signer
        type: string
      - name: Site
        description: Physical location of the device
        type: string
      - name: StartTime
        description: Date and time of the first activity related to the behavior
        type: timestamp
        timeFormats:
          - '%Y-%m-%d %H:%M:%S.%N'
          - rfc3339
      - name: Subject
        description: Subject of the email
        type: string
- name: SubnetPrefix
description: Subnet prefix or netmask associated with the assigned IP address
type: string
- name: SubscriptionId
description: Unique identifier of the cloud service subscription
type: string
- name: TargetAccountDomain
description: Domain of the object that was modified
type: string
indicators:
- domain
- name: TargetAccountName
description: Name of the object that was modified
type: string
- name: TargetAccountObjectId
description: Microsoft Entra ID object ID of the modified account
type: string
- name: TargetAccountSid
description: SID of the object that was modified
type: string
- name: TargetAccountUpn
description: UPN of the object that was modified (if applicable)
type: string
indicators:
- email
- name: ThreatFamily
description: Malware family that the suspicious or malicious file or process has been classified under
type: string
- name: ThreatNames
description: Detection name for malware or other threats found
type: string
- name: ThreatTypes
description: Detected threats associated with the URL (semicolon-delimited if multiple)
type: string
- name: Timestamp
description: Date and time when the URL click event was recorded
type: timestamp
timeFormats:
- rfc3339
- '%Y-%m-%d %H:%M:%S.%N'
isEventTime: true
- name: Title
description: The title of the alert
type: string
- name: UncommonForUser
description: Attributes in the event that are uncommon for the user
type: json
- name: Url
description: The full URL clicked by the user
type: string
indicators:
- url
- name: UrlCount
description: Number of embedded URLs in the email
type: int
- name: UrlDomain
description: Domain extracted from the clicked URL
type: string
indicators:
- domain
- name: UserAgent
description: User agent from the web browser or client app
type: string
- name: UserAgentTags
description: Tags with client info like outdated browser or OS
type: json
- name: UserLevelAction
description: Action taken on the email in response to matches to a mailbox policy defined by the recipient
type: string
- name: UserLevelPolicy
description: End-user mailbox policy that triggered the action taken on the email
type: string
- name: Vendor
description: Device vendor or manufacturer
type: string
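The schema above only names the fields; to show how they are used in practice, here is an added example (not Panther's own code and not from the Panther page) of a Panther-style Python rule over the email fields SenderFromDomain and SenderMailFromDomain, flagging messages whose SMTP envelope domain does not belong to the header From domain, together with a parser for the two Timestamp formats the schema declares. It assumes events arrive as plain dicts keyed by the schema's field names (Panther's rule harness passes a dict-like event with the same .get() interface); the sample events are constructed, not real Defender data.

```python
"""Added example (not from the Panther page or Panther's own code): a Panther-style
Python rule over Microsoft Defender XDR email fields, plus a parser for the two
Timestamp formats the schema declares.

Assumptions: events are plain dicts keyed by the schema's field names (Panther's
rule harness passes a dict-like event with the same .get() interface); the sample
events below are constructed, not real Defender data.
"""
import re
from datetime import datetime, timedelta, timezone

FROM_DOMAIN = "SenderFromDomain"          # domain of the header "From" address
MAILFROM_DOMAIN = "SenderMailFromDomain"  # domain of the SMTP MAIL FROM (envelope) address


def _normalize(domain):
    """Lower-case and strip whitespace and a trailing dot so comparisons are stable."""
    return (domain or "").strip().lower().rstrip(".")


def _same_org(header_domain, envelope_domain):
    """True when the envelope domain equals, or is a subdomain of, the header domain.

    Legitimate senders often put a dedicated bounce subdomain in MAIL FROM
    (bounce.example.com for a From of example.com), so strict equality is too noisy.
    """
    return envelope_domain == header_domain or envelope_domain.endswith("." + header_domain)


def rule(event):
    """Fire when the SMTP MAIL FROM domain does not belong to the header From domain."""
    header_domain = _normalize(event.get(FROM_DOMAIN))
    envelope_domain = _normalize(event.get(MAILFROM_DOMAIN))
    # Bounces use the null sender (MAIL FROM:<>), so there is no envelope domain to compare.
    if not header_domain or not envelope_domain:
        return False
    return not _same_org(header_domain, envelope_domain)


def title(event):
    """Alert title built from the schema fields; Panther calls this when rule() is True."""
    return (
        f"Header From {event.get(FROM_DOMAIN)} sent via MAIL FROM {event.get(MAILFROM_DOMAIN)} "
        f"from {event.get('SenderIP')} (subject: {event.get('Subject')!r})"
    )


# Matches both declared formats: '%Y-%m-%d %H:%M:%S.%N' and rfc3339 (with 'Z' or an offset).
_TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$"
)


def parse_timestamp(value):
    """Parse the Timestamp field into a UTC-aware datetime.

    Panther's %N accepts any number of fractional-second digits, and Defender exports
    seven (100 ns ticks); Python's %f stops at six, so the fraction is truncated to
    microseconds. A value without a zone is treated as UTC.
    """
    match = _TS_RE.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised Timestamp value: {value!r}")
    date_part, clock_part, fraction, zone = match.groups()
    micros = int((fraction or "0")[:6].ljust(6, "0"))
    parsed = datetime.strptime(f"{date_part} {clock_part}", "%Y-%m-%d %H:%M:%S")
    parsed = parsed.replace(microsecond=micros)
    if zone and zone != "Z":
        sign = 1 if zone[0] == "+" else -1
        offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6]))
        return parsed.replace(tzinfo=timezone(sign * offset)).astimezone(timezone.utc)
    return parsed.replace(tzinfo=timezone.utc)


# Constructed sample events (not real Defender data); only the fields the rule reads are filled.
SAMPLE_EVENTS = [
    {"SenderFromDomain": "example.com", "SenderMailFromDomain": "bounce.example.com",
     "SenderIP": "203.0.113.10", "Subject": "Your invoice",
     "Timestamp": "2024-05-01T12:34:56.1234567Z"},
    {"SenderFromDomain": "example.com", "SenderMailFromDomain": "mailer-xyz.test",
     "SenderIP": "198.51.100.7", "Subject": "Urgent wire transfer",
     "Timestamp": "2024-05-01 12:35:01.123456789"},
    {"SenderFromDomain": "example.com", "SenderMailFromDomain": "",
     "SenderIP": "203.0.113.11", "Subject": "Undeliverable: Your invoice",
     "Timestamp": "2024-05-01T12:36:00Z"},
]


def run(events):
    """Return (timestamp, title) for every event the rule fires on."""
    return [(parse_timestamp(e["Timestamp"]), title(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for when, alert in run(SAMPLE_EVENTS):
        print(when.isoformat(), alert)
```

Inside Panther, rule() and title() port as written because the event object exposes the same .get() interface; parse_timestamp is only needed when replaying exported events outside Panther, since Panther applies the declared timeFormats at ingest. The subdomain allowance in _same_org is the deliberate trade-off: it keeps ESP bounce domains quiet at the cost of missing an attacker who controls a subdomain of the spoofed organisation, which DMARC alignment evaluation would catch separately.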