Microsoft Defender for Endpoint (MDE) behaviors table. Contains information about behaviors, which in the context of Microsoft 365 Defender are conclusions or insights derived from one or more raw events; they give analysts additional context during investigations.
Table attributes
Attribute | Value |
---|---|
Resource types | - |
Categories | Security |
Solutions | LogManagement |
Basic log | Yes |
Ingestion-time transformation | No |
Sample Queries | - |
Columns
Column | Type | Description |
---|---|---|
AccountObjectId | string | Unique identifier for the account in Azure AD. |
AccountUpn | string | User principal name (UPN) of the account. |
ActionType | string | Type of activity that triggered the event. Associated with specific MITRE ATT&CK techniques. |
AdditionalFields | string | Additional information about the entity or event. |
AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert. Defined by the MITRE ATT&CK Matrix for Enterprise. |
BehaviorId | string | Unique identifier for the behavior. |
_BilledSize | real | The record size in bytes. |
Categories | string | Types of threat indicator or breach activity identified by the alert. Defined by the MITRE ATT&CK Matrix for Enterprise. |
DataSources | string | Products or services that provided information for the behavior. |
Description | string | Description of the behavior. |
DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
DeviceId | string | Unique identifier for the device in the service. |
EndTime | datetime | Date and time of the last activity related to the behavior. |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
ServiceSource | string | Product or service that provided the alert information. |
SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
StartTime | datetime | Date and time of the first activity related to the behavior. |
TenantId | string | The Log Analytics workspace ID. |
TimeGenerated | datetime | Date and time when the record was generated. |
Type | string | The name of the table. |