MD5 hash of the file that the recorded action was applied toĬompany name from the version information of the newly created process This field is usually not populated - use the SHA1 column when available. SHA-256 of the file that the recorded action was applied to. SHA-1 of the file that the recorded action was applied to Name of the file that the recorded action was applied toįolder containing the file that the recorded action was applied to See the in-portal schema reference for details Type of activity that triggered the event.
Unique identifier for the machine in the serviceįully qualified domain name (FQDN) of the machine Column nameĭate and time when the event was recorded
For detailed information about the events types ( ActionType values) supported by a table, use the built-in schema reference available in Microsoft 365 Defender.įor information on other tables in the advanced hunting schema, see the advanced hunting reference.