Information about files attached to emails
| Attribute | Value |
|---|---|
| Category | Defender |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| DetectionMethods | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| FileExtension | string | File extension of the attachment. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileSize | long | Size of the file in bytes. |
| FileType | string | File extension type. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| RecipientEmailAddress | string | Email address of the recipient, or email address of the recipient after distribution list expansion. |
| RecipientObjectId | string | Email recipient unique identifier in Azure AD. |
| ReportId | string | Unique identifier for the event. |
| SenderDisplayName | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SenderFromAddress | string | Sender domain in the from header, which is visible to email recipients on their email clients. |
| SenderObjectId | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatNames | string | Sender email address in the from header, which is visible to email recipients on their email clients. |
| ThreatTypes | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Potentially malicious svg file delivered to Inbox | |
GitHub Only:
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender for Office 365:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365 | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365 | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| PhishingAnalysis | |
References by type: 0 connectors, 1 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" | - | 1 | - | - | 1 |
| Total | 0 | 1 | 0 | 0 | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Add member to role | - | 1 | - | - | 1 |
| Add user | - | 1 | - | - | 1 |
| InteractiveLogon | - | 1 | - | - | 1 |
| RemoteInteractiveLogon | - | 1 | - | - | 1 |
| Reset user password | - | 1 | - | - | 1 |
| ResourceAccess | - | 1 | - | - | 1 |
| Sign-in | - | 1 | - | - | 1 |
| Update user | - | 1 | - | - | 1 |