Defender Data Source Field Definitions
An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.
Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.
Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.
Field Name | Definition |
incidentId | Unique identifier to represent the incident |
redirectIncidentId | Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic. |
incidentName | String value available for every incident. |
createdTime | Time when incident was first created. |
lastUpdateTime | Time when the incident was last updated on the backend.This field can be used when you’re setting the request parameter for the range of time that incidents are retrieved. |
assignedTo | Owner of the incident, or null if no owner is assigned. |
classification | The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive |
determination | Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other |
detectionSource | Specifies source of detection. |
status | Categorize incidents (as Active, or Resolved). It can help you organize and manage your response to incidents. |
severity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.One of the following values: Informational, Low, *Medium, and High. |
tags | Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. |
comments | Array of comments created by secops when managing the incident, for example additional information about the classification selection. |
alerts | Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts. |
alertId | Unique identifier to represent the alert |
incidentId | Unique identifier to represent the incident this alert is associated with |
serviceSource | Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365. |
creationTime | Time when alert was first created. |
lastUpdatedTime | Time when alert was last updated at the backend. |
resolvedTime | Time when alert was resolved. |
firstActivity | Time when alert first reported that activity was updated at the backend. |
title | Brief identifying string value available for each alert. |
description | String value describing each alert. |
category | Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework. |
status | Categorize alerts (as New, Active, or Resolved). It can help you organize and manage your response to alerts. |
severity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High. |
investigationId | The automated investigation ID triggered by this alert. |
investigationState | Information on the investigation’s current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert. |
classification | The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null |
determination | Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null |
assignedTo | Owner of the incident, or null if no owner is assigned. |
actorName | The activity group, if any, the associated with this alert. |
threatFamilyName | Threat family associated with this alert. |
mitreTechniques | The attack techniques, as aligned with the MITRE ATT&CK™ framework. |
devices | All devices where alerts related to the incident were sent. |
DeviceId | The device ID as designated in Microsoft Defender for Endpoint. |
aadDeviceId | The device ID as designated in Azure Active Directory. Only available for domain-joined devices. |
deviceDnsName | The fully qualified domain name for the device. |
osPlatform | The OS platform the device is running. |
osBuild | The build version for the OS the device is running. |
rbacGroupName | The role-based access control (RBAC) group associated with the device. |
firstSeen | Time when device was first seen. |
healthStatus | The health state of the device. |
riskScore | The risk score for the device. |
entities | All entities that have been identified to be part of, or related to, a given alert. |
entityType | Entities that have been identified to be part of, or related to, a given alert. The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry |
sha1 | Available if entityType is File. The file hash for alerts associated with a file or process. |
sha256 | Available if entityType is File. The file hash for alerts associated with a file or process. |
fileName | Available if entityType is File. The file name for alerts associated with a file or process |
filePath | Available if entityType is File. The file path for alerts associated with a file or process |
processId | Available if entityType is Process. |
processCommandLine | Available if entityType is Process. |
processCreationTime | Available if entityType is Process. |
parentProcessId | Available if entityType is Process. |
parentProcessCreationTime | Available if entityType is Process. |
ipAddress | Available if entityType is Ip. IP address for alerts associated with network events, such as Communication to a malicious network destination. |
url | Available if entityType is Url. Url for alerts associated to network events, such as, Communication to a malicious network destination. |
accountName | Available if entityType is User. |
domainName | Available if entityType is User. |
userSid | Available if entityType is User. |
aadUserId | Available if entityType is User. |
userPrincipalName | Available if entityType is User/MailBox/MailMessage. |
mailboxDisplayName | Available if entityType is MailBox. |
mailboxAddress | Available if entityType is User/MailBox/MailMessage. |
clusterBy | Available if entityType is MailCluster. |
sender | Available if entityType is User/MailBox/MailMessage. |
recipient | Available if entityType is MailMessage. |
subject | Available if entityType is MailMessage. |
deliveryAction | Available if entityType is MailMessage. |
securityGroupId | Available if entityType is SecurityGroup. |
securityGroupName | Available if entityType is SecurityGroup. |
registryHive | Available if entityType is Registry. |
registryKey | Available if entityType is Registry. |
registryValueType | Available if entityType is Registry. |
registryValue | Available if entityType is Registry. |
deviceId | The ID, if any, of the device related to the entity. |