
AlertEvidence

Evidence associated with an alert. An AlertEvidence object can represent several entity types (User, Process, File, IP address, or URL, as selected by entityType); only the properties relevant to that entity type are expected to be populated, and every property other than entityType is nullable. The schema below declares no `required` list and does not set `additionalProperties: false`, so a conforming payload may omit any property (including entityType) or carry extra ones — consumers should validate presence and format themselves rather than rely on the schema alone.

Properties

Name Type Description
entityType string The type of evidence entity: one of User, Process, File, Ip, or Url (the enum in the schema below). Note that the registry* properties have no corresponding entity value in that enum.
evidenceCreationTime string | null The time the evidence was created, as an ISO 8601 date-time string (schema format: date-time).
sha1 string | null SHA-1 hash of the file. SHA-1 is collision-prone; prefer sha256 for matching and blocking decisions when both are populated.
sha256 string | null SHA-256 hash of the file. The schema does not constrain its length or character set, so validate the format before using it as a lookup key.
fileName string | null The file name.
filePath string | null The file path.
processId integer | null The process ID. Process IDs are reused by the OS; combine with processCreationTime to identify a specific process instance.
processCommandLine string | null The process command line. This is attacker-controlled content; treat it as untrusted when rendering it or embedding it in queries.
processCreationTime string | null The process creation time (ISO 8601 date-time).
parentProcessId integer | null The parent process ID.
parentProcessCreationTime string | null The parent process creation time (ISO 8601 date-time).
parentProcessFileName string | null The parent process file name.
parentProcessFilePath string | null The parent process file path.
ipAddress string | null The IP address. The schema declares no ipv4/ipv6 format constraint, so consumers should parse and validate the value themselves.
url string | null The URL. Potentially malicious; do not render it as a live link or fetch it automatically.
registryKey string | null The registry key.
registryHive string | null The registry hive.
registryValueType string | null The registry value type.
registryValue string | null The registry value.
accountName string | null The account name.
domainName string | null The domain name.
userSid string | null The user security identifier (SID).
aadUserId string | null The Microsoft Entra (formerly Azure AD) user object ID.
userPrincipalName string | null The user principal name.
detectionStatus string | null The detection status of the evidence: Detected, Blocked, Prevented, or null.

JSON Schema

File: microsoft-defender-alertevidence-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "#/components/schemas/AlertEvidence",
  "title": "AlertEvidence",
  "type": "object",
  "description": "Evidence associated with an alert. Can represent various entity types including User, Process, File, IP address, and URL. No property is required and additional properties are not forbidden, so consumers must check for null or absent fields themselves.",
  "properties": {
    "entityType": {
      "type": "string",
      "description": "The type of evidence entity; one of the enum values below. Registry-related properties exist on this object but have no dedicated entity value here.",
      "enum": [
        "User",
        "Process",
        "File",
        "Ip",
        "Url"
      ]
    },
    "evidenceCreationTime": {
      "type": [
        "string",
        "null"
      ],
      "format": "date-time",
      "description": "The time the evidence was created (ISO 8601 date-time)."
    },
    "sha1": {
      "type": [
        "string",
        "null"
      ],
      "description": "SHA-1 hash of the file. SHA-1 is collision-prone; prefer sha256 for matching when both are present."
    },
    "sha256": {
      "type": [
        "string",
        "null"
      ],
      "description": "SHA-256 hash of the file."
    },
    "fileName": {
      "type": [
        "string",
        "null"
      ],
      "description": "The file name."
    },
    "filePath": {
      "type": [
        "string",
        "null"
      ],
      "description": "The file path."
    },
    "processId": {
      "type": [
        "integer",
        "null"
      ],
      "description": "The process ID. Process IDs are reused; pair with processCreationTime to identify a specific process instance."
    },
    "processCommandLine": {
      "type": [
        "string",
        "null"
      ],
      "description": "The process command line. Attacker-controlled content; treat as untrusted when rendering or embedding in queries."
    },
    "processCreationTime": {
      "type": [
        "string",
        "null"
      ],
      "format": "date-time",
      "description": "The process creation time."
    },
    "parentProcessId": {
      "type": [
        "integer",
        "null"
      ],
      "description": "The parent process ID."
    },
    "parentProcessCreationTime": {
      "type": [
        "string",
        "null"
      ],
      "format": "date-time",
      "description": "The parent process creation time."
    },
    "parentProcessFileName": {
      "type": [
        "string",
        "null"
      ],
      "description": "The parent process file name."
    },
    "parentProcessFilePath": {
      "type": [
        "string",
        "null"
      ],
      "description": "The parent process file path."
    },
    "ipAddress": {
      "type": [
        "string",
        "null"
      ],
      "description": "The IP address. No ipv4/ipv6 format constraint is declared; consumers should validate the value themselves."
    },
    "url": {
      "type": [
        "string",
        "null"
      ],
      "description": "The URL. Potentially malicious; do not render as a live link or fetch automatically."
    },
    "registryKey": {
      "type": [
        "string",
        "null"
      ],
      "description": "The registry key."
    },
    "registryHive": {
      "type": [
        "string",
        "null"
      ],
      "description": "The registry hive."
    },
    "registryValueType": {
      "type": [
        "string",
        "null"
      ],
      "description": "The registry value type."
    },
    "registryValue": {
      "type": [
        "string",
        "null"
      ],
      "description": "The registry value."
    },
    "accountName": {
      "type": [
        "string",
        "null"
      ],
      "description": "The account name."
    },
    "domainName": {
      "type": [
        "string",
        "null"
      ],
      "description": "The domain name."
    },
    "userSid": {
      "type": [
        "string",
        "null"
      ],
      "description": "The user security identifier (SID)."
    },
    "aadUserId": {
      "type": [
        "string",
        "null"
      ],
      "description": "The Microsoft Entra user ID."
    },
    "userPrincipalName": {
      "type": [
        "string",
        "null"
      ],
      "description": "The user principal name."
    },
    "detectionStatus": {
      "type": [
        "string",
        "null"
      ],
      "description": "The detection status of the evidence: Detected, Blocked, Prevented, or null.",
      "enum": [
        "Detected",
        "Blocked",
        "Prevented",
        null
      ]
    }
  }
}