The BehaviorInfo table in the advanced hunting schema contains information about behaviors from Microsoft Defender for Cloud Apps and User and Entity Behavior Analytics (UEBA). Use this reference to construct queries that return information from this table.
Important
The BehaviorInfo table is in preview and is not available for GCC. The information here may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. Have feedback to share? Fill out our feedback form.
Behaviors are a type of data in Microsoft Defender XDR based on one or more raw events. Behaviors provide contextual insight into events and can, but don't necessarily, indicate malicious activity. For more information, see the following articles:
- Investigate behaviors with advanced hunting
- Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel
This advanced hunting table is populated by records from both Defender for Cloud Apps and UEBA. If your organization doesn't deploy these services in Microsoft Defender XDR, queries that use the table won't work or won't return any results. For more information about how to deploy services in Defender XDR, see Deploy supported services.
To make sure Defender for Cloud Apps and UEBA data populate the BehaviorInfo table, follow the instructions in the following articles:
For information on other tables in the advanced hunting schema, see the advanced hunting reference.
| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the record was generated |
| BehaviorId | string | Unique identifier for the behavior |
| Title | string | Title of the behavior |
| Description | string | Description of the behavior |
| Categories | string | Type of threat indicator or breach activity identified by the behavior, as defined by the MITRE ATT&CK framework |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the behavior |
| ServiceSource | string | Product or service that identified the behavior |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity |
| DataSources | string | Products or services that provided information for the behavior |
| DeviceId | string | Unique identifier for the device in the service |
| AccountUpn | string | User principal name (UPN) of the account |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID |
| StartTime | datetime | Date and time of the first activity related to the behavior |
| EndTime | datetime | Date and time of the last activity related to the behavior |
| AdditionalFields | string | Additional information about the behavior |
| ActionType | string | Type of behavior |
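The following advanced hunting query is an added example (not from this reference or from Microsoft) of how the columns above combine in practice: it groups a week of behaviors per account and surfaces accounts that accumulate several distinct ATT&CK techniques. It assumes that AttackTechniques holds a JSON array serialized as a string (the code tolerates a plain string as well) and uses an illustrative threshold of three techniques.

```kusto
// Added example, not part of the BehaviorInfo reference page.
// Goal: find accounts whose behaviors (which are context, not alerts)
// span several distinct MITRE ATT&CK techniques within one window.
let lookback = 7d;
BehaviorInfo
| where Timestamp > ago(lookback)
| where isnotempty(AccountUpn)
// Assumption: AttackTechniques is a JSON array stored as a string.
// parse_json + mv-expand also handle a single plain string value.
| extend TechniqueList = parse_json(AttackTechniques)
| mv-expand Technique = TechniqueList to typeof(string)
| summarize
    BehaviorCount = dcount(BehaviorId),
    Techniques     = make_set(Technique),
    Sources        = make_set(ServiceSource),
    ActionTypes    = make_set(ActionType),
    Titles         = make_set(Title, 10),
    FirstSeen      = min(StartTime),
    LastSeen       = max(EndTime)
    by AccountUpn, AccountObjectId
// Illustrative threshold: several different techniques on one account
// within the window is the pattern worth reviewing first.
| where array_length(Techniques) >= 3
| extend SpanHours = datetime_diff('hour', LastSeen, FirstSeen)
| project AccountUpn, AccountObjectId, BehaviorCount, Techniques,
          Sources, ActionTypes, Titles, FirstSeen, LastSeen, SpanHours
| order by BehaviorCount desc
```

Pivot from a row of interest by filtering BehaviorInfo on AccountUpn and the FirstSeen/LastSeen window to read the individual Title, Description and AdditionalFields values behind the summary.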
Related topics
- Advanced hunting overview
- Learn the query language
- Use shared queries
- Hunt across devices, emails, apps, and identities
- Understand the schema
- Apply query best practices
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.