| Alerts and incidents | AlertInfo, AlertEvidence, SecurityAlert, SecurityIncident where available for the selected Defender/Sentinel context. | AlertId, IncidentId, ServiceSource, DetectionSource, Severity, Category, entity fields, Title, Timestamp. | Does the row describe a detection/incident or the underlying activity? Pivot to raw-event tables before causal conclusions. |
| Endpoint process and file | DeviceProcessEvents, DeviceFileEvents, DeviceEvents, DeviceImageLoadEvents. | DeviceId/DeviceName, SHA256, FileName, ProcessCommandLine, initiating process, AccountSid/ObjectId, FolderPath. | Is the device onboarded and the event/action supported? Are hash, process tree, signer, and user context complete? |
| Endpoint network and logon | DeviceNetworkEvents, DeviceLogonEvents, DeviceNetworkInfo, DeviceInfo. | RemoteIP/RemoteUrl/RemotePort, Protocol, LogonType, AccountSid/UPN, InitiatingProcess, device tags/groups, exposure. | Is the network row a connection, DNS/proxy-derived value, or enrichment? Normalize IP/URL and account/device identity. |
| Identity | IdentityLogonEvents, IdentityDirectoryEvents, IdentityQueryEvents, IdentityInfo. | AccountObjectId/Sid/UPN, Application, Protocol, IPAddress, DeviceName, ActionType, privileged role and risk context. | Are cloud and on-premises identities linked? Could service accounts, shared devices, NAT, sync delay, or normal admin work explain it? |
| Email and collaboration | EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents, UrlClickEvents. | NetworkMessageId, InternetMessageId, sender/recipient, Subject, DeliveryAction, ThreatTypes, SHA256, Url, click action. | Are message IDs/URLs normalized, recipients expanded, post-delivery actions considered, and Defender for Office telemetry licensed/available? |
| Cloud apps and SaaS | CloudAppEvents and supported app-governance/cloud-app data. | AccountObjectId/DisplayName, Application, IPAddress, ActionType, object/resource, user agent, device/session context. | Is the app connected and audited? Are API, actor, proxy, admin, and user actions distinguishable? |
| Data security and Purview | Supported DataSecurity* tables, DLP/Insider Risk signals, sensitivity and data-classification context where configured. | User, data source, policy/rule, sensitivity label, activity, application, device, exfiltration channel, alert/incident. | Has the organization enabled the integration and authorized sensitive employee/data use? Are privacy and least-access rules applied? |
| Exposure and vulnerability | DeviceTvm* and supported exposure-management tables. | DeviceId, software/CVE, recommendation, exposure level, internet-facing/critical asset context, remediation status. | Is the data a current inventory/snapshot or an event? Join only after narrowing device/software scope and effective date. |