| Field name | Description | Example value |
|---|---|---|
| user_name | Account under which the user was logged in on the endpoint device when the event occurred, in `host\\user` form. | DESKTOP-0731NFQ\\User |
| timestamp | Time at which the event was received, in UTC, in the format `yyyy-mm-ddThh:mm:ss[.fffff]Z`; the `Z` denotes UTC and the fractional seconds may be present, as in the example. | 2022-05-12T08:11:46.15869Z |
| endpoint_name | Name of the endpoint device. | DESKTOP-0731NFQ |
| endpoint_id | Unique identifier (UUID) of the endpoint device. | 35fb5820-74db-4eac-b05b-d01bc284c4e8 |
| process_id | Identifier of the process (PID). | 3916 |
| hash | Hash of the application executable. The example is 40 hexadecimal digits, the length of a SHA-1 digest. | B4CE5C3495FEA0A4FDBAC8ABDCD199F7E4CA8C1F |
| app_name | Full path to the application executable. | C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe |
| action | Action that produced the event: the application was started or stopped. | start, stop |
| version | Version of the application executable. | 6.2.19041.746 |
| subject | Subject name of the code-signing certificate the application is signed with. | Microsoft Corporation |
| issuer | Issuer of the code-signing certificate the application is signed with. | Microsoft Windows Production PCA 2011 |
| cmd_line | Command line with which the process was started. | C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc |
| session_id | Identifier of the user session in which the application ran. | 1656038456 |

The example values are illustrative and are not taken from a single event: app_name shows msedge.exe while cmd_line shows svchost.exe. In a real event the image on the command line and the application path normally refer to the same executable.
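As an added example that is not code from the original page or from the product it documents, the following Python consumes events carrying the fields listed above and applies a few triage checks a detection engineer would want: the timestamp is parsed with its variable-length fraction, the hash is checked for SHA-1 length, unsigned binaries and issuers outside an allowlist are flagged, and on start events the image named in cmd_line is compared with app_name. The JSON-lines delivery format, the trusted-issuer allowlist, the heuristics and the sample events are all assumptions constructed for illustration; the field names are the ones in the table.

```python
"""Triage application start/stop events carrying the fields listed above.

Added example, not code from the original page or its vendor. The JSON
lines, the trusted-issuer allowlist and the detection heuristics are all
constructed for illustration; only the field names come from the table.
"""
import json
import re
from datetime import datetime, timezone

# Constructed allowlist: issuers this hypothetical organisation trusts.
TRUSTED_ISSUERS = {
    "Microsoft Windows Production PCA 2011",
    "Microsoft Code Signing PCA 2011",
}

# yyyy-mm-ddThh:mm:ssZ with an optional fraction of any length (the page's
# example has five digits, which datetime.fromisoformat rejects before 3.11).
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


def parse_timestamp(value):
    """Parse the timestamp field into an aware UTC datetime."""
    m = _TS_RE.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    base, frac = m.groups()
    micros = int((frac or "").ljust(6, "0")[:6])   # pad/truncate to microseconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def image_from_cmd_line(cmd_line):
    """Return the executable path that opens a command line.

    A quoted path (one containing spaces) ends at the closing quote; an
    unquoted one ends at the first space.
    """
    cmd_line = cmd_line.strip()
    if cmd_line.startswith('"'):
        end = cmd_line.find('"', 1)
        return cmd_line[1:end] if end != -1 else cmd_line[1:]
    return cmd_line.split(" ", 1)[0]


def triage(event):
    """Return the list of findings for one event; an empty list means nothing notable."""
    findings = []
    if event.get("action") not in ("start", "stop"):
        findings.append(f"unknown action {event.get('action')!r}")

    # The table's example hash is 40 hex digits, the length of a SHA-1 digest.
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", event.get("hash") or ""):
        findings.append("hash is not a 40-hex-digit value")

    # An empty subject is taken to mean no code-signing certificate was found.
    if not event.get("subject"):
        findings.append("unsigned binary")
    elif event.get("issuer") not in TRUSTED_ISSUERS:
        findings.append(f"issuer not in allowlist: {event.get('issuer')!r}")

    # Heuristic: on a start event the image named in cmd_line should be the
    # application that actually started; a difference is worth a look.
    if event.get("action") == "start" and event.get("cmd_line"):
        image = image_from_cmd_line(event["cmd_line"])
        if image.lower() != (event.get("app_name") or "").lower():
            findings.append(f"cmd_line image {image!r} differs from app_name")
    return findings


def triage_jsonl(text):
    """Triage newline-delimited JSON events; returns {process_id: [findings]}."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        parse_timestamp(event["timestamp"])          # reject malformed timestamps early
        results[event["process_id"]] = triage(event)
    return results


# Constructed sample events (first one reuses the table's example values).
# Backslashes are doubled because the values are JSON-encoded.
SAMPLE_EVENTS = r'''
{"user_name": "DESKTOP-0731NFQ\\User", "timestamp": "2022-05-12T08:11:46.15869Z", "endpoint_name": "DESKTOP-0731NFQ", "endpoint_id": "35fb5820-74db-4eac-b05b-d01bc284c4e8", "process_id": 3916, "hash": "B4CE5C3495FEA0A4FDBAC8ABDCD199F7E4CA8C1F", "app_name": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "action": "start", "version": "6.2.19041.746", "subject": "Microsoft Corporation", "issuer": "Microsoft Windows Production PCA 2011", "cmd_line": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", "session_id": 1656038456}
{"user_name": "DESKTOP-0731NFQ\\User", "timestamp": "2022-05-12T08:12:01Z", "endpoint_name": "DESKTOP-0731NFQ", "endpoint_id": "35fb5820-74db-4eac-b05b-d01bc284c4e8", "process_id": 4120, "hash": "0123456789ABCDEF0123456789ABCDEF01234567", "app_name": "C:\\Users\\User\\AppData\\Local\\Temp\\svchost.exe", "action": "start", "version": "", "subject": "", "issuer": "", "cmd_line": "C:\\Windows\\system32\\svchost.exe -k wsappx -p -s AppXSvc", "session_id": 1656038456}
{"user_name": "DESKTOP-0731NFQ\\User", "timestamp": "2022-05-12T08:13:30.5Z", "endpoint_name": "DESKTOP-0731NFQ", "endpoint_id": "35fb5820-74db-4eac-b05b-d01bc284c4e8", "process_id": 4388, "hash": "d41d8cd98f00b204e9800998ecf8427e", "app_name": "C:\\Tools\\updater.exe", "action": "stop", "version": "1.0.0.0", "subject": "Example Tools Ltd", "issuer": "Example Tools Code Signing CA", "cmd_line": "C:\\Tools\\updater.exe --check", "session_id": 1656038456}
'''

if __name__ == "__main__":
    for pid, findings in triage_jsonl(SAMPLE_EVENTS).items():
        print(pid, findings or ["ok"])
```

Run stand-alone, the first event (the table's own example values, with a matching command line) produces no findings; the second is flagged as unsigned and because its cmd_line names `system32\svchost.exe` while app_name points into a Temp directory; the third is flagged for a 32-digit (MD5-length) hash and an issuer outside the allowlist. The allowlist and the image-mismatch heuristic are starting points to tune against your own fleet, not vendor-defined rules.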