AlertEvidence
Files, IP addresses, URLs, users, or devices associated with alerts
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Schema (44 columns)
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountObjectId | string | Unique identifier for the account in Azure Active Directory. |
| AccountSid | string | Security Identifier (SID) of the account. |
| AccountUpn | string | User principal name (UPN) of the account. |
| AdditionalFields | dynamic | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. |
| Application | string | Application that performed the recorded action. |
| ApplicationId | int | Unique identifier for the application. |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert. |
| Categories | string | List of categories that the information belongs to, in JSON array format. |
| CloudPlatform | string | The cloud platform that the resource belongs to; can be Azure, Amazon Web Services, or Google Cloud Platform. |
| CloudResource | string | Cloud resource name. |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine. |
| EmailSubject | string | Subject of the email. |
| EntityType | string | Type of object, such as a file, a process, a device, or a user. |
| EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection. |
| EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| LocalIP | string | IP address assigned to the local device used during communication. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application. |
| ProcessCommandLine | string | Command line used to create the new process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ServiceSource | string | Product or service that provided the alert information. |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID. |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Title | string | Title of the alert. |
| Type | string | The name of the table. |
Solutions (6)
This table is used by the following solutions:
Connectors (1)
This table is ingested by the following connectors:
Content Items Using This Table (12)
Analytic Rules (2)
In solution Microsoft Defender XDR: ActionType == "BrowserLaunchedToOpenUrl"; EntityType in "MailMessage,Url"; ServiceSource == "Microsoft Defender for Office 365"
In solution Vectra XDR: EntityType in "Device,User"
Hunting Queries (5)
GitHub Only:
Workbooks (5)
In solution ContinuousDiagnostics&Mitigation:
In solution MaturityModelForEventLogManagementM2131:
In solution Microsoft Defender XDR: ActionType == "Automated Remediation"; Title startswith "CC_"
In solution NISTSP80053: Title contains "backdoor"; Title contains "dos"; Title contains "exploit"; Title contains "file"; Title contains "mining"; Title contains "test"; Title contains "tool"; Title contains "ware"
In solution ZeroTrust(TIC3.0): Title contains "IDS"; Title contains "IPS"; Title contains "anomal"; Title contains "auth"; Title contains "behavior"; Title contains "data"; Title contains "deception"; Title contains "denial"; Title contains "detonation"; Title contains "dns"; Title contains "dos"; Title contains "dynamic"; Title contains "email"; Title contains "exfil"; Title contains "exploit"; Title contains "fusion"; Title contains "honeytoken"; Title contains "intrusion"; Title contains "learning"; Title contains "login"; Title contains "loss"; Title contains "mal"; Title contains "malware"; Title contains "password"; Title contains "phish"; Title contains "sand"; Title contains "url"
Parsers Using This Table (1)
ASIM Parsers (1)
Selection Criteria Summary (7 criteria, 7 total references)
References by type: 0 connectors, 7 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "BrowserLaunchedToOpenUrl"; EntityType in "MailMessage,Url"; ServiceSource == "Microsoft Defender for Office 365" | - | 1 | - | - | 1 |
| EntityType in "Device,User" | - | 1 | - | - | 1 |
| ActionType == "ChatCreated" | - | 1 | - | - | 1 |
| ActionType in "MoveToDeletedItems,MovedToDeletedItems" | - | 1 | - | - | 1 |
| ActionType == "Automated Remediation"; Title startswith "CC_" | - | 1 | - | - | 1 |
| Title contains "backdoor"; Title contains "dos"; Title contains "exploit"; Title contains "file"; Title contains "mining"; Title contains "test"; Title contains "tool"; Title contains "ware" | - | 1 | - | - | 1 |
| Title contains "IDS"; Title contains "IPS"; Title contains "anomal"; Title contains "auth"; Title contains "behavior"; Title contains "data"; Title contains "deception"; Title contains "denial"; Title contains "detonation"; Title contains "dns"; Title contains "dos"; Title contains "dynamic"; Title contains "email"; Title contains "exfil"; Title contains "exploit"; Title contains "fusion"; Title contains "honeytoken"; Title contains "intrusion"; Title contains "learning"; Title contains "login"; Title contains "loss"; Title contains "mal"; Title contains "malware"; Title contains "password"; Title contains "phish"; Title contains "sand"; Title contains "url" | - | 1 | - | - | 1 |
| Total | 0 | 7 | 0 | 0 | 7 |
ActionType
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| BrowserLaunchedToOpenUrl | - | 1 | - | - | 1 |
| ChatCreated | - | 1 | - | - | 1 |
| MoveToDeletedItems | - | 1 | - | - | 1 |
| MovedToDeletedItems | - | 1 | - | - | 1 |
| Automated Remediation | - | 1 | - | - | 1 |
EntityType
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| MailMessage | - | 1 | - | - | 1 |
| Url | - | 1 | - | - | 1 |
| Device | - | 1 | - | - | 1 |
| User | - | 1 | - | - | 1 |
ServiceSource
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft Defender for Office 365 | - | 1 | - | - | 1 |
Title
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains dos | - | 2 | - | - | 2 |
| contains exploit | - | 2 | - | - | 2 |
| startswith CC_ | - | 1 | - | - | 1 |
| contains backdoor | - | 1 | - | - | 1 |
| contains file | - | 1 | - | - | 1 |
| contains mining | - | 1 | - | - | 1 |
| contains test | - | 1 | - | - | 1 |
| contains tool | - | 1 | - | - | 1 |
| contains ware | - | 1 | - | - | 1 |
| contains IDS | - | 1 | - | - | 1 |
| contains IPS | - | 1 | - | - | 1 |
| contains anomal | - | 1 | - | - | 1 |
| contains auth | - | 1 | - | - | 1 |
| contains behavior | - | 1 | - | - | 1 |
| contains data | - | 1 | - | - | 1 |
| contains deception | - | 1 | - | - | 1 |
| contains denial | - | 1 | - | - | 1 |
| contains detonation | - | 1 | - | - | 1 |
| contains dns | - | 1 | - | - | 1 |
| contains dynamic | - | 1 | - | - | 1 |
| contains email | - | 1 | - | - | 1 |
| contains exfil | - | 1 | - | - | 1 |
| contains fusion | - | 1 | - | - | 1 |
| contains honeytoken | - | 1 | - | - | 1 |
| contains intrusion | - | 1 | - | - | 1 |
| contains learning | - | 1 | - | - | 1 |
| contains login | - | 1 | - | - | 1 |
| contains loss | - | 1 | - | - | 1 |
| contains mal | - | 1 | - | - | 1 |
| contains malware | - | 1 | - | - | 1 |
| contains password | - | 1 | - | - | 1 |
| contains phish | - | 1 | - | - | 1 |
| contains sand | - | 1 | - | - | 1 |
| contains url | - | 1 | - | - | 1 |