Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AlertId | string | Unique identifier for the alert. |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert. |
| Category | string | Type of threat indicator or breach activity identified by the alert. |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
| ServiceSource | string | Product or service that provided the alert information. |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Title | string | Title of the alert. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Potential Ransomware activity related to Cobalt Strike | Title in "An active \,Echo command over pipe on localhost,Event log was cleared,File backups were deleted,Known attack framework activity was observed,Suspicious \,Suspicious decoded content,Suspicious process launch by Rundll32.exe,\,behavior was prevented,malware was detected" |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Alerts Related to Log4j Vulnerability | Title == "Suspicious script launched" |
| Devices with Log4j vulnerability alerts and additional other alert related context | |
| Microsoft Teams chat initiated by a suspicious external user | Title == "Microsoft Teams chat initiated by a suspicious external user" |
| Potential Ransomware activity related to Cobalt Strike | Title in "An active \,Echo command over pipe on localhost,Event log was cleared,File backups were deleted,Known attack framework activity was observed,Suspicious \,Suspicious decoded content,Suspicious process launch by Rundll32.exe,\,behavior was prevented,malware was detected" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| URL click on ZAP email | Title contains "Email messages containing malicious URL removed after delivery" |
| URLClick details based on malicious URL click alert | Title contains "Potentially malicious" |
References by type: 0 connectors, 6 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Title in "An active \,Echo command over pipe on localhost,Event log was cleared,File backups were deleted,Known attack framework activity was observed,Suspicious \,Suspicious decoded content,Suspicious process launch by Rundll32.exe,\,behavior was prevented,malware was detected" | - | 2 | - | - | 2 |
| Title == "Microsoft Teams chat initiated by a suspicious external user" | - | 1 | - | - | 1 |
| Title contains "Email messages containing malicious URL removed after delivery" | - | 1 | - | - | 1 |
| Title contains "Potentially malicious" | - | 1 | - | - | 1 |
| Title == "Suspicious script launched" | - | 1 | - | - | 1 |
| Total | 0 | 6 | 0 | 0 | 6 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| An active \ | - | 2 | - | - | 2 |
| Echo command over pipe on localhost | - | 2 | - | - | 2 |
| Event log was cleared | - | 2 | - | - | 2 |
| File backups were deleted | - | 2 | - | - | 2 |
| Known attack framework activity was observed | - | 2 | - | - | 2 |
| Suspicious \ | - | 2 | - | - | 2 |
| Suspicious decoded content | - | 2 | - | - | 2 |
| Suspicious process launch by Rundll32.exe | - | 2 | - | - | 2 |
| \ | - | 2 | - | - | 2 |
| behavior was prevented | - | 2 | - | - | 2 |
| malware was detected | - | 2 | - | - | 2 |
| Microsoft Teams chat initiated by a suspicious external user | - | 1 | - | - | 1 |
| contains Email messages containing malicious URL removed after delivery | - | 1 | - | - | 1 |
| contains Potentially malicious | - | 1 | - | - | 1 |
| Suspicious script launched | - | 1 | - | - | 1 |