BehaviorAnalytics

Reference for BehaviorAnalytics table in Azure Monitor Logs.

Category: Internal
Basic Logs Eligible: No
Supports Transformations: Yes
Ingestion API Supported: No
Azure Monitor Tables Reference: View Documentation

Schema (33 columns)

Source: Azure Monitor documentation

Column Name Type Description
_BilledSize real The record size in bytes
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account
_ResourceId string A unique identifier for the resource that the record is associated with
_SubscriptionId string A unique identifier for the subscription that the record is associated with
ActionType string The specific type of action that triggered the event.
ActivityInsights dynamic Activity and behavioral insights.
ActivityType string The activity type that triggered the event.
ActorName string The name of the user initiating the action that generated the event.
ActorPrincipalName string The principal name of the user initiating the action that generated the event.
DestinationDevice string The hostname of the destination device.
DestinationIPAddress string The destination IP address.
DestinationIPLocation string The destination Geo location based on the IP address.
Device string The name of the device on which the event occurred or which reported the event, depending on the schema.
DevicesInsights dynamic Devices metadata and insights.
EventProductVersion string The version of the product generating the event.
EventSource string Data source for this event.
EventVendor string The vendor of the product generating the event.
InvestigationPriority int Investigation priority score.
NativeTableName string The original table from which the record was fetched.
SourceDevice string The hostname of the source device.
SourceIPAddress string The source IP address.
SourceIPLocation string The source Geo location based on the IP address.
SourceRecordId string The unique Id of the source raw event.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics
TargetName string The name of the target user in the action that generated the event.
TargetPrincipalName string The name of the target user in the action that generated the event.
TenantId string The Log Analytics workspace ID
TimeGenerated datetime Time when the raw event was generated (UTC).
TimeProcessed datetime Time when enrichment processing occurred (UTC).
Type string The name of the table
UserName string User name of the account.
UserPrincipalName string User principal name of the account.
UsersInsights dynamic Users metadata and insights.

Solutions (13)

This table is used by the following solutions:


Content Items Using This Table (57)

Analytic Rules (7)

In solution Microsoft Entra ID:

Analytic Rule Selection Criteria
MFA Rejected by User
Sign-ins from IPs that attempt sign-ins to disabled accounts
Successful logon from IP and failure from a different IP
Suspicious Sign In Followed by MFA Modification
User Accounts - Sign in Failure due to CA Spikes

Standalone Content:

Analytic Rule Selection Criteria
Azure VM Run Command operation executed during suspicious login window
Suspicious Sign In by Entra ID Connect Sync Account

Hunting Queries (36)

In solution Business Email Compromise - Financial Fraud:

Hunting Query Selection Criteria
Login attempts using Legacy Auth
Risky Sign-in with new MFA method
Successful Signin From Non-Compliant Device
User Accounts - New Single Factor Auth
User Login IP Address Teleportation

In solution Cloud Identity Threat Protection Essentials:

Hunting Query Selection Criteria
Sign-ins From VPS Providers
Sign-ins from Nord VPN Providers
Suspicious Sign-ins to Privileged Account

In solution MicrosoftPurviewInsiderRiskManagement:

Hunting Query Selection Criteria
Insider Risk_ISP Anomaly to Exfil
Insider Risk_Multiple Entity-Based Anomalies

In solution UEBA Essentials:

Hunting Query Selection Criteria
Anomalies on users tagged as VIP
Anomalous AWS Console Login Without MFA from Uncommon Country
Anomalous Activity Role Assignment
Anomalous Code Execution on a Virtual Machine
Anomalous Database Export Activity
Anomalous Database Vulnerability Baseline Removal
Anomalous Failed Logon
Anomalous First-Time Device Logon
Anomalous GCP IAM Activity
Anomalous Geo Location Logon
Anomalous Key Vault Modification by High-Privilege User
Anomalous Microsoft Entra ID Account Creation
Anomalous Okta First-Time or Uncommon Actions
Anomalous Password Reset
Anomalous RDP Activity
Anomalous Resource Access
Anomalous Sign-in by New or Dormant Account
Anomalous action performed in tenant by privileged user
Anomalous connection from highly privileged user
Anomalous login activity originated from Botnet, Tor proxy or C2
Dormant Local Admin Logon
Dormant account activity from uncommon country

Standalone Content:

Hunting Query Selection Criteria
Inactive or new account signins
Login attempt by Blocked MFA user

GitHub Only:

Hunting Query Selection Criteria
Dormant User Update MFA and Logs In - UEBA
Privileged Account Password Changes

Workbooks (14)

In solution AzureSecurityBenchmark:

Workbook Selection Criteria
AzureSecurityBenchmark

In solution CybersecurityMaturityModelCertification(CMMC)2.0:

Workbook Selection Criteria
CybersecurityMaturityModelCertification_CMMCV2

In solution DPDP Compliance:

Workbook Selection Criteria
DPDPCompliance

In solution GDPR Compliance & Data Security:

Workbook Selection Criteria
GDPRComplianceAndDataSecurity

In solution MaturityModelForEventLogManagementM2131:

Workbook Selection Criteria
MaturityModelForEventLogManagement_M2131

In solution MicrosoftPurviewInsiderRiskManagement:

Workbook Selection Criteria
InsiderRiskManagement

In solution SOC Handbook:

Workbook Selection Criteria
InvestigationInsights

In solution ZeroTrust(TIC3.0):

Workbook Selection Criteria
ZeroTrustTIC3

GitHub Only:

Workbook Selection Criteria
DoDZeroTrustWorkbook
InvestigationInsights
MicrosoftSentinelDeploymentandMigrationTracker
SolarWindsPostCompromiseHunting
User_Analytics_Workbook
ZeroTrustStrategyWorkbook