Reference for BehaviorAnalytics table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✗ No (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| ActionType | string | The specific type of action that triggered the event. |
| ActivityInsights | dynamic | Activity and behavioral insights. |
| ActivityType | string | The activity type that triggered the event. |
| ActorName | string | The name of the user initiating the action that generated the event. |
| ActorPrincipalName | string | The principal name of the user initiating the action that generated the event. |
| DestinationDevice | string | The hostname of the destination device. |
| DestinationIPAddress | string | The destination IP address. |
| DestinationIPLocation | string | The destination Geo location based on the IP address. |
| Device | string | The name of the device on which the event occurred or which reported the event, depending on the schema. |
| DevicesInsights | dynamic | Devices metadata and insights. |
| EventProductVersion | string | The version of the product generating the event. |
| EventSource | string | Data source for this event. |
| EventVendor | string | The vendor of the product generating the event. |
| InvestigationPriority | int | Investigation priority score. |
| NativeTableName | string | The original table from which the record was fetched. |
| SourceDevice | string | The hostname of the source device. |
| SourceIPAddress | string | The source IP address. |
| SourceIPLocation | string | The source Geo location based on the IP address. |
| SourceRecordId | string | The unique Id of the source raw event. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TargetName | string | The name of the target user in the action that generated the event. |
| TargetPrincipalName | string | The name of the target user in the action that generated the event. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when the raw event was generated (UTC). |
| TimeProcessed | datetime | Time when enrichment processing occurred (UTC). |
| Type | string | The name of the table |
| UserName | string | User name of the account. |
| UserPrincipalName | string | User principal name of the account. |
| UsersInsights | dynamic | Users metadata and insights. |
This table is used by the following solutions:
In solution Microsoft Entra ID:
| Analytic Rule | Selection Criteria |
|---|---|
| MFA Rejected by User | ActivityType in "FailedLogOn,LogOn" |
| Sign-ins from IPs that attempt sign-ins to disabled accounts | ActivityType in "FailedLogOn,LogOn"; EventSource == "Azure AD" |
| Successful logon from IP and failure from a different IP | ActivityType in "FailedLogOn,LogOn" |
| Suspicious Sign In Followed by MFA Modification | |
| User Accounts - Sign in Failure due to CA Spikes | ActivityType in "FailedLogOn,LogOn" |
In solution Business Email Compromise - Financial Fraud:
| Hunting Query | Selection Criteria |
|---|---|
| Login attempts using Legacy Auth | ActivityType in "FailedLogOn,LogOn" |
| Risky Sign-in with new MFA method | ActivityType in "FailedLogOn,LogOn" |
| Successful Signin From Non-Compliant Device | ActivityType in "FailedLogOn,LogOn" |
| User Accounts - New Single Factor Auth | |
| User Login IP Address Teleportation | ActivityType in "FailedLogOn,LogOn" |
In solution Cloud Identity Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Sign-ins From VPS Providers | ActivityType in "FailedLogOn,LogOn" |
| Sign-ins from Nord VPN Providers | ActivityType in "FailedLogOn,LogOn" |
| Suspicious Sign-ins to Privileged Account | ActivityType in "FailedLogOn,LogOn" |
In solution MicrosoftPurviewInsiderRiskManagement:
| Hunting Query | Selection Criteria |
|---|---|
| Insider Risk_ISP Anomaly to Exfil | ActivityInsights contains "ISP" |
| Insider Risk_Multiple Entity-Based Anomalies | |
In solution UEBA Essentials:
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance | ActivityInsights has "True" |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity | ActivityInsights has "True" |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | ActivityInsights has "True"; ActivityType == "LogOn" |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
References by type: 0 connectors, 32 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActivityType in "FailedLogOn,LogOn" | - | 10 | - | - | 10 |
| ActivityInsights has "True" | - | 9 | - | - | 9 |
| ActivityInsights has "True"; ActivityType == "LogOn" | - | 4 | - | - | 4 |
| ActivityType in "FailedLogOn,LogOn"; EventSource == "Azure AD" | - | 1 | - | - | 1 |
| ActivityInsights contains "ISP" | - | 1 | - | - | 1 |
| ActivityType == "signin.amazonaws.com"; EventSource contains "aws" | - | 1 | - | - | 1 |
| ActivityType == "LogOn" | - | 1 | - | - | 1 |
| EventSource == "MDE DeviceLogonEvents" | - | 1 | - | - | 1 |
| ActivityType contains "IAM"; EventSource == "GCP Audit Logs" | - | 1 | - | - | 1 |
| EventSource == "Okta_CL" | - | 1 | - | - | 1 |
| ActivityInsights contains "True"; ActivityType in "FailedLogOn,LogOn" | - | 1 | - | - | 1 |
| ActivityType == "Administrative" | - | 1 | - | - | 1 |
| Total | 0 | 32 | 0 | 0 | 32 |
| ActivityInsights Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has True | - | 13 | - | - | 13 |
| contains ISP | - | 1 | - | - | 1 |
| contains True | - | 1 | - | - | 1 |
| ActivityType Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| LogOn | - | 17 | - | - | 17 |
| FailedLogOn | - | 12 | - | - | 12 |
| signin.amazonaws.com | - | 1 | - | - | 1 |
| contains IAM | - | 1 | - | - | 1 |
| Administrative | - | 1 | - | - | 1 |
| EventSource Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Azure AD | - | 1 | - | - | 1 |
| contains aws | - | 1 | - | - | 1 |
| MDE DeviceLogonEvents | - | 1 | - | - | 1 |
| GCP Audit Logs | - | 1 | - | - | 1 |
| Okta_CL | - | 1 | - | - | 1 |