Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection
| Attribute | Value |
|---|---|
| Category | MDE |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountSid | string | Security identifier (SID) of the account. |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| CreatedProcessSessionId | long | Windows session ID of the created process. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| FileName | string | Domain of the account. |
| FileOriginIP | string | IP address where the file was downloaded from. |
| FileOriginUrl | string | URL where the file was downloaded from. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Domain of the account. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessFileSize | long | Size in bytes of the file that ran the process responsible for the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId | long | Process ID (PID) of the process that initiated the event. |
| InitiatingProcessLogonId | long | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentId | long | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessRemoteSessionDeviceName | string | Device name of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessRemoteSessionIP | string | IP address of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessSessionId | long | Windows session ID of the initiating process. |
| InitiatingProcessSHA1 | string | SHA-1 hash of the process (image file) that initiated the event. |
| InitiatingProcessSHA256 | string | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
| InitiatingProcessUniqueId | string | Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices. |
| InitiatingProcessVersionInfoCompanyName | string | Company name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoFileDescription | string | Description from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoInternalFileName | string | Internal file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoOriginalFileName | string | Original file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductName | string | Product name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductVersion | string | Product version from the version information of the process (image file) responsible for the event. |
| IsInitiatingProcessRemoteSession | bool | Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| IsProcessRemoteSession | bool | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| LocalPort | int | TCP port on the local machine used during communication. |
| LogonId | long | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| ProcessCommandLine | string | Command line used to create the new process. |
| ProcessCreationTime | datetime | Date and time the process was created. |
| ProcessId | long | Process ID (PID) of the newly created process. |
| ProcessRemoteSessionDeviceName | string | Device name of the remote device from which the created process's RDP session was initiated. |
| ProcessRemoteSessionIP | string | IP address of the remote device from which the created process's RDP session was initiated. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteDeviceName | string | Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information.. |
| RemoteIP | string | IP address that was being connected to. |
| RemotePort | int | TCP port on the remote device that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 hash of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time the event was recorded by the MDE agent on the endpoint. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR |
In solution Endpoint Threat Protection Essentials: ActionType == "PowerShellCommand"
| Analytic Rule |
|---|
| Suspicious Powershell Commandlet Executed |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| Office ASR rule triggered from browser spawned office process. | ActionType contains "Office" |
| Suspicious Process Injection from Office application | ActionType in "CreateRemoteThreadApiCall,QueueUserApcRemoteApiCall,SetThreadContextRemoteApiCall"InitiatingProcessCommandLine !contains "/dde"InitiatingProcessCommandLine has_any ".doc"InitiatingProcessCommandLine has_any ".docx"InitiatingProcessFileName in "excel.exe,powerpnt.exe,winword.exe" |
| Suspicious named pipes | ActionType == "NamedPipeEvent" |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in DeviceEvents |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Terminated employee exfiltration to USB drive |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| C2-NamedPipe | ActionType == "NamedPipeEvent" |
| Deimos Component Execution | ActionType == "AmsiScriptContent"AdditionalFields endswith "[mArS.deiMos]::inteRaCt()"InitiatingProcessFileName == "powershell.exe" |
| Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 | |
| Files Copied to USB Drives | |
| Local Admin Group Changes | ActionType == "UserAccountAddedToLocalGroup"ActionType contains "UserAccountCreated"ActionType contains "UserAccountModified" |
| Possible Phishing with CSL and Network Sessions | |
| SUNSPOT malware hashes | |
| TEARDROP memory-only dropper | ActionType has "ExploitGuardNonMicrosoftSignedBlocked"InitiatingProcessFileName has "svchost.exe" |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 |
In solution Endpoint Threat Protection Essentials: ActionType == "PowerShellCommand"
| Hunting Query |
|---|
| Suspicious Powershell Commandlet Execution |
In solution Microsoft Business Applications:
| Hunting Query | Selection Criteria |
|---|---|
| Dataverse - Dataverse export copied to USB devices |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous Payload Delivered from ISO files | RemoteUrl !startswith "C:"RemoteUrl endswith ".lnk" |
| C2-NamedPipe | ActionType == "NamedPipeEvent" |
| Deimos Component Execution | ActionType == "AmsiScriptContent"AdditionalFields endswith "[mArS.deiMos]::inteRaCt()"InitiatingProcessFileName == "powershell.exe" |
| Files Copied to USB Drives | |
| LemonDuck Registration Function | ActionType == "PowerShellCommand"AdditionalFields == "{\" |
| Local Admin Group Changes | ActionType == "UserAccountAddedToLocalGroup"ActionType contains "UserAccountCreated"ActionType contains "UserAccountModified" |
| Scheduled Task Creation | ActionType == "ScheduledTaskCreated"InitiatingProcessAccountSid != "S-1-5-18" |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation |
In solution CybersecurityMaturityModelCertification(CMMC)2.0: ActionType in "Add member to role,Add user,FileCreated,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user,UsbDriveMounted"
| Workbook |
|---|
| CybersecurityMaturityModelCertification_CMMCV2 |
In solution Microsoft Defender XDR: ActionType in "AntivirusDetection,FileCreated,PnpDeviceConnected,UsbDriveMounted"ActionType endswith "Audited"ActionType endswith "Blocked"ActionType startswith "Asr"
| Workbook |
|---|
| MicrosoftDefenderForEndPoint |
In solution SOC Handbook: ActionType startswith "Asr"
| Workbook |
|---|
| AttackSurfaceReduction |
References by type: 0 connectors, 18 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
ActionType == "NamedPipeEvent" |
- | 3 | - | - | 3 |
ActionType == "PowerShellCommand" |
- | 2 | - | - | 2 |
ActionType == "UserAccountAddedToLocalGroup"ActionType contains "UserAccountCreated"ActionType contains "UserAccountModified" |
- | 2 | - | - | 2 |
ActionType == "AmsiScriptContent"AdditionalFields endswith "[mArS.deiMos]::inteRaCt()"InitiatingProcessFileName == "powershell.exe" |
- | 2 | - | - | 2 |
ActionType contains "Office" |
- | 1 | - | - | 1 |
ActionType in "CreateRemoteThreadApiCall,QueueUserApcRemoteApiCall,SetThreadContextRemoteApiCall"InitiatingProcessCommandLine !contains "/dde"InitiatingProcessCommandLine has_any ".doc"InitiatingProcessCommandLine has_any ".docx"InitiatingProcessFileName in "excel.exe,powerpnt.exe,winword.exe" |
- | 1 | - | - | 1 |
ActionType has "ExploitGuardNonMicrosoftSignedBlocked"InitiatingProcessFileName has "svchost.exe" |
- | 1 | - | - | 1 |
RemoteUrl !startswith "C:"RemoteUrl endswith ".lnk" |
- | 1 | - | - | 1 |
ActionType == "ScheduledTaskCreated"InitiatingProcessAccountSid != "S-1-5-18" |
- | 1 | - | - | 1 |
ActionType == "PowerShellCommand"AdditionalFields == "{\" |
- | 1 | - | - | 1 |
ActionType in "Add member to role,Add user,FileCreated,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user,UsbDriveMounted" |
- | 1 | - | - | 1 |
ActionType in "AntivirusDetection,FileCreated,PnpDeviceConnected,UsbDriveMounted"ActionType endswith "Audited"ActionType endswith "Blocked"ActionType startswith "Asr" |
- | 1 | - | - | 1 |
ActionType startswith "Asr" |
- | 1 | - | - | 1 |
| Total | 0 | 18 | 0 | 0 | 18 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
PowerShellCommand |
- | 3 | - | - | 3 |
NamedPipeEvent |
- | 3 | - | - | 3 |
UserAccountAddedToLocalGroup |
- | 2 | - | - | 2 |
contains UserAccountCreated |
- | 2 | - | - | 2 |
contains UserAccountModified |
- | 2 | - | - | 2 |
AmsiScriptContent |
- | 2 | - | - | 2 |
FileCreated |
- | 2 | - | - | 2 |
UsbDriveMounted |
- | 2 | - | - | 2 |
startswith Asr |
- | 2 | - | - | 2 |
contains Office |
- | 1 | - | - | 1 |
CreateRemoteThreadApiCall |
- | 1 | - | - | 1 |
QueueUserApcRemoteApiCall |
- | 1 | - | - | 1 |
SetThreadContextRemoteApiCall |
- | 1 | - | - | 1 |
has ExploitGuardNonMicrosoftSignedBlocked |
- | 1 | - | - | 1 |
ScheduledTaskCreated |
- | 1 | - | - | 1 |
Add member to role |
- | 1 | - | - | 1 |
Add user |
- | 1 | - | - | 1 |
InteractiveLogon |
- | 1 | - | - | 1 |
RemoteInteractiveLogon |
- | 1 | - | - | 1 |
Reset user password |
- | 1 | - | - | 1 |
ResourceAccess |
- | 1 | - | - | 1 |
Sign-in |
- | 1 | - | - | 1 |
Update user |
- | 1 | - | - | 1 |
AntivirusDetection |
- | 1 | - | - | 1 |
PnpDeviceConnected |
- | 1 | - | - | 1 |
endswith Audited |
- | 1 | - | - | 1 |
endswith Blocked |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
endswith [mArS.deiMos]::inteRaCt() |
- | 2 | - | - | 2 |
{\ |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!= S-1-5-18 |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!contains /dde |
- | 1 | - | - | 1 |
has_any .doc |
- | 1 | - | - | 1 |
has_any .docx |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
powershell.exe |
- | 2 | - | - | 2 |
excel.exe |
- | 1 | - | - | 1 |
powerpnt.exe |
- | 1 | - | - | 1 |
winword.exe |
- | 1 | - | - | 1 |
has svchost.exe |
- | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!startswith C: |
- | 1 | - | - | 1 |
endswith .lnk |
- | 1 | - | - | 1 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊