Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AccountDisplayName | string | Name of the account user displayed in the address book |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountObjectId | string | Unique identifier for the account in Azure AD (now Microsoft Entra ID) |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | dynamic | Additional information about the entity or event |
| Application | string | Application that performed the recorded action |
| DestinationDeviceName | string | Name of the device running the server application that processed the recorded action |
| DestinationIPAddress | string | IP address of the device running the server application that processed the recorded action |
| DestinationPort | string | Destination port of related network communications |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| ISP | string | Internet service provider (ISP) associated with the endpoint IP address |
| Location | string | City, country, or other geographic location associated with the event |
| Port | string | TCP port used during communication |
| Protocol | string | Protocol used during the communication |
| ReportId | string | Unique identifier for the event |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TargetAccountDisplayName | string | Display name of the account that the recorded action was applied to |
| TargetAccountUpn | string | User principal name (UPN) of the account that the recorded action was applied to |
| TargetDeviceName | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
This table is used by the following solutions: Microsoft Defender XDR, SOX IT Compliance.
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | - |
The following content items query this table; the selection criteria column is the ActionType filter each item applies:
| Solution | Content Item | Content Type | Selection Criteria |
|---|---|---|---|
| Microsoft Defender XDR | SAM Name Change CVE-2021-42278 | Hunting Query | ActionType == "SAM Account Name changed" |
| Microsoft Defender XDR | MicrosoftDefenderForIdentity | Workbook | ActionType in "LogonFailed,LogonSuccess" |
| SOX IT Compliance | SOXITCompliance | Workbook | ActionType in "DirectoryRoleMembershipChanged,GroupMembershipChanged,PrivilegeEscalation,SensitiveAccountChanged,UserAccountControlChanged" |
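The three selection criteria above are only ActionType filters; the hunting query and workbooks then do something with the matching rows. The following Python is an added example, not code from this page, from Microsoft, or from the listed content items. It treats table rows as dicts keyed by the column names in this table, applies each content item's ActionType filter to a constructed batch of records, and then runs the kind of check a practitioner would build on each filtered set: a spray-then-success pattern over LogonFailed/LogonSuccess rows grouped by IPAddress, a CVE-2021-42278 precondition check (a computer account whose sAMAccountName loses its trailing `$` and now matches a domain controller's short name) over "SAM Account Name changed" rows, and a per-actor summary of the SOX privilege-change ActionTypes. The `OldName`/`NewName` keys inside AdditionalFields, the thresholds, and all sample records are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The three ActionType filters exactly as the content items on this page apply them.
SELECTION_CRITERIA = {
    "SAM Name Change CVE-2021-42278": {"SAM Account Name changed"},
    "MicrosoftDefenderForIdentity": {"LogonFailed", "LogonSuccess"},
    "SOXITCompliance": {"DirectoryRoleMembershipChanged", "GroupMembershipChanged",
                        "PrivilegeEscalation", "SensitiveAccountChanged",
                        "UserAccountControlChanged"},
}


def ev(ts, action, account, ip="10.0.0.5", **extra):
    """Build one constructed row using this table's column names (only the ones used below)."""
    rec = {"TimeGenerated": ts, "ActionType": action, "AccountName": account,
           "AccountDomain": "corp", "AccountUpn": f"{account}@corp.example",
           "IPAddress": ip, "DeviceName": "dc01.corp.example", "AdditionalFields": {}}
    rec.update(extra)
    return rec


# Constructed sample data (not real telemetry). Timestamps are UTC, as TimeGenerated is.
SAMPLE_EVENTS = [
    ev("2024-03-01T08:00:00Z", "LogonFailed", "alice", ip="10.9.8.7"),   # one source IP fails
    ev("2024-03-01T08:00:05Z", "LogonFailed", "bob", ip="10.9.8.7"),     # against several accounts
    ev("2024-03-01T08:00:09Z", "LogonFailed", "carol", ip="10.9.8.7"),
    ev("2024-03-01T08:00:14Z", "LogonSuccess", "dave", ip="10.9.8.7"),   # then gets in
    ev("2024-03-01T08:30:00Z", "LogonFailed", "erin", ip="10.1.1.20"),   # a single typo: benign
    ev("2024-03-01T08:30:07Z", "LogonSuccess", "erin", ip="10.1.1.20"),
    ev("2024-03-01T09:00:00Z", "GroupMembershipChanged", "helpdesk1",
       TargetAccountUpn="mallory@corp.example"),
    ev("2024-03-01T09:01:00Z", "UserAccountControlChanged", "helpdesk1",
       TargetAccountUpn="svc-backup@corp.example"),
    # AdditionalFields key names OldName/NewName are an assumption for this example.
    ev("2024-03-01T09:05:00Z", "SAM Account Name changed", "helpdesk1",
       TargetAccountUpn="ws01$@corp.example",
       AdditionalFields={"OldName": "WS01$", "NewName": "DC01"}),
    ev("2024-03-01T09:06:00Z", "SAM Account Name changed", "hr-admin",
       TargetAccountUpn="jsmith@corp.example",
       AdditionalFields={"OldName": "jsmith", "NewName": "john.smith"}),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def select(events, content_item):
    """Apply a content item's ActionType selection criteria to a batch of rows."""
    wanted = SELECTION_CRITERIA[content_item]
    return [e for e in events if e["ActionType"] in wanted]


def spray_then_success(events, min_failed_accounts=3, window=timedelta(minutes=10)):
    """Per IPAddress: LogonFailed against >= N distinct accounts, then a LogonSuccess within the window."""
    by_ip = defaultdict(list)
    for e in select(events, "MicrosoftDefenderForIdentity"):
        by_ip[e["IPAddress"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["TimeGenerated"]))
        first_failure = {}  # AccountName -> time of first LogonFailed from this IP
        for e in evs:
            t = parse_ts(e["TimeGenerated"])
            if e["ActionType"] == "LogonFailed":
                first_failure.setdefault(e["AccountName"], t)
            else:  # LogonSuccess: count the accounts that failed recently from the same IP
                recent = sorted(a for a, ft in first_failure.items() if t - ft <= window)
                if len(recent) >= min_failed_accounts:
                    hits.append({"IPAddress": ip, "Account": e["AccountName"],
                                 "FailedAccounts": recent, "SuccessAt": e["TimeGenerated"]})
    return hits


def sam_renames_dropping_dollar(events, dc_names=frozenset()):
    """CVE-2021-42278 precondition: a computer account (sAMAccountName ending in '$') renamed to a
    name without the '$'. MatchesDC flags the case where the new name equals a DC's short name."""
    dc_upper = {d.upper() for d in dc_names}
    hits = []
    for e in select(events, "SAM Name Change CVE-2021-42278"):
        old = e["AdditionalFields"].get("OldName", "")  # assumed key, see lead-in
        new = e["AdditionalFields"].get("NewName", "")  # assumed key, see lead-in
        if old.endswith("$") and not new.endswith("$"):
            hits.append({"Actor": e["AccountName"], "From": old, "To": new,
                         "MatchesDC": new.upper() in dc_upper})
    return hits


def privileged_changes_by_actor(events):
    """SOX-style audit view: which actor made which privilege-relevant change to which target."""
    out = defaultdict(list)
    for e in select(events, "SOXITCompliance"):
        out[e["AccountUpn"]].append((e["ActionType"], e.get("TargetAccountUpn", "")))
    return dict(out)


if __name__ == "__main__":
    print(spray_then_success(SAMPLE_EVENTS))
    print(sam_renames_dropping_dollar(SAMPLE_EVENTS, dc_names={"DC01"}))
    print(privileged_changes_by_actor(SAMPLE_EVENTS))
```

In production these checks would run as KQL against the workspace rather than in Python; the point here is that the ActionType filter is the cheap first cut, and the distinguishing logic (grouping by IPAddress within a time window, comparing the old and new name in AdditionalFields, pivoting on the acting and target accounts) is what turns the filtered rows into a finding.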
References by type: 0 connectors, 3 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "SAM Account Name changed" | - | 1 | - | - | 1 |
| ActionType in "LogonFailed,LogonSuccess" | - | 1 | - | - | 1 |
| ActionType in "DirectoryRoleMembershipChanged,GroupMembershipChanged,PrivilegeEscalation,SensitiveAccountChanged,UserAccountControlChanged" | - | 1 | - | - | 1 |
| Total | 0 | 3 | 0 | 0 | 3 |
Individual ActionType values referenced by the selection criteria above:
| ActionType Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SAM Account Name changed | - | 1 | - | - | 1 |
| LogonFailed | - | 1 | - | - | 1 |
| LogonSuccess | - | 1 | - | - | 1 |
| DirectoryRoleMembershipChanged | - | 1 | - | - | 1 |
| GroupMembershipChanged | - | 1 | - | - | 1 |
| PrivilegeEscalation | - | 1 | - | - | 1 |
| SensitiveAccountChanged | - | 1 | - | - | 1 |
| UserAccountControlChanged | - | 1 | - | - | 1 |