Authentication events on Active Directory and Microsoft online services
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes (source) |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| AccountDisplayName | string | Name of the account user displayed in the address book |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | dynamic | Additional information about the entity or event |
| Application | string | Application that performed the recorded action |
| DestinationDeviceName | string | Name of the device running the server application that processed the recorded action |
| DestinationIPAddress | string | IP address of the device running the server application that processed the recorded action |
| DestinationPort | string | Destination port of related network communications |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| DeviceType | string | Type of device |
| FailureReason | string | Information explaining why the recorded action failed |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| ISP | string | Internet service provider (ISP) associated with the endpoint IP address |
| LastSeenForUser | dynamic | Number of days since each statistical feature for the user was last seen |
| Location | string | City, country, or other geographic location associated with the event |
| LogonType | string | Type of logon session |
| OSPlatform | string | Platform of the operating system running on the machine |
| Port | string | TCP port used during communication |
| Protocol | string | Network protocol used |
| ReportId | string | Unique identifier for the event |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TargetAccountDisplayName | string | Display name of the account that the recorded action was applied to |
| TargetDeviceName | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
| UncommonForUser | dynamic | List of features observed to be statistically uncommon for the user that performed the activity |
This table is used by the following solutions:
| Solution |
|---|
| Microsoft Defender XDR |
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| *(no connectors reference this table)* | - |
This table is referenced by the following content items:
| Content Item | Type | Solution | Selection Criteria |
|---|---|---|---|
| Detect Potential Kerberoast Activities | Analytic Rule | Microsoft Defender XDR | ActionType == "LogonSuccess", Protocol == "Kerberos" |
| Detect Potential kerberoast Activities | Hunting Query | Microsoft Defender XDR | ActionType == "LogonSuccess", Protocol == "Kerberos" |
| MicrosoftDefenderForIdentity | Workbook | Microsoft Defender XDR | LogonType in "Credentials validation,Resource access" |
References by type: 0 connectors, 3 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "LogonSuccess", Protocol == "Kerberos" | - | 2 | - | - | 2 |
| LogonType in "Credentials validation,Resource access" | - | 1 | - | - | 1 |
| Total | 0 | 3 | 0 | 0 | 3 |
| ActionType Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| LogonSuccess | - | 2 | - | - | 2 |
| LogonType Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Credentials validation | - | 1 | - | - | 1 |
| Resource access | - | 1 | - | - | 1 |
| Protocol Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Kerberos | - | 2 | - | - | 2 |