SecurityAlert



Reference for SecurityAlert table in Azure Monitor Logs.

Category: Internal
Basic Logs Eligible: No
Supports Transformations: Yes
Ingestion API Supported: No
Azure Monitor Tables Reference: View Documentation


Schema (35 columns)

Source: Azure Monitor documentation

Column Name Type Description
_BilledSize real The record size in bytes
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account
AlertLink string
AlertName string
AlertSeverity string
AlertType string
CompromisedEntity string
ConfidenceLevel string
ConfidenceScore real
Description string
DisplayName string
EndTime datetime
Entities string
ExtendedLinks string
ExtendedProperties string
IsIncident bool
ProcessingEndTime datetime
ProductComponentName string
ProductName string
ProviderName string
RemediationSteps string
ResourceId string
SourceComputerId string
StartTime datetime
Status string
SubTechniques string
SystemAlertId string
Tactics string
Techniques string
TimeGenerated datetime
Type string The name of the table
VendorName string
VendorOriginalId string
WorkspaceResourceGroup string
WorkspaceSubscriptionId string

Additional Information

📖 Related Documentation: Security alert schema reference - Describes the SecurityAlert table schema and field definitions

Solutions (52)

This table is used by the following solutions:

Connectors (10)

This table is ingested by the following connectors:

Connector Selection Criteria
Microsoft Entra ID Protection
Microsoft Defender for Identity
Subscription-based Microsoft Defender for Cloud (Legacy)
Microsoft Defender for IoT
Microsoft Defender for Cloud Apps
Microsoft Defender for Endpoint
Tenant-based Microsoft Defender for Cloud
Microsoft Defender XDR
Microsoft Defender for Office 365 (Preview)
Microsoft 365 Insider Risk Management

Content Items Using This Table (177)

Analytic Rules (56)

In solution AzureDevOpsAuditing:

Analytic Rule Selection Criteria
Azure DevOps Pipeline modified by a new user

In solution Dragos:

Analytic Rule Selection Criteria
Dragos Notifications

In solution IoTOTThreatMonitoringwithDefenderforIoT:

Analytic Rule Selection Criteria
Denial of Service (Microsoft Defender for IoT)
Excessive Login Attempts (Microsoft Defender for IoT)
Firmware Updates (Microsoft Defender for IoT)
High bandwidth in the network (Microsoft Defender for IoT)
Illegal Function Codes for ICS traffic (Microsoft Defender for IoT)
Internet Access (Microsoft Defender for IoT)
Multiple scans in the network (Microsoft Defender for IoT)
No traffic on Sensor Detected (Microsoft Defender for IoT)
PLC Stop Command (Microsoft Defender for IoT)
PLC unsecure key state (Microsoft Defender for IoT)
Suspicious malware found in the network (Microsoft Defender for IoT)
Unauthorized DHCP configuration in the network (Microsoft Defender for IoT)
Unauthorized PLC changes (Microsoft Defender for IoT)
Unauthorized device in the network (Microsoft Defender for IoT)
Unauthorized remote access to the network (Microsoft Defender for IoT)

In solution Microsoft Business Applications:

Analytic Rule Selection Criteria
Dataverse - Guest user exfiltration following Power Platform defense impairment
Dataverse - Suspicious use of TDS endpoint
Dataverse - Terminated employee exfiltration over email
Power Apps - Multiple users access a malicious link after launching new app

In solution Microsoft Defender XDR:

Analytic Rule Selection Criteria
AV detections related to SpringShell Vulnerability
AV detections related to Tarrask malware
AV detections related to Ukraine threats

In solution Microsoft Defender for Cloud:

Analytic Rule Selection Criteria
Detect CoreBackUp Deletion Activity from related Security Alerts

In solution Microsoft Defender for Cloud Apps:

Analytic Rule Selection Criteria
Linked Malicious Storage Artifacts

In solution Microsoft Entra ID Protection:

Analytic Rule Selection Criteria
Correlate Unfamiliar sign-in properties & atypical travel alerts

In solution MicrosoftDefenderForEndpoint:

Analytic Rule Selection Criteria
Aqua Blizzard AV hits - Feb 2022

In solution MicrosoftPurviewInsiderRiskManagement:

Analytic Rule Selection Criteria
Insider Risk_High User Security Alert Correlations
Insider Risk_Microsoft Purview Insider Risk Management Alert Observed

In solution Multi Cloud Attack Coverage Essentials - Resource Abuse:

Analytic Rule Selection Criteria
Cross-Cloud Suspicious user activity observed in GCP Envourment
Successful AWS Console Login from IP Address Observed Conducting Password Spray
Suspicious AWS console logins by credential access alerts
User impersonation by Identity Protection alerts

In solution Threat Intelligence:

Analytic Rule Selection Criteria
TI Map URL Entity to SecurityAlert Data
TI map Domain entity to SecurityAlert
TI map Email entity to SecurityAlert

In solution Threat Intelligence (NEW):

Analytic Rule Selection Criteria
TI Map URL Entity to SecurityAlert Data
TI map Domain entity to SecurityAlert
TI map Email entity to SecurityAlert

In solution Web Shells Threat Protection:

Analytic Rule Selection Criteria
Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts

In solution Zinc Open Source:

Analytic Rule Selection Criteria
AV detections related to Zinc actors

Standalone Content:

Analytic Rule Selection Criteria
AV detections related to Dev-0530 actors
AV detections related to Europium actors
AV detections related to Hive Ransomware
Detecting Impossible travel with mailbox permission tampering & Privilege Escalation attempt
Dev-0228 File Path Hashes November 2021
Dev-0228 File Path Hashes November 2021 (ASIM Version)
M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity
Mass Download & copy to USB device by single user
Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
Phishing link click observed in Network Traffic
Prestige ransomware IOCs Oct 2022
Solorigate Defender Detections
Workspace deletion activity from an infected device

GitHub Only:

Analytic Rule Selection Criteria
Suspicious VM Instance Creation Activity Detected

Hunting Queries (31)

In solution AzureDevOpsAuditing:

Hunting Query Selection Criteria
Azure DevOps - New Package Feed Created
Azure DevOps - New Release Pipeline Created

In solution Cloud Identity Threat Protection Essentials:

Hunting Query Selection Criteria
Application Granted EWS Permissions

In solution Legacy IOC based Threat Protection:

Hunting Query Selection Criteria
Dev-0056 Command Line Activity November 2021
Dev-0322 Command Line Activity November 2021
Dev-0322 Command Line Activity November 2021 (ASIM Version)
Dev-0322 File Drop Activity November 2021
Dev-0322 File Drop Activity November 2021 (ASIM Version)
Nylon Typhoon Command Line Activity November 2021
Retrospective hunt for Forest Blizzard IP IOCs

In solution Microsoft Business Applications:

Hunting Query Selection Criteria
Dataverse - Activity after Microsoft Entra alerts

In solution MicrosoftPurviewInsiderRiskManagement:

Hunting Query Selection Criteria
Insider Risk_Entity Anomaly Followed by IRM Alert
Insider Risk_ISP Anomaly to Exfil
Insider Risk_Possible Sabotage

Standalone Content:

Hunting Query Selection Criteria
Alerts On Host
Alerts related to File
Alerts related to IP
Tracking Privileged Account Rare Activity
Web shell command alert enrichment
Web shell file alert enrichment

GitHub Only:

Hunting Query Selection Criteria
Alerts With This Process
Alerts related to account
BitLocker Key Retrieval
Dev-0056 Command Line Activity November 2021 (ASIM Version)
Exchange Servers and Associated Security Alerts
Integrate Purview with Cloud App Events
Recon Activity with Interactive Logon Correlation
SQL Alert Correlation with CommonSecurityLogs and AuditLogs
Storage Alert Correlation with CommonSecurityLogs and StorageLogs
Storage Alerts Correlation with CommonSecurityLogs & AuditLogs
Unfamiliar Signin Correlation with AzurePortal Signin Attempts and AuditLogs

Workbooks (72)

In solution Apache Log4j Vulnerability Detection:

Workbook Selection Criteria
Log4jImpactAssessment

In solution Azure Key Vault:

Workbook Selection Criteria
AzureKeyVaultWorkbook

In solution Azure SQL Database solution for sentinel:

Workbook Selection Criteria
Workbook-AzureSQLSecurity

In solution Azure kubernetes Service:

Workbook Selection Criteria
AksSecurity

In solution AzureSecurityBenchmark:

Workbook Selection Criteria
AzureSecurityBenchmark

In solution Censys:

Workbook Selection Criteria
Censys

In solution ContinuousDiagnostics&Mitigation:

Workbook Selection Criteria
ContinuousDiagnostics&Mitigation

In solution CybersecurityMaturityModelCertification(CMMC)2.0:

Workbook Selection Criteria
CybersecurityMaturityModelCertification_CMMCV2

In solution DNS Essentials:

Workbook Selection Criteria
DNSSolutionWorkbook

In solution DORA Compliance:

Workbook Selection Criteria
DORACompliance

In solution DPDP Compliance:

Workbook Selection Criteria
DPDPCompliance

In solution ExtraHop:

Workbook Selection Criteria
ExtraHopDetectionsOverview

In solution GDPR Compliance & Data Security:

Workbook Selection Criteria
GDPRComplianceAndDataSecurity

In solution GreyNoiseThreatIntelligence:

Workbook Selection Criteria
GreyNoiseOverview

In solution HIPAA Compliance:

Workbook Selection Criteria
HIPAACompliance

In solution Infoblox:

Workbook Selection Criteria
Infoblox_Lookup_Workbook
Infoblox_Workbook

In solution Infoblox SOC Insights:

Workbook Selection Criteria
InfobloxSOCInsightsWorkbook

In solution Lumen Defender Threat Feed:

Workbook Selection Criteria
Lumen-Threat-Feed-Overview

In solution MaturityModelForEventLogManagementM2131:

Workbook Selection Criteria
MaturityModelForEventLogManagement_M2131

In solution Microsoft Defender Threat Intelligence:

Workbook Selection Criteria
MicrosoftThreatIntelligence

In solution Microsoft Defender XDR:

Workbook Selection Criteria
MicrosoftDefenderForIdentity
MicrosoftDefenderForOffice365detectionsandinsights

In solution Microsoft Defender for Cloud Apps:

Workbook Selection Criteria
MicrosoftCloudAppSecurity

In solution MicrosoftPurviewInsiderRiskManagement:

Workbook Selection Criteria
InsiderRiskManagement

In solution NISTSP80053:

Workbook Selection Criteria
NISTSP80053

In solution Network Session Essentials:

Workbook Selection Criteria
NetworkSessionEssentials
NetworkSessionEssentialsV2

In solution ReversingLabs:

Workbook Selection Criteria
ReversingLabs-CapabilitiesOverview

In solution SAP BTP:

Workbook Selection Criteria
SAPBTPActivity

In solution SOC Handbook:

Workbook Selection Criteria
AnalyticsEfficiency
AnomalyData
AzureSentinelSecurityAlerts
IncidentOverview
IntsightsIOCWorkbook
InvestigationInsights
MITREAttack
SentinelCentral

In solution Threat Intelligence:

Workbook Selection Criteria
ThreatIntelligence

In solution Threat Intelligence (NEW):

Workbook Selection Criteria
ThreatIntelligenceNew

In solution ThreatAnalysis&Response:

Workbook Selection Criteria
DynamicThreatModeling&Response
ThreatAnalysis&Response

In solution ThreatConnect:

Workbook Selection Criteria
ThreatConnectOverview

In solution Web Session Essentials:

Workbook Selection Criteria
WebSessionEssentials

In solution ZeroTrust(TIC3.0):

Workbook Selection Criteria
ZeroTrustTIC3

GitHub Only:

Workbook Selection Criteria
ASC-ComplianceandProtection
AdvancedWorkbookConcepts
AksSecurity
AnalyticsEfficiency
AnomalyData
AzureKeyVaultWorkbook
AzureSentinelSecurityAlerts
DSTIMWorkbook
DoDZeroTrustWorkbook
ExchangeCompromiseHunting
IOT_Alerts
IntsightsIOCWorkbook
InvestigationInsights
MITREAttack
MicrosoftCloudAppSecurity
MicrosoftSentinelDeploymentandMigrationTracker
OptimizationWorkbook
PhishingAnalysis
SentinelWorkspaceReconTools
Sentinel_Central
SolarWindsPostCompromiseHunting
ThreatIntelligence
UserEntityBehaviorAnalytics
VisualizationDemo
WorkspaceUsage
ZeroTrustStrategyWorkbook
microsoftdefenderforidentity

Parsers Using This Table (2)

Other Parsers (2)

Parser Solution Selection Criteria
DragosNotificationsToSentinel Dragos
DragosPullNotificationsToSentinel Dragos

Resource Types

This table collects data from the following Azure resource types:

