Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Reference for SecurityEvent table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Windows |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable isfalseingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AccessMask | string | Hexadecimal mask for the requested or performed operation. |
| Account | string | The Security context for services or users. |
| AccountDomain | string | Subject's domain or computer name. |
| AccountExpires | string | The date when the account expires. |
| AccountName | string | The name of the account that requested the "remove domain trust" operation. |
| AccountSessionIdentifier | string | A unique identifier that is generated by the machine when the session is created. |
| AccountType | string | Identifies whether the account is a computer account (machine) or a user's. |
| Activity | string | The descriptive title of the event occurred. |
| AdditionalInfo | string | Additional information that is provided by the source, which do not mapped to other fields, represented by list. |
| AdditionalInfo2 | string | Additional information that is provided by the source, which do not mapped to other fields, represented by list. |
| AllowedToDelegateTo | string | The list of SPNs to which this account can present delegated credentials. |
| Attributes | string | Additional information about the event. |
| AuditPolicyChanges | string | Events that are generated when changes are made to the system audit policy or audit settings on a file or registry key. |
| AuditsDiscarded | int | Number of audit messages that were discarded. |
| AuthenticationLevel | int | Number of audit messages that were discarded. |
| AuthenticationPackageName | string | the name of loaded Authentication Package. The format is: DLL_PATH_AND_NAME: AUTHENTICATION_PACKAGE_NAME. |
| AuthenticationProvider | string | The identity of the provider responsible for the authentication process (can include a certificate authority, a username, a password authentication system, etc). |
| AuthenticationServer | string | The server in which located the authentication provider. |
| AuthenticationService | int | The service in which located the authentication provider. |
| AuthenticationType | string | the type of authentication that was used for the event (two-factor authentication, biometric authentication, etc). |
| AzureDeploymentID | string | Azure deployment ID of the cloud service the log belongs to. |
| CACertificateHash | string | The hash value of the certificate authority's (CA) certificate that was used to authenticate the user who performed the event. |
| CalledStationID | string | Information about the ID of the station that initiated the action that led to the security event. |
| CallerProcessId | string | Hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| CallerProcessName | string | Full path and the name of the executable for the process. |
| CallingStationID | string | Information about the ID of the station that initiated the action that led to the security event. |
| CAPublicKeyHash | string | Hash value that identifies the public key of a certification authority (CA) that issued a certificate. |
| CategoryId | string | The category of the security event that occurred (login attempt, data breach, etc). |
| CertificateDatabaseHash | string | Hash value that identifies the database that issued a certificate. |
| Channel | string | The channel to which the event was logged. |
| ClassId | string | 'Class Guid' attribute of device. |
| ClassName | string | 'Class' attribute of device. |
| ClientAddress | string | IP address of the computer from which the TGT request was received. |
| ClientIPAddress | string | IP address of the computer that initiated the action that led to the event. |
| ClientName | string | computer name from which the user was reconnected. Has 'Unknown' value for console session. |
| CommandLine | string | The command line arguments that were passed to an application or process that was involved in the event. |
| CompatibleIds | string | 'Compatible Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details': |
| Computer | string | The name of the computer on which the event occurred. |
| Correlation | string | The activity identifiers that consumers can use to group related events together. |
| DCDNSName | string | The DNS name of the domain controller that was involved in the event. |
| DeviceDescription | string | the description of the device that was involved in the event. |
| DeviceId | string | The unique identifier of the device that was involved in the event. |
| DisplayName | string | It is a name, displayed in the address book for a particular account. This is usually the combination of the user's first name, middle initial, and last name. |
| Disposition | string | The event outcome/ resolution, such as whether the event was resolved or whether any action was taken in response to the event. |
| DomainBehaviorVersion | string | msDS-Behavior-Version domain attribute was modified. Numeric value. |
| DomainName | string | The name of removed trusted domain. |
| DomainPolicyChanged | string | Indicates whether any domain policies have been changed as part of the event (password policies, security policies, etc). |
| DomainSid | string | SID of the trust partner. This parameter might not be captured in the event, and in that case appears as 'NULL SID'. |
| EAPType | string | The type of Extensible Authentication Protocol (EAP) that was used for the event authentication process. |
| ElevatedToken | string | A 'Yes' or 'No' flag. If 'Yes', then the session this event represents is elevated and has administrator privileges. |
| ErrorCode | int | Contains error code for Failure events. For Success events this parameter has '0x0' value. |
| EventData | string | Event specific data associated with the event. |
| EventID | int | The identifier that the provider used to identify the event. |
| EventLevelName | string | The rendered message string of the level specified in the event. |
| EventRecordId | string | The record number assigned to the event when it was logged. |
| EventSourceName | string | The name of the software that logs the event (applicationor a succomponent). |
| ExtendedQuarantineState | string | The state of the network quarantine process, if applicable. Network quarantine is a process by which unauthorized devices are prevented from accessing a network until they meet certain security requirements or have been checked for malware. |
| FailureReason | string | textual explanation of Status field value. For this event, it typically has 'Account locked out' value. |
| FileHash | string | The hash value for any files that are were accessed or modified as part of the event, or any files that were used in the authentication or authorization process. |
| FilePath | string | Full path and filename of the key file on which the operation was performed. |
| FilePathNoUser | string | The path of any files that are related to the event, excluding the username or other user-specific information. |
| Filter | string | Filters that are used in the performed event. |
| ForceLogoff | string | '\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire' group policy. |
| Fqbn | string | The fully qualified binary name (FQBN) for any files that are related to the event. |
| FullyQualifiedSubjectMachineName | string | The fully qualified domain name (FQDN) of the machine that initiated the event. |
| FullyQualifiedSubjectUserName | string | The username of the user or service that initiated the event in FQDN format. |
| GroupMembership | string | The list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. |
| HandleId | string | Hexadecimal value of a handle to Object Name. This field can be used for correlation with other events. |
| HardwareIds | string | 'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details': |
| HomeDirectory | string | User's home directory. If homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path. The path must be a network UNC of the form \Server\Share\Directory. |
| HomePath | string | User's home path. The path must be a network UNC of the form \Server\Share\Directory. |
| InterfaceUuid | string | The unique identifier (UUID) for the network interface that was used for the event. |
| IpAddress | string | the network address (usually IPv4 or IPv6) associated with the event. |
| IpPort | string | The network port number associated with the event. |
| KeyLength | int | The length of NTLM Session Security key. Typically it has 128 bit or 56 bit length. |
| Keywords | string | A bitmask of the keywords defined in the event. |
| Level | string | Windows categorizes every event with a severity level. The levels in order of severity are information, verbose, warning, error and critical expressed in numbers. |
| LmPackageName | string | The name of the package or software component that is currently using the Local Security Authority (LSA) on the machine where the event is being generated. |
| LocationInformation | string | 'Location information' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details': |
| LockoutDuration | string | '\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration' group policy. Numeric value. |
| LockoutObservationWindow | string | '\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after' group policy. Numeric value. |
| LockoutThreshold | string | '\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold' group policy. Numeric value. |
| LoggingResult | string | The result of the logon process. |
| LogonGuid | string | A GUID that can help you correlate this event with another event that can contain the same Logon GUID. |
| LogonHours | string | Hours that the account is allowed to logon to the domain. |
| LogonID | string | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
| LogonProcessName | string | The name of registered logon process. |
| LogonType | int | The type of logon which was performed. |
| LogonTypeName | string | The type of logon or authentication event that is being captured by the event log (common values:Interactive, Network, RemoteInteractive, Unlock). |
| MachineAccountQuota | string | ms-DS-MachineAccountQuota domain attribute was modified. Numeric value. |
| MachineInventory | string | Information about the hardware configuration and software environment of the computer where the event is being generated. It can include different data points, for instance: the make and model of the computer, the amount of RAM or storage space available, the version numbers of various software applications, etc). |
| MachineLogon | string | Information about a successful logon event in the machine. |
| ManagementGroupName | string | Additional information based on the resource type. |
| MandatoryLabel | string | ID of integrity label which was assigned to the new process. |
| MaxPasswordAge | string | The period of time (in days) that a password can be used before the system requires the user to change it. |
| MemberName | string | The user account that was involved in the event. |
| MemberSid | string | The security identifier (SID) associated with the user account that was involved in the event. |
| MinPasswordAge | string | The period of time (in days) that a password must be used before the system requires the user to change it. |
| MinPasswordLength | string | The least number of characters that can make up a password for a user account. |
| MixedDomainMode | string | The domain mode of a system or domain controller. |
| NASIdentifier | string | The identifier of the network access server (NAS) that was involved in the event. |
| NASIPv4Address | string | The IPv4Address of the network access server (NAS) that was involved in the event, if applicable. |
| NASIPv6Address | string | The IPv6Address of the network access server (NAS) that was involved in the event, if applicable. |
| NASPort | string | the port on the network access server that was used in the event. |
| NASPortType | string | the type of network access server (NAS) used in the event. |
| NetworkPolicyName | string | The name of the network policy associated with the event. |
| NewDate | string | New date in UTC time zone. The format is YYYY-MM-DD. |
| NewMaxUsers | string | The new maximum number of users allowed for a resource in the event. |
| NewProcessId | string | Hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
| NewProcessName | string | Full path and the name of the executable for the new process. |
| NewRemark | string | The new value of network share 'Comments:' field. Has 'N/A' value if it isn't set. |
| NewShareFlags | string | The share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions. |
| NewTime | string | New time that was set in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ |
| NewUacValue | string | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. |
| NewValue | string | New value for changed registry key value. |
| NewValueType | string | New type of changed registry key value. |
| ObjectName | string | Name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. |
| ObjectServer | string | Contains the name of the Windows subsystem calling the routine. |
| ObjectType | string | The type of an object that was accessed during the operation. |
| ObjectValueName | string | The name of modified registry key value. |
| OemInformation | string | The original equipment manufacturer (OEM) associated with a device or system in the event. |
| OldMaxUsers | string | The previous maximum number of users allowed for a resource in the event. |
| OldRemark | string | the old value of network share 'Comments:' field. Has 'N/A' value if it isn't set. |
| OldShareFlags | string | The previous share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions. |
| OldUacValue | string | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of userAccountControl attribute of user object. |
| OldValue | string | Old value for changed registry key value. |
| OldValueType | string | Old type of changed registry key value. |
| Opcode | string | The opcode element is defined by the SystemPropertiesType complex type. |
| OperationType | string | The type of operation which was performed on an object |
| PackageName | string | The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. |
| ParentProcessName | string | The name of the parent process associated with the event. |
| PasswordHistoryLength | string | \Security Settings\Account Policies\Password Policy\Enforce password history" group policy. Numeric value. |
| PasswordLastSet | string | Last time the account's password was modified. |
| PasswordProperties | string | The password policies or properties associated with the event, for example: password length, complexity and expiration date. |
| PreviousDate | string | The previous date associated with the event. |
| PreviousTime | string | Previous time in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ. |
| PrimaryGroupId | string | Relative Identifier (RID) of user's object primary group. |
| PrivateKeyUsageCount | string | The number of times a private key has been used. |
| PrivilegeList | string | The privileges, including user, group, or system privileges associated with the event. |
| Process | string | The name of the process that generates the event. |
| ProcessId | string | Identifies the process that generated the event. |
| ProcessName | string | Full path and the name of the executable for the process. |
| ProfilePath | string | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. |
| Properties | string | Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed. |
| ProtocolSequence | string | Information about the protocol used for an authentication attempt. |
| ProxyPolicyName | string | Name of the policy that was used to configure the proxy server for connecting to the network. |
| QuarantineHelpURL | string | URL that provides help with troubleshooting a network quarantine issue. |
| QuarantineSessionID | string | Identifier of the session where the file was assessed for quarantine. |
| QuarantineSessionIdentifier | string | Identifier of the session where the file was assessed for quarantine. |
| QuarantineState | string | It shows whether the file is quarantined. |
| QuarantineSystemHealthResult | string | Report that shows the status of the files that have been quarantined. |
| RelativeTargetName | string | Relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as "". |
| RemoteIpAddress | string | The IP address of the computer that initiated a remote connection. |
| RemotePort | string | The port number of the remote computer that initiated a connection. |
| Requester | string | The event requester identifier. |
| RequestId | string | A unique identifier that's associated with particular requests, such as those made over HTTP. |
| RestrictedAdminMode | string | Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. |
| RowsDeleted | string | The number of rows that were deleted as a part of a particular operation. |
| SamAccountName | string | logon name for account used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). |
| ScriptPath | string | Specifies the path of the account's logon script. |
| SecurityDescriptor | string | Information about the security settings and permissions of a particular object or resource. |
| ServiceAccount | string | The security context that the service will run as when started. |
| ServiceFileName | string | Indicates the type of service that was registered with the Service Control Manager. |
| ServiceName | string | The name of installed service. |
| ServiceStartType | int | Contains information about how a particular service should be started, whether it should be started automatically or manually. |
| ServiceType | string | Indicates the type of service that was registered with the Service Control Manager. |
| SessionName | string | The name of the session to which the user was reconnected. |
| ShareLocalPath | string | The local path of accessed network share. |
| ShareName | string | The name of accessed network share. The format is: *\SHARE_NAME. |
| SidHistory | string | Contains previous SIDs used for the object if the object was moved from another domain. |
| SourceComputerId | string | Unique identifier assigned to each computer in a Windows domain. |
| SourceSystem | string | The type of agent the event was collected by. For example,OpsManagerfor Windows agent, either direct connect or Operations Manager,Linuxfor all Linux agents, orAzurefor Azure Diagnostics |
| Status | string | The reason why logon failed. For this event, it typically has '0xC0000234' value. The most common status codes are listed in Table 12. Windows logon status codes. |
| StorageAccount | string | Sets the storage account access key. |
| SubcategoryGuid | string | The unique GUID of changed subcategory. |
| SubcategoryId | string | A unique identifier for a specific type of the event. |
| Subject | string | Information about the security principal (for instance: user account) that initiated the event. |
| SubjectAccount | string | Information about the account that is initiating the event. |
| SubjectDomainName | string | Information about the domain or workgroup to which the subject account belongs. |
| SubjectKeyIdentifier | string | A unique identifier for a particular certificate subject. |
| SubjectLogonId | string | A unique identifier for the logon session associated with the subject account. |
| SubjectMachineName | string | Information about the machine or system from which the event was created. |
| SubjectMachineSID | string | The security identifier (SID) for the machine that generated the event. |
| SubjectUserName | string | The name of the user account that generated the event. |
| SubjectUserSid | string | The security identifier (SID) for the user account that generated the event. |
| SubStatus | string | Additional information about logon failure. The most common substatus codes listed in the 'Table 12. Windows logon status codes'. |
| SystemProcessId | int | Identifies the process that generated the event. |
| SystemThreadId | int | Identifies the thread that generated the event. |
| SystemUserId | string | The ID of the user who is responsible for the event. |
| TableId | string | The specific data table identifier the event data is stored in. |
| TargetAccount | string | The account targeted by the event (user name, computer name, etc). |
| TargetDomainName | string | The name of the domain that the target account belongs to. |
| TargetInfo | string | Additional information about the event target (for example: the path to a file or folder, the name of a registry key, etc). |
| TargetLinkedLogonId | string | Information that helps to link related events together by their logon attempt IDs. It can be useful in keeping all relevant events organized, tracking activity across multiple sessions, and identifying the attack source. |
| TargetLogonGuid | string | A globally unique identifier (GUID) associated with the logon session related to the event. |
| TargetLogonId | string | A unique identifier associated with the logon session related to the event. |
| TargetOutboundDomainName | string | The domain that the account specified in the TargetAccount field was authenticated against during an outbound authentication attempt. |
| TargetOutboundUserName | string | The name of the user account that was authenticated during an outbound authentication attempt. |
| TargetServerName | string | The name of the server on which the new process was run. Has "localhost" value if the process was run locally. |
| TargetSid | string | The security identifier (SID) of the server on which the new process was run. |
| TargetUser | string | The user account identifier that generated the new process. |
| TargetUserName | string | The name of the user account that generated the new process. |
| TargetUserSid | string | The security identifier (SID) associated with the user or resource involved in the event. |
| Task | int | The task defined in the event. |
| TemplateContent | string | The content of the event message or notification in a structured form. |
| TemplateDSObjectFQDN | string | FQDN of the DS object that represents the GPO template. |
| TemplateInternalName | string | The internal name of the GPO template. |
| TemplateOID | string | the unique identifier for the template that was used to create the event. |
| TemplateSchemaVersion | string | Version of the template schema that defines the data to include with an event. |
| TemplateVersion | string | Version of the template that defines the data to include with an event. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time stamp when the event was generated on the computer. |
| TokenElevationType | string | Type of token that was assigned to a new process in accordance with User Account Control Policy. |
| TransmittedServices | string | The list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, seehttps://msdn.microsoft.com/library/cc246072.aspx. |
| Type | string | The name of the table |
| UserAccountControl | string | Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. |
| UserParameters | string | If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user's account properties, then you will see |
| UserPrincipalName | string | Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. |
| UserWorkstations | string | Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. |
| VendorIds | string | 'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
| Version | int | Contains the version number of the event's definition. |
| VirtualAccount | string | A 'Yes' or 'No' flag, which indicates if the account is a virtual account (e.g., 'Managed Service Account'), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using 'NetworkService'. |
| Workstation | string | The name of the machine that was used to perform the event. |
| WorkstationName | string | Machine name from which a logon attempt was performed. |
This table is used by the following solutions:
This table is ingested by the following connectors:
In solution Attacker Tools Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Powershell Empire Cmdlets Executed in Command Line |
In solution Dev 0270 Detection and Hunting:
| Analytic Rule | Selection Criteria |
|---|---|
| DEV-0270 New User Creation | |
| Dev-0270 Malicious Powershell usage | |
| Dev-0270 Registry IOC - September 2022 | |
| Dev-0270 WMIC Discovery |
In solution EatonForeseer: EventID in "4624,4625,4634,4647,4648,4675"
| Analytic Rule |
|---|
| EatonForeseer - Unauthorized Logins |
In solution Endpoint Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Base64 encoded Windows process command-lines | |
| Malware in the recycle bin | |
| Potential Remote Desktop Tunneling | EventID in "4624,4625" |
| Process executed from binary hidden in Base64 encoded file | |
| Security Event log cleared | |
| Windows Binaries Executed from Non-Default Directory | EventID == "4688" |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| Certified Pre-Owned - TGTs requested with certificate authentication | EventID == "4768" |
| Certified Pre-Owned - backup of CA private key - rule 1 | EventID == "5058" |
| Certified Pre-Owned - backup of CA private key - rule 2 | EventID == "5059" |
| Excessive share permissions | EventID == "5143" |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in SecurityEvents |
In solution Network Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Network endpoint to host executable correlation |
In solution Semperis Directory Services Protector:
| Analytic Rule | Selection Criteria |
|---|---|
| Semperis DSP Failed Logons | EventID == "20002" |
| Semperis DSP Kerberos krbtgt account with old password | EventID in "9208,9211,9212" |
| Semperis DSP Mimikatz's DCShadow Alert | EventID in "9208,9211,9212" |
| Semperis DSP Operations Critical Notifications | EventID == "30001" |
| Semperis DSP RBAC Changes | EventID == "20012" |
| Semperis DSP Recent sIDHistory changes on AD objects | EventID in "9208,9211,9212" |
| Semperis DSP Well-known privileged SIDs in sIDHistory | EventID in "9208,9211,9212" |
| Semperis DSP Zerologon vulnerability | EventID in "9208,9211,9212" |
In solution Threat Intelligence:
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to SecurityEvent | |
| TI map File Hash to Security Event |
In solution Threat Intelligence (NEW):
| Analytic Rule | Selection Criteria |
|---|---|
| TI map Email entity to SecurityEvent | |
| TI map File Hash to Security Event |
In solution Web Shells Threat Protection: EventID in "4663,4688"
| Analytic Rule |
|---|
| Identify SysAid Server web shell creation |
In solution Windows Security Events:
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 |
Standalone Content:
In solution Attacker Tools Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Potential Impacket Execution |
In solution Cyborg Security HUNTER:
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Backup Deletion | |
| Download of New File Using Curl | |
| Persisting via IFEO Registry Key | |
| Potential Microsoft Security Services Tampering | |
| Rare Windows Firewall Rule updates using Netsh | EventID == "1" |
| Remote Login Performed with WMI | EventID in "4624,4625" |
| Remote Scheduled Task Creation or Update using ATSVC Named Pipe | EventID == "5145" |
| Scheduled Task Creation or Update from User Writable Directory | EventID in "4698,4702" |
| Unicode Obfuscation in Command Line |
In solution Legacy IOC based Threat Protection:
In solution Threat Intelligence: EventID in "4648,4673,4688,8002"
| Hunting Query |
|---|
| TI Map File Entity to Security Event |
In solution Threat Intelligence (NEW): EventID in "4648,4673,4688,8002"
| Hunting Query |
|---|
| TI Map File Entity to Security Event |
In solution Windows Security Events:
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| External IP address in Command Line | EventID == "4688" |
| Failed Login Attempt by Expired account | EventID in "4625,4769,4776" |
| Tracking Password Changes | |
| Tracking Privileged Account Rare Activity | EventID in "4624,4625,4720,4726,4728,4732,4756,7045" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| AD Account Lockout | EventID == "4740" |
| Critical user management operations followed by disabling of System Restore from admin account | |
| Download of New File Using Curl | |
| Fake computer account authentication attempt | EventID in "4624,4625" |
| Large Scale Malware Deployment via GPO Scheduled Task Modification | EventID == "5145" |
| Possible command injection attempts against Azure Integration Runtimes | |
| Potential Process Doppelganging | EventID == "4985" |
| RID Hijacking | EventID in "4624,4625" |
| Rare firewall rule changes using netsh | EventID == "1" |
| Recon Activity with Interactive Logon Correlation | EventID == "4624" |
| Remote Task Creation/Update using Schtasks Process | EventID == "4688" |
| Summary of failed user logons by reason of failure | EventID == "4740" |
| Suspicious command line tokens in LolBins or LolScripts | EventID == "4688" |
| Users Opening and Reading the Local Device Identity Key |
In solution AzureSecurityBenchmark: EventID in "2889,3000,4624,4768,4769,4776"
| Workbook |
|---|
| AzureSecurityBenchmark |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance |
In solution EatonForeseer: EventID in "4624,4625,4634,4647,4648,4675"
| Workbook |
|---|
| EatonForeseerHealthAndAccess |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity |
In solution HIPAA Compliance: EventID in "4624,4625"
| Workbook |
|---|
| HIPAACompliance |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft Exchange Security - Exchange On-Premises: EventID in "4624,4720,4722,4724,4725,4726,7036"
| Workbook |
|---|
| Microsoft Exchange Admin Activity |
In solution MicrosoftPurviewInsiderRiskManagement: EventID in "4723,4724"
| Workbook |
|---|
| InsiderRiskManagement |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 |
In solution PCI DSS Compliance:
| Workbook | Selection Criteria |
|---|---|
| PCIDSSCompliance |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| InvestigationInsights | EventID in "1102,4624,4625,4688,4719,4720,4723,4724,4768,4771,4776" |
| SecurityStatus |
In solution SOX IT Compliance: EventID in "1100,1102,1104,1240,1241,1242,4656,4657,4660,4663,4670,4688,4719,4720,4726,4732,4739,4754,4907"
| Workbook |
|---|
| SOXITCompliance |
In solution Semperis Directory Services Protector:
| Workbook | Selection Criteria |
|---|---|
| SemperisDSPNotifications | |
| SemperisDSPQuickviewDashboard | EventID in "20000,20002,20012,9208,9211,9212" |
| SemperisDSPSecurityIndicators | EventID in "9208,9211,9212" |
| SemperisDSPWorkbook | EventID in "9208,9211,9212" |
In solution Windows Firewall: EventID in "4624,4625"
| Workbook |
|---|
| WindowsFirewall |
In solution Windows Security Events:
| Workbook | Selection Criteria |
|---|---|
| EventAnalyzer | EventID in "4656,4657,4658,4660,4661,4663,4664,4670,4671,4673,4674,4690,4691,4698,4699,4700,4701,4702,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4985,5031,5039,5051,5140,5142,5143,5144,5148,5149,5150,5151,5154,5155,5156,5157,5158,5159,5168,5888,5889,5890" |
| IdentityAndAccess |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AMAmigrationTracker | |
| AdvancedWorkbookConcepts | |
| DCR-Toolkit | EventID == "and test !has" |
| DataCollectionHealthMonitoring | |
| Data_Latency_Workbook | |
| DoDZeroTrustWorkbook | |
| EventAnalyzer | EventID in "4656,4657,4658,4660,4661,4663,4664,4670,4671,4673,4674,4690,4691,4698,4699,4700,4701,4702,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4985,5031,5039,5051,5140,5142,5143,5144,5148,5149,5150,5151,5154,5155,5156,5157,5158,5159,5168,5888,5889,5890" |
| ExchangeCompromiseHunting | EventID in "3,4663,4688,5136" |
| IdentityAndAccess | |
| InsecureProtocols | EventID in "2889,3000,4624,4768,4769,4776,5827,5828,5829,5830,5831" |
| InvestigationInsights | EventID in "1102,4624,4625,4688,4719,4720,4723,4724,4768,4771,4776" |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SecurityStatus | |
| SentinelWorkspaceReconTools | |
| SolarWindsPostCompromiseHunting | EventID in "17,18,4624,4662,4670,4688,5145,87" |
| SysmonThreatHunting | EventID in "1,10,11,12,13,17,18,22,3,4624,4625,4720,4722,4723,4724,4725,4726,4728,4729,4732,4733,4738,4740,4746,4747,4751,4752,4756,4761,4762,4767,4771,4781,7,8" |
| WindowsAuditChecker | EventID in "4624,4625,4768,4769,4771" |
| WindowsFirewall | EventID in "4624,4625" |
| WindowsFirewallViaAMA | EventID in "4624,4625" |
| WorkspaceUsage | |
| ZeroTrustStrategyWorkbook |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventMicrosoftSecurityEvents | AuditEvent | Microsoft Windows | |
| ASimFileEventMicrosoftSecurityEvents | FileEvent | Microsoft Windows Events | EventID == "4663" |
| ASimProcessCreateMicrosoftSecurityEvents | ProcessEvent | Security Events | EventID == "4688" |
| ASimProcessTerminateMicrosoftSecurityEvents | ProcessEvent | Security Events | EventID == "4689" |
| ASimRegistryEventMicrosoftSecurityEvent | RegistryEvent | Security Events | EventID in "4657,4663" |
| ASimUserManagementMicrosoftSecurityEvent | UserManagement | Microsoft Security Event | EventID in "4744,4748,4749,4753,4759,4763" |
EventID in "9208,9211,9212"| Parser | Solution |
|---|---|
| dsp_parser | Semperis Directory Services Protector |
This table collects data from the following Azure resource types:
microsoft.securityinsights/securityinsightsmicrosoft.compute/virtualmachinesmicrosoft.conenctedvmwarevsphere/virtualmachinesmicrosoft.azurestackhci/virtualmachinesmicrosoft.scvmm/virtualmachinesmicrosoft.compute/virtualmachinescalesetsReferences by type: 1 connectors, 117 content items, 5 ASIM parsers, 1 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
EventID == "4688" |
- | 37 | 1 | - | 38 |
EventID in "4624,4625" |
- | 11 | - | - | 11 |
EventID in "9208,9211,9212" |
- | 7 | - | 1 | 8 |
EventID == "5136" |
- | 4 | - | - | 4 |
EventID == "4625" |
- | 3 | - | - | 3 |
EventID == "4657" |
- | 3 | - | - | 3 |
EventID == "1" |
- | 3 | - | - | 3 |
EventID == "5145" |
- | 3 | - | - | 3 |
EventID == "4740" |
- | 3 | - | - | 3 |
EventID in "4624,4625,4634,4647,4648,4675" |
- | 2 | - | - | 2 |
EventID in "4656,4663" |
- | 2 | - | - | 2 |
EventID == "4720" |
- | 2 | - | - | 2 |
EventID in "4648,4673,4688,8002" |
- | 2 | - | - | 2 |
EventID in "9211,9212" |
1 | - | - | - | 1 |
EventID == "5058" |
- | 1 | - | - | 1 |
EventID == "5059" |
- | 1 | - | - | 1 |
EventID == "4768" |
- | 1 | - | - | 1 |
EventID == "5143" |
- | 1 | - | - | 1 |
EventID == "20002" |
- | 1 | - | - | 1 |
EventID == "30001" |
- | 1 | - | - | 1 |
EventID == "20012" |
- | 1 | - | - | 1 |
EventID in "4663,4688" |
- | 1 | - | - | 1 |
EventID in "412,501,5156" |
- | 1 | - | - | 1 |
EventID in "4624,4688,4697,4698,4699,4700,4701,4702,5145" |
- | 1 | - | - | 1 |
EventID in "4624,4662" |
- | 1 | - | - | 1 |
EventID == "1102" |
- | 1 | - | - | 1 |
EventID in "4657,4688" |
- | 1 | - | - | 1 |
EventID in "4624,4656" |
- | 1 | - | - | 1 |
EventID in "1,4688" |
- | 1 | - | - | 1 |
EventID == "501" |
- | 1 | - | - | 1 |
EventID in "4698,4702" |
- | 1 | - | - | 1 |
EventID in "4727,4728,4731,4732,4754,4756" |
- | 1 | - | - | 1 |
EventID == "4648" |
- | 1 | - | - | 1 |
EventID in "4624,4688" |
- | 1 | - | - | 1 |
EventID in "4728,4732,4756" |
- | 1 | - | - | 1 |
EventID in "4720,4726" |
- | 1 | - | - | 1 |
EventID in "4728,4729,4732,4733,4746,4747,4751,4752,4756,4757,4761,4762" |
- | 1 | - | - | 1 |
EventID == "4616" |
- | 1 | - | - | 1 |
EventID in "4625,4769,4776" |
- | 1 | - | - | 1 |
EventID == "4624" |
- | 1 | - | - | 1 |
EventID in "4624,4625,4720,4726,4728,4732,4756,7045" |
- | 1 | - | - | 1 |
EventID == "4985" |
- | 1 | - | - | 1 |
EventID in "2889,3000,4624,4768,4769,4776" |
- | 1 | - | - | 1 |
EventID in "4624,4720,4722,4724,4725,4726,7036" |
- | 1 | - | - | 1 |
EventID in "4723,4724" |
- | 1 | - | - | 1 |
EventID in "20000,20002,20012,9208,9211,9212" |
- | 1 | - | - | 1 |
EventID in "1102,4624,4625,4688,4719,4720,4723,4724,4768,4771,4776" |
- | 1 | - | - | 1 |
EventID in "1100,1102,1104,1240,1241,1242,4656,4657,4660,4663,4670,4688,4719,4720,4726,4732,4739,4754,4907" |
- | 1 | - | - | 1 |
EventID in "4656,4657,4658,4660,4661,4663,4664,4670,4671,4673,4674,4690,4691,4698,4699,4700,4701,4702,4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4985,5031,5039,5051,5140,5142,5143,5144,5148,5149,5150,5151,5154,5155,5156,5157,5158,5159,5168,5888,5889,5890" |
- | 1 | - | - | 1 |
EventID == "4663" |
- | - | 1 | - | 1 |
EventID == "4689" |
- | - | 1 | - | 1 |
EventID in "4657,4663" |
- | - | 1 | - | 1 |
EventID in "4744,4748,4749,4753,4759,4763" |
- | - | 1 | - | 1 |
| Total | 1 | 117 | 5 | 1 | 124 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
4688 |
- | 46 | 1 | - | 47 |
4624 |
- | 22 | - | - | 22 |
4625 |
- | 19 | - | - | 19 |
9211 |
1 | 8 | - | 1 | 10 |
9212 |
1 | 8 | - | 1 | 10 |
9208 |
- | 8 | - | 1 | 9 |
4663 |
- | 5 | 2 | - | 7 |
4657 |
- | 6 | 1 | - | 7 |
4720 |
- | 7 | - | - | 7 |
4648 |
- | 5 | - | - | 5 |
4656 |
- | 5 | - | - | 5 |
4732 |
- | 5 | - | - | 5 |
5136 |
- | 4 | - | - | 4 |
5145 |
- | 4 | - | - | 4 |
1 |
- | 4 | - | - | 4 |
4728 |
- | 4 | - | - | 4 |
4756 |
- | 4 | - | - | 4 |
4726 |
- | 4 | - | - | 4 |
4768 |
- | 3 | - | - | 3 |
4698 |
- | 3 | - | - | 3 |
4702 |
- | 3 | - | - | 3 |
1102 |
- | 3 | - | - | 3 |
4673 |
- | 3 | - | - | 3 |
4740 |
- | 3 | - | - | 3 |
4776 |
- | 3 | - | - | 3 |
4724 |
- | 3 | - | - | 3 |
4719 |
- | 3 | - | - | 3 |
4634 |
- | 2 | - | - | 2 |
4647 |
- | 2 | - | - | 2 |
4675 |
- | 2 | - | - | 2 |
5143 |
- | 2 | - | - | 2 |
20002 |
- | 2 | - | - | 2 |
20012 |
- | 2 | - | - | 2 |
501 |
- | 2 | - | - | 2 |
5156 |
- | 2 | - | - | 2 |
4699 |
- | 2 | - | - | 2 |
4700 |
- | 2 | - | - | 2 |
4701 |
- | 2 | - | - | 2 |
8002 |
- | 2 | - | - | 2 |
4754 |
- | 2 | - | - | 2 |
4769 |
- | 2 | - | - | 2 |
4985 |
- | 2 | - | - | 2 |
4723 |
- | 2 | - | - | 2 |
4660 |
- | 2 | - | - | 2 |
4670 |
- | 2 | - | - | 2 |
4907 |
- | 2 | - | - | 2 |
5058 |
- | 1 | - | - | 1 |
5059 |
- | 1 | - | - | 1 |
30001 |
- | 1 | - | - | 1 |
412 |
- | 1 | - | - | 1 |
4697 |
- | 1 | - | - | 1 |
4662 |
- | 1 | - | - | 1 |
4727 |
- | 1 | - | - | 1 |
4731 |
- | 1 | - | - | 1 |
4729 |
- | 1 | - | - | 1 |
4733 |
- | 1 | - | - | 1 |
4746 |
- | 1 | - | - | 1 |
4747 |
- | 1 | - | - | 1 |
4751 |
- | 1 | - | - | 1 |
4752 |
- | 1 | - | - | 1 |
4757 |
- | 1 | - | - | 1 |
4761 |
- | 1 | - | - | 1 |
4762 |
- | 1 | - | - | 1 |
4616 |
- | 1 | - | - | 1 |
7045 |
- | 1 | - | - | 1 |
2889 |
- | 1 | - | - | 1 |
3000 |
- | 1 | - | - | 1 |
4722 |
- | 1 | - | - | 1 |
4725 |
- | 1 | - | - | 1 |
7036 |
- | 1 | - | - | 1 |
20000 |
- | 1 | - | - | 1 |
4771 |
- | 1 | - | - | 1 |
1100 |
- | 1 | - | - | 1 |
1104 |
- | 1 | - | - | 1 |
1240 |
- | 1 | - | - | 1 |
1241 |
- | 1 | - | - | 1 |
1242 |
- | 1 | - | - | 1 |
4739 |
- | 1 | - | - | 1 |
4658 |
- | 1 | - | - | 1 |
4661 |
- | 1 | - | - | 1 |
4664 |
- | 1 | - | - | 1 |
4671 |
- | 1 | - | - | 1 |
4674 |
- | 1 | - | - | 1 |
4690 |
- | 1 | - | - | 1 |
4691 |
- | 1 | - | - | 1 |
4715 |
- | 1 | - | - | 1 |
4817 |
- | 1 | - | - | 1 |
4902 |
- | 1 | - | - | 1 |
4904 |
- | 1 | - | - | 1 |
4905 |
- | 1 | - | - | 1 |
4906 |
- | 1 | - | - | 1 |
4908 |
- | 1 | - | - | 1 |
4912 |
- | 1 | - | - | 1 |
5031 |
- | 1 | - | - | 1 |
5039 |
- | 1 | - | - | 1 |
5051 |
- | 1 | - | - | 1 |
5140 |
- | 1 | - | - | 1 |
5142 |
- | 1 | - | - | 1 |
5144 |
- | 1 | - | - | 1 |
5148 |
- | 1 | - | - | 1 |
5149 |
- | 1 | - | - | 1 |
5150 |
- | 1 | - | - | 1 |
5151 |
- | 1 | - | - | 1 |
5154 |
- | 1 | - | - | 1 |
5155 |
- | 1 | - | - | 1 |
5157 |
- | 1 | - | - | 1 |
5158 |
- | 1 | - | - | 1 |
5159 |
- | 1 | - | - | 1 |
5168 |
- | 1 | - | - | 1 |
5888 |
- | 1 | - | - | 1 |
5889 |
- | 1 | - | - | 1 |
5890 |
- | 1 | - | - | 1 |
4689 |
- | - | 1 | - | 1 |
4744 |
- | - | 1 | - | 1 |
4748 |
- | - | 1 | - | 1 |
4749 |
- | - | 1 | - | 1 |
4753 |
- | - | 1 | - | 1 |
4759 |
- | - | 1 | - | 1 |
4763 |
- | - | 1 | - | 1 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊