W3CIISLog
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Tables Index
Reference for W3CIISLog table in Azure Monitor Logs.
| Attribute |
Value |
| Category |
IT & Management Tools, Virtual Machines |
| Basic Logs Eligible |
✗ No (source) |
| Supports Transformations |
✓ Yes (source) |
| Ingestion API Supported |
✗ No |
| Lake-Only Ingestion |
✗ No (source) |
| Azure Monitor Tables Reference |
View Documentation |
Contents
Schema (44 columns)
Source: Azure Monitor documentation
| Column Name |
Type |
Description |
| _BilledSize |
real |
The record size in bytes |
| _IsBillable |
string |
Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId |
string |
A unique identifier for the resource that the record is associated with |
| _SubscriptionId |
string |
A unique identifier for the subscription that the record is associated with |
| AzureDeploymentID |
string |
Azure deployment ID of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent when data is pulled from Azure storage. |
| cIP |
string |
IP address of the client that accessed the web server. |
| Computer |
string |
Name of the computer that the event was collected from. |
| Confidence |
string |
Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension. |
| csBytes |
long |
Number of bytes that the server received. |
| csCookie |
string |
Content of the cookie sent or received if any. |
| csHost |
string |
Host header name if any. |
| csMethod |
string |
Method of the request such as GET or POST. |
| csReferer |
string |
Site that the user last visited. This site provided a link to the current site. |
| csUriQuery |
string |
The query if any that the client was trying to perform. A Universal Resource Identifier (URI) query is necessary only for dynamic pages. |
| csUriStem |
string |
Target of the action such as a web page for example Default.htm. |
| csUserAgent |
string |
Browser type of the client. |
| csUserName |
string |
Name of the authenticated user that accessed the server. Anonymous users are indicated by a hyphen. |
| csVersion |
string |
Protocol version that the client used. |
| Description |
string |
Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension). |
| FirstReportedDateTime |
string |
Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension). |
| IndicatorThreatType |
string |
Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension). |
| IsActive |
string |
Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension). |
| LastReportedDateTime |
string |
Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension). |
| MaliciousIP |
string |
Only populated for IIS logs collected from Azure Cloud Services (through Azure Diagnostics Extension). |
| ManagementGroupName |
string |
Name of the management group for Operations Manager agents. For other agents this is AOI-<workspace ID>. |
| RemoteIPCountry |
string |
Country/region of the IP address of the client. |
| RemoteIPLatitude |
real |
Latitude of the client IP address. |
| RemoteIPLongitude |
real |
Longitude of the client IP address. |
| Role |
string |
Role instance of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and data is pulled from Azure storage. |
| RoleInstance |
string |
Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and data is pulled from Azure storage. |
| scBytes |
long |
Number of bytes that the server sent. |
| scStatus |
string |
HTTP status code. |
| scSubStatus |
string |
Substatus error code. |
| scWin32Status |
string |
Windows status code. |
| Severity |
int |
Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension. |
| sIP |
string |
IP address of the server on which the log file entry was generated. |
| SourceSystem |
string |
The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| sPort |
int |
Server port number that is configured for the service. |
| sSiteName |
string |
Name of the IIS site. |
| StorageAccount |
string |
Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension. |
| TimeGenerated |
datetime |
Date and time the record was created. |
| TimeTaken |
long |
Length of time to process the request in milliseconds. |
| TLPLevel |
string |
Only populated for IIS logs collected from Azure Cloud Services through Azure Diagnostics Extension. |
| Type |
string |
The name of the table |
Solutions (7)
This table is used by the following solutions:
Connectors (2)
This table is ingested by the following connectors:
Content Items Using This Table (13)
Analytic Rules (7)
In solution Apache Log4j Vulnerability Detection:
In solution Network Threat Protection Essentials:
In solution Threat Intelligence: cIP !startswith "127."
cIP !startswith "::"
cIP !startswith "fe80"
In solution Threat Intelligence (NEW): cIP !startswith "127."
cIP !startswith "::"
cIP !startswith "fe80"
In solution Web Shells Threat Protection:
Hunting Queries (3)
In solution Network Threat Protection Essentials:
In solution Web Shells Threat Protection:
Workbooks (3)
In solution Apache Log4j Vulnerability Detection:
In solution Microsoft Exchange Security - Exchange On-Premises:
In solution SOC Handbook:
Parsers Using This Table (1)
ASIM Parsers (1)
| Parser |
Schema |
Product |
Selection Criteria |
| ASimWebSessionIIS |
WebSession |
Internet Information Services (IIS) |
|
Resource Types
This table collects data from the following Azure resource types:
microsoft.compute/virtualmachinesmicrosoft.conenctedvmwarevsphere/virtualmachinesmicrosoft.azurestackhci/virtualmachinesmicrosoft.scvmm/virtualmachinesmicrosoft.compute/virtualmachinescalesets
Selection Criteria Summary (3 criteria, 4 total references)
References by type: 0 connectors, 4 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria |
Connectors |
Content Items |
ASIM Parsers |
Other Parsers |
Total |
cIP !startswith "127."
cIP !startswith "::"
cIP !startswith "fe80" |
- |
2 |
- |
- |
2 |
csMethod == "GET"
csUriQuery contains "args"
csUriQuery contains "clazz"
csUriQuery contains "codes"
csUriQuery contains "method"
csUriStem contains "logoimagehandler.ashx" |
- |
1 |
- |
- |
1 |
csMethod == "GET"
csReferer has "whoami"
csUriQuery has "whoami"
csUriStem has "whoami" |
- |
1 |
- |
- |
1 |
| Total |
0 |
4 |
0 |
0 |
4 |
cIP
| Value |
Connectors |
Content Items |
ASIM Parsers |
Other Parsers |
Total |
!startswith 127. |
- |
2 |
- |
- |
2 |
!startswith :: |
- |
2 |
- |
- |
2 |
!startswith fe80 |
- |
2 |
- |
- |
2 |
csMethod
| Value |
Connectors |
Content Items |
ASIM Parsers |
Other Parsers |
Total |
GET |
- |
2 |
- |
- |
2 |
csReferer
| Value |
Connectors |
Content Items |
ASIM Parsers |
Other Parsers |
Total |
has whoami |
- |
1 |
- |
- |
1 |
csUriQuery
| Value |
Connectors |
Content Items |
ASIM Parsers |
Other Parsers |
Total |
contains args |
- |
1 |
- |
- |
1 |
contains clazz |
- |
1 |
- |
- |
1 |
contains codes |
- |
1 |
- |
- |
1 |
contains method |
- |
1 |
- |
- |
1 |
has whoami |
- |
1 |
- |
- |
1 |
csUriStem
| Value |
Connectors |
Content Items |
ASIM Parsers |
Other Parsers |
Total |
contains logoimagehandler.ashx |
- |
1 |
- |
- |
1 |
has whoami |
- |
1 |
- |
- |
1 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Tables Index