Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
| Attribute | Value |
|---|---|
| Type | Workbook |
| Solution | MicrosoftPurviewInsiderRiskManagement |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
AADNonInteractiveUserSignInLogs |
✓ | ✗ | ✓ | |
AADUserRiskEvents |
✓ | ✗ | ✓ | |
Anomalies |
✓ | ✓ | ? | |
AuditLogs |
OperationName in "Add member to role,Add user,Consent to application,Create Deployment,Create or Update Virtual Machine,Create role assignment,List Storage Account Keys,Reset user password,Update user"OperationName in "Set domain authentication,Set federation settings on domain,Sign-in activity"OperationName != "Consent to application"OperationName contains "Create"OperationName contains "Delete"OperationName contains "Update"OperationName contains "delet"OperationName contains "delete"OperationName contains "remove"OperationName has "Create"OperationName has_any "Create,Update"OperationName has_any "Ip,Security Rule" |
✓ | ✗ | ✓ |
AzureActivity |
ActivityStatus in "Accepted,Succeeded"ActivitySubstatusValue in "Created,OK" |
✗ | ✗ | ✗ |
BehaviorAnalytics |
ActivityInsights has "True"ActivityType == "LogOn" |
✓ | ✗ | ? |
EmailEvents |
ActionType in "Add member to role,Add user,InteractiveLogon,RemoteInteractiveLogon,Reset user password,ResourceAccess,Sign-in,Update user" |
✓ | ✗ | ✓ |
IdentityInfo |
✓ | ✗ | ? | |
LAQueryLogs |
RequestClientApp != "Sentinel-General"ResponseCode != "200"ResponseRowCount == "5000" |
✓ | ✗ | ? |
MicrosoftPurviewInformationProtection |
✓ | ✗ | ✓ | |
OfficeActivity |
ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"Logon_Type != "Owner"OfficeObjectId has ".exe."OfficeWorkload == "Exchange"OfficeWorkload in "AzureActiveDirectory,MicrosoftTeams"OfficeWorkload has_any "Exchange,OneDrive"Parameters contains "ForwardTo"Parameters contains "ForwardingSmtpAddress"Parameters has "Deleted Items"Parameters has "Junk Email"RecordType in "ExchangeAdmin,SharePointFileOperation"SourceRelativeUrl has "Microsoft Teams Chat Files" |
✓ | ✗ | ✓ |
Operation |
? | ✗ | ? | |
SecurityAlert |
AlertName contains "PII"AlertName contains "anomal"AlertName contains "confidential"AlertName contains "data"AlertName contains "fusion"AlertName contains "intellectual"AlertName contains "leak"AlertName contains "sensitive"AlertName contains "spill"AlertName contains "steal"AlertName contains "theft"ProductName == "Microsoft 365 Insider Risk Management"ProviderName contains "anomal"ProviderName contains "fusion"Tactics contains "exfil" |
✓ | ✗ | ✓ |
SecurityEvent |
ErrorCode == "50126"EventID in "4723,4724" |
✓ | ✓ | ✓ |
SecurityIncident |
✓ | ✗ | ✓ | |
SigninLogs |
AppDisplayName contains "Portal" |
✓ | ✗ | ✓ |
Syslog |
Facility in "auth,authpriv" |
✓ | ✓ | ✓ |
Update |
✓ | ✗ | ? | |
Watchlist |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
↑ Back to Workbooks · Back to MicrosoftPurviewInsiderRiskManagement