Files, IP addresses, URLs, users, or devices associated with alerts
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountObjectId | string | Unique identifier for the account in Azure Active Directory. |
| AccountSid | string | Security Identifier (SID) of the account. |
| AccountUpn | string | User principal name (UPN) of the account. |
| AdditionalFields | dynamic | Additional information about the event in JSON array format. |
| AlertId | string | Unique identifier for the alert. |
| Application | string | Application that performed the recorded action. |
| ApplicationId | int | Unique identifier for the application. |
| AttackTechniques | string | MITRE ATT&CK techniques associated with the activity that triggered the alert. |
| Categories | string | List of categories that the information belongs to, in JSON array format. |
| CloudPlatform | string | The cloud platform that the resource belongs to; can be Azure, Amazon Web Services, or Google Cloud Platform. |
| CloudResource | string | Cloud resource name. |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine. |
| EmailSubject | string | Subject of the email. |
| EntityType | string | Type of object, such as a file, a process, a device, or a user. |
| EvidenceDirection | string | Indicates whether the entity is the source or the destination of a network connection. |
| EvidenceRole | string | How the entity is involved in an alert, indicating whether it is impacted or is merely related. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| LocalIP | string | IP address assigned to the local device used during communication. |
| NetworkMessageId | string | Unique identifier for the email, generated by Office 365. |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application. |
| ProcessCommandLine | string | Command line used to create the new process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ServiceSource | string | Product or service that provided the alert information. |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated; use the SHA1 column when available. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID. |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under. |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated. |
| Title | string | Title of the alert. |
| Type | string | The name of the table. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Possible Phishing with CSL and Network Sessions | ActionType == "BrowserLaunchedToOpenUrl" |
In solution Vectra XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Defender Alert Evidence | |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| MDE_Evidenceforasingledevice | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Baseline Comparison | |
| Identify Microsoft Defender Antivirus detection related to EUROPIUM | |
| ImpersonatedUserFootprint | ActionType == "LogonSuccess" |
| KNOTWEED-AV Detections | |
| MDO daily detection summary report | |
| MDO daily detection summary report | |
| SuspiciousUrlClicked | ActionType == "BrowserLaunchedToOpenUrl" |
| URL click on ZAP email | |
| URL click on ZAP email | |
| URLClick details based on malicious URL click alert | |
| URLClick details based on malicious URL click alert | |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 | |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForOffice365detectionsandinsights | ActionType == "Automated Remediation" |
In solution NISTSP80053:
| Workbook | Selection Criteria |
|---|---|
| NISTSP80053 | |
In solution ZeroTrust(TIC3.0):
| Workbook | Selection Criteria |
|---|---|
| ZeroTrustTIC3 | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| DoDZeroTrustWorkbook | |
| ZeroTrustStrategyWorkbook | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAlertEventMicrosoftDefenderXDR | AlertEvent | Microsoft Defender XDR | |
References by type: 0 connectors, 4 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "BrowserLaunchedToOpenUrl" | - | 2 | - | - | 2 |
| ActionType == "LogonSuccess" | - | 1 | - | - | 1 |
| ActionType == "Automated Remediation" | - | 1 | - | - | 1 |
| Total | 0 | 4 | 0 | 0 | 4 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| BrowserLaunchedToOpenUrl | - | 2 | - | - | 2 |
| LogonSuccess | - | 1 | - | - | 1 |
| Automated Remediation | - | 1 | - | - | 1 |