AlertInfo



Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization

Attribute                              Value
Category                               Internal
Basic Logs Eligible                    ✓ Yes
Supports Transformations               ✓ Yes
Ingestion API Supported                ✗ No
Azure Monitor Tables Reference         View Documentation
Defender XDR Advanced Hunting Schema   View Documentation

Contents

Schema (13 columns)

Source: Azure Monitor documentation

Column Name        Type       Description
_BilledSize        real       The record size in bytes.
_IsBillable        string     Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account.
AlertId            string     Unique identifier for the alert.
AttackTechniques   string     MITRE ATT&CK techniques associated with the activity that triggered the alert.
Category           string     Type of threat indicator or breach activity identified by the alert.
DetectionSource    string     Detection technology or sensor that identified the notable component or activity.
ServiceSource      string     Product or service that provided the alert information.
Severity           string     Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert.
SourceSystem       string     The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics.
TenantId           string     The Log Analytics workspace ID.
TimeGenerated      datetime   Date and time (UTC) when the record was generated.
Title              string     Title of the alert.
Type               string     The name of the table.

Solutions (1)

This table is used by the following solutions:


Content Items Using This Table (35)

Analytic Rules (1)

In solution Microsoft Defender XDR:

Analytic Rule Selection Criteria
Potential Ransomware activity related to Cobalt Strike

Hunting Queries (32)

In solution Microsoft Defender XDR:

Hunting Query Selection Criteria
Alerts Related to Log4j Vulnerability
Devices with Log4j vulnerability alerts and additional other alert related context
Microsoft Teams chat initiated by a suspicious external user
Potential Ransomware activity related to Cobalt Strike

GitHub Only:

Hunting Query Selection Criteria
Alerts related to Log4j vulnerability
Antivirus detections (1)
Baseline Comparison
Cobalt Strike Lateral Movement
Devices with Log4j vulnerability alerts and additional other alert related context
Distribution from remote location
Events surrounding alert (1)
Events surrounding alert (3)
ExploitGuardBlockOfficeChildProcess (1)
ExploitGuardBlockOfficeChildProcess (3)
File Backup Deletion Alerts
Gootkit File Delivery
Gootkit-malware
ImpersonatedUserFootprint
Microsoft Teams chat initiated by a suspicious external user
Open email link
Potential ransomware activity related to Cobalt Strike
Ransomware hits healthcare - Backup deletion
Ransomware hits healthcare - Possible compromised accounts
Sticky Keys
SuspiciousUrlClicked
URL click on ZAP email
URL click on ZAP email
URLClick details based on malicious URL click alert
URLClick details based on malicious URL click alert
backup-deletion
cobalt-strike
identify-accounts-logged-on-to-endpoints-affected-by-cobalt-strike

Workbooks (2)

GitHub Only (selection criteria: ActionType in "Add member to role, Add user, InteractiveLogon, LogonSuccess, RemoteInteractiveLogon, Reset user password, ResourceAccess, Sign-in, Update user"):

Workbook
DoDZeroTrustWorkbook
ZeroTrustStrategyWorkbook
