Reference for Anomalies table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| ActivityInsights | dynamic | Insights about the activities corresponding to the generated anomaly as JSON. |
| AnomalyDetails | dynamic | JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly. |
| AnomalyReasons | dynamic | The detailed explanation of the generated anomaly as JSON. |
| AnomalyTemplateId | string | The ID of the Anomaly template that generated this anomaly. |
| AnomalyTemplateName | string | The name of the Anomaly template that generated this anomaly. |
| AnomalyTemplateVersion | string | The version of the Anomaly template that generated this anomaly. |
| Description | string | The description of the anomaly. |
| DestinationDevice | string | The destination device for which the anomaly was generated. |
| DestinationIpAddress | string | The destination IP address for which the anomaly was generated. |
| DestinationLocation | dynamic | Info about the destination location for which the anomaly was generated as JSON. |
| DeviceInsights | dynamic | Insights about the devices corresponding to the generated anomaly as JSON. |
| EndTime | datetime | The time (UTC) when the anomaly ended. |
| Entities | dynamic | JSON object containing all entities involved in the generated anomaly. |
| ExtendedLinks | dynamic | List of links pointing to the data that generated the anomaly. |
| ExtendedProperties | dynamic | JSON object with additional data on the anomaly as key-value pairs. |
| Id | string | The ID of the generated anomaly. |
| RuleConfigVersion | string | The configuration version of the Anomaly analytics rule that generated this anomaly. |
| RuleId | string | The ID of the Anomaly analytics rule that generated this anomaly. |
| RuleName | string | The name of the Anomaly analytics rule that generated this anomaly. |
| RuleStatus | string | The status (Flighting/Production) of the Anomaly analytics rule that generated this anomaly. |
| Score | real | The score of the anomaly. |
| SourceDevice | string | The source device for which the anomaly was generated. |
| SourceIpAddress | string | The source IP address for which the anomaly was generated. |
| SourceLocation | dynamic | Info about the source location for which the anomaly was generated as JSON. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| StartTime | datetime | The time (UTC) when the anomaly started. |
| Tactics | string | List of MITRE ATT&CK tactics (strings) corresponding to the anomaly. |
| Techniques | string | List of MITRE ATT&CK techniques (strings) corresponding to the anomaly. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) of when the anomaly was generated. |
| Type | string | The name of the table |
| UserInsights | dynamic | Insights about the users corresponding to the generated anomaly as JSON. |
| UserName | string | The username for which the anomaly was generated. |
| UserPrincipalName | string | The UPN of the user for which the anomaly was generated. |
| VendorName | string | The name of the vendor that generated this anomaly. |
| WorkspaceId | string | The ID of the Sentinel workspace. |
This table is used by the following solutions:
In solution DNS Essentials:
In solution Microsoft Entra ID:
In solution Network Session Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Time series anomaly for data size transferred to public internet | |
In solution Web Session Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | |
In solution DNS Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| [Anomaly] Anomalous Increase in DNS activity by clients (ASIM DNS Solution) | |
In solution Network Session Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Detect port misuse by anomaly (ASIM Network Session schema) | |
In solution UEBA Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous High-Score Activity Triage | |
| Anomaly Detection Trend Analysis | |
| Anomaly Template Distribution by Tactics and Techniques | |
| Top Anomalous Source IP Triage | |
| UEBA Multi-Source Anomalous Activity Overview | AnomalyTemplateName in "UEBA Anomalous Activity in GCP Audit Logs,UEBA Anomalous Activity in Okta_CL,UEBA Anomalous Authentication,UEBA Anomalous Logon in AwsCloudTrail,UEBA Anomalous MFA Failures in Okta_CL" |
| User-Centric Anomaly Investigation | UserPrincipalName == "myuser@mydomain.com" |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance | |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity | |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | |
In solution PCI DSS Compliance:
| Workbook | Selection Criteria |
|---|---|
| PCIDSSCompliance | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| AnomaliesVisualization | |
| AnomalyData | |
References by type: 0 connectors, 2 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| AnomalyTemplateName in "UEBA Anomalous Activity in GCP Audit Logs,UEBA Anomalous Activity in Okta_CL,UEBA Anomalous Authentication,UEBA Anomalous Logon in AwsCloudTrail,UEBA Anomalous MFA Failures in Okta_CL" | - | 1 | - | - | 1 |
| UserPrincipalName == "myuser@mydomain.com" | - | 1 | - | - | 1 |
| Total | 0 | 2 | 0 | 0 | 2 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| UEBA Anomalous Activity in GCP Audit Logs | - | 1 | - | - | 1 |
| UEBA Anomalous Activity in Okta_CL | - | 1 | - | - | 1 |
| UEBA Anomalous Authentication | - | 1 | - | - | 1 |
| UEBA Anomalous Logon in AwsCloudTrail | - | 1 | - | - | 1 |
| UEBA Anomalous MFA Failures in Okta_CL | - | 1 | - | - | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| myuser@mydomain.com | - | 1 | - | - | 1 |