Reference for Anomalies table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
| Azure Monitor Logs Ingestion API | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is `false`, ingestion isn't billed to your Azure account |
| ActivityInsights | dynamic | Insights about the activities corresponding to the generated anomaly as JSON. |
| AnomalyDetails | dynamic | JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly. |
| AnomalyReasons | dynamic | The detailed explanation of the generated anomaly as JSON. |
| AnomalyTemplateId | string | The ID of the Anomaly template that generated this anomaly. |
| AnomalyTemplateName | string | The name of the Anomaly template that generated this anomaly. |
| AnomalyTemplateVersion | string | The version of the Anomaly template that generated this anomaly. |
| Description | string | The description of the anomaly. |
| DestinationDevice | string | The destination device for which the anomaly was generated. |
| DestinationIpAddress | string | The destination IP address for which the anomaly was generated. |
| DestinationLocation | dynamic | Info about the destination location for which the anomaly was generated as JSON. |
| DeviceInsights | dynamic | Insights about the devices corresponding to the generated anomaly as JSON. |
| EndTime | datetime | The time (UTC) when the anomaly ended. |
| Entities | dynamic | JSON object containing all entities involved in the generated anomaly. |
| ExtendedLinks | dynamic | List of links pointing to the data that generated the anomaly. |
| ExtendedProperties | dynamic | JSON object with additional data on the anomaly as key-value pairs. |
| Id | string | The ID of the generated anomaly. |
| RuleConfigVersion | string | The configuration version of the Anomaly analytics rule that generated this anomaly. |
| RuleId | string | The ID of the Anomaly analytics rule that generated this anomaly. |
| RuleName | string | The name of the Anomaly analytics rule that generated this anomaly. |
| RuleStatus | string | The status (Flighting/Production) of the Anomaly analytics rule that generated this anomaly. |
| Score | real | The score of the anomaly. |
| SourceDevice | string | The source device for which the anomaly was generated. |
| SourceIpAddress | string | The source IP address for which the anomaly was generated. |
| SourceLocation | dynamic | Info about the source location for which the anomaly was generated as JSON. |
| SourceSystem | string | The type of agent the event was collected by. For example, `OpsManager` for the Windows agent (either direct connect or Operations Manager), `Linux` for all Linux agents, or `Azure` for Azure Diagnostics |
| StartTime | datetime | The time (UTC) when the anomaly started. |
| Tactics | string | List of MITRE ATT&CK tactics (strings) corresponding to the anomaly. |
| Techniques | string | List of MITRE ATT&CK techniques (strings) corresponding to the anomaly. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) of when the anomaly was generated. |
| Type | string | The name of the table |
| UserInsights | dynamic | Insights about the users corresponding to the generated anomaly as JSON. |
| UserName | string | The username for which the anomaly was generated. |
| UserPrincipalName | string | The UPN of the user for which the anomaly was generated. |
| VendorName | string | The name of the vendor that generated this anomaly. |
| WorkspaceId | string | The ID of the Sentinel workspace. |
This table is used by the following solutions:
In solution DNS Essentials:
In solution Microsoft Entra ID:
In solution Network Session Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Anomaly found in Network Session Traffic (ASIM Network Session schema) | |
| Detect port misuse by anomaly based detection (ASIM Network Session schema) | |
In solution SecurityThreatEssentialSolution:
| Analytic Rule | Selection Criteria |
|---|---|
| Threat Essentials - Time series anomaly for data size transferred to public internet | |
In solution Web Session Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Detect unauthorized data transfers using timeseries anomaly (ASIM Web Session) | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Time series anomaly for data size transferred to public internet | |
GitHub Only:
| Analytic Rule | Selection Criteria |
|---|---|
| Unusual Anomaly | |
In solution DNS Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| [Anomaly] Anomalous Increase in DNS activity by clients (ASIM DNS Solution) | |
In solution Network Session Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Detect port misuse by anomaly (ASIM Network Session schema) | |
In solution UEBA Essentials:
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| User Accounts - Successful Sign in Spikes | |
In solution DPDP Compliance:
| Workbook | Selection Criteria |
|---|---|
| DPDPCompliance | |
In solution GDPR Compliance & Data Security:
| Workbook | Selection Criteria |
|---|---|
| GDPRComplianceAndDataSecurity | |
In solution MicrosoftPurviewInsiderRiskManagement:
| Workbook | Selection Criteria |
|---|---|
| InsiderRiskManagement | |
In solution PCI DSS Compliance:
| Workbook | Selection Criteria |
|---|---|
| PCIDSSCompliance | |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| AnomaliesVisualization | |
| AnomalyData | |
GitHub Only: