AzureDiagnostics

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Reference for AzureDiagnostics table in Azure Monitor Logs.

Attribute	Value
Category	Various
Custom Log V1	Yes 🔶 — uses type-suffixed column names
Ingestion API Supported	✗ No
Azure Monitor Tables Reference	View Documentation

Schema
Solutions
Connectors
Content Items
Parsers

Schema (169 columns)

Source: Azure Monitor documentation

Column Name	Type	Description
_ResourceId	String	A unique identifier for the resource that the record is associated with
action_id_s	String
action_name_s	String
action_s	String
ActivityId_g	Guid
AdditionalFields
AdHocOrScheduledJob_s	String
application_name_s	String
audit_schema_version_d	Double
avg_cpu_percent_s	String
avg_mean_time_s	String
backendHostname_s	String
Caller_s	String
callerId_s	String
CallerIPAddress	String
calls_s	String
Category	String
client_ip_s	String
clientInfo_s	String
clientIP_s	String
clientIpAddress_s	String
clientPort_d	Double
code_s	String
collectionName_s	String
conditions_destinationIP_s	String
conditions_destinationPortRange_s	String
conditions_None_s	String
conditions_protocols_s	String
conditions_sourceIP_s	String
conditions_sourcePortRange_s	String
CorrelationId	String
count_executions_d	Double
cpu_time_d	Double
database_name_s	String
database_principal_name_s	String
DatabaseName_s	String
db_id_s	String
direction_s	String
dop_d	Double
duration_d	Double
duration_milliseconds_d	Double
DurationMs	BigInt
ElasticPoolName_s	String
endTime_t	DateTime
Environment_s	String
error_code_s	String
error_message_s	String
errorLevel_s	String
event_class_s	String
event_s	String
event_subclass_s	String
event_time_t	DateTime
EventName_s	String
execution_type_d	Double
executionInfo_endTime_t	DateTime
executionInfo_exitCode_d	Double
executionInfo_startTime_t	DateTime
host_s	String
httpMethod_s	String
httpStatus_d	Double
httpStatusCode_d	Double
httpStatusCode_s	String
httpVersion_s	String
id_s	String
identity_claim_appid_g	Guid
identity_claim_ipaddr_s	String
instanceId_s	String
interval_end_time_d	Double
interval_start_time_d	Double
ip_s	String
is_column_permission_s	String
isAccessPolicyMatch_b	Bool
JobDurationInSecs_s	String
JobFailureCode_s	String
JobId_g	Guid
jobId_s	String
JobOperation_s	String
JobOperationSubType_s	String
JobStartDateTime_s	String
JobStatus_s	String
JobUniqueId_g	Guid
Level	String
log_bytes_used_d	Double
logical_io_reads_d	Double
logical_io_writes_d	Double
LogicalServerName_s	String
macAddress_s	String
matchedConnections_d	Double
max_cpu_time_d	Double
max_dop_d	Double
max_duration_d	Double
max_log_bytes_used_d	Double
max_logical_io_reads_d	Double
max_logical_io_writes_d	Double
max_num_physical_io_reads_d	Double
max_physical_io_reads_d	Double
max_query_max_used_memory_d	Double
max_rowcount_d	Double
max_time_s	String
mean_time_s	String
Message	String
min_time_s	String
msg_s	String
num_physical_io_reads_d	Double
object_id_d	Double
object_name_s	String
OperationName	String
OperationVersion	String
partitionKey_s	String
physical_io_reads_d	Double
plan_id_d	Double
policy_s	String
policyMode_s	String
primaryIPv4Address_s	String
priority_d	Double
properties_enabledForDeployment_b	Bool
properties_enabledForDiskEncryption_b	Bool
properties_enabledForTemplateDeployment_b	Bool
properties_s	String
properties_sku_Family_s	String
properties_sku_Name_s	String
properties_tenantId_g	Guid
query_hash_s	String
query_id_d	Double
query_max_used_memory_d	Double
query_plan_hash_s	String
query_time_d	Double
querytext_s	String
receivedBytes_d	Double
Region_s	String
requestCharge_s	String
requestQuery_s	String
requestResourceId_s	String
requestResourceType_s	String
requestUri_s	String
reserved_storage_mb_s	String
Resource	String
resource_actionName_s	String
resource_location_s	String
resource_originRunId_s	String
resource_resourceGroupName_s	String
resource_runId_s	String
resource_subscriptionId_g	Guid
resource_triggerName_s	String
resource_workflowId_g	Guid
resource_workflowName_s	String
ResourceGroup	String
ResourceProvider	String
ResourceType	String
response_rows_d	Double
resultCode_s	String
ResultDescription	String
resultDescription_ChildJobs_s	String
resultDescription_ErrorJobs_s	String
resultMessage_s	String
ResultSignature	String
ResultType	String
rootCauseAnalysis_s	String
routingRuleName_s	String
rowcount_d	Double
ruleName_s	String
RunbookName_s	String
RunOn_s	String
schema_name_s	String
sentBytes_d	Double
sequence_group_id_g	Guid
sequence_number_d	Double
server_principal_sid_s	String
session_id_d	Double

Solutions (36)

This table is used by the following solutions:

Connectors (15)

This table is ingested by the following connectors:

Connector	Selection Criteria
Azure Batch Account	`ResourceProvider == "MICROSOFT.BATCH"`
Azure Cognitive Search	`ResourceProvider == "MICROSOFT.SEARCH"`
Azure Data Lake Storage Gen1	`ResourceProvider == "MICROSOFT.DATALAKESTORE"`
Azure Event Hub	`ResourceProvider == "MICROSOFT.EVENTHUB"`
Azure Firewall	`ResourceType == "AZUREFIREWALLS"`
Azure Key Vault	`ResourceProvider == "MICROSOFT.KEYVAULT"`
Azure Kubernetes Service (AKS)	`Category in "cluster-autoscaler,guard,kube-apiserver,kube-audit,kube-audit-admin,kube-controller-manager,kube-scheduler"`
Azure Logic Apps	`ResourceProvider == "MICROSOFT.LOGIC"`
Network Security Groups	`Category in "NetworkSecurityGroupEvent,NetworkSecurityGroupRuleCounter"`
Azure Service Bus	`ResourceProvider == "MICROSOFT.SERVICEBUS"`
Azure SQL Databases	`Category in "AutomaticTuning,Basic,Blocks,DatabaseWaitStatistics,Deadlocks,DevOpsOperationsAudit,Errors,InstanceAndAppAdvanced,QueryStoreWaitStatistics,SQLInsights,SQLSecurityAuditEvents,Timeouts,WorkloadManagement"` `Category contains "SQLSecurityAuditEvents"` `ResourceProvider == "MICROSOFT.SQL"` `ResourceType == "SERVERS/DATABASES"`
Azure Stream Analytics	`ResourceProvider == "MICROSOFT.STREAMANALYTICS"`
Azure DDoS Protection	`Category == "DDoSMitigationReports"` `ResourceType == "PUBLICIPADDRESSES"`
SlashNext Function App	`Resource == "SlashnextFunctionApp"`
Azure Web Application Firewall (WAF)	`ResourceType in "APPLICATIONGATEWAYS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS"`

Content Items Using This Table (107)

Analytic Rules (42)

In solution Apache Log4j Vulnerability Detection:

Analytic Rule	Selection Criteria
Azure WAF matching for Log4j vuln(CVE-2021-44228)	`Category in "ApplicationGatewayFirewallLog,FrontdoorWebApplicationFirewallLog"` `ResourceProvider == "MICROSOFT.NETWORK"`
Log4j vulnerability exploit aka Log4Shell IP IOC	`Category in "AzureFirewallApplicationRule,AzureFirewallNetworkRule"` `ResourceType == "AZUREFIREWALLS"`
User agent search for log4j exploitation attempt

In solution Azure DDoS Protection: Category == "DDoSMitigationFlowLogs"
ResourceType == "PUBLICIPADDRESSES"

Analytic Rule
DDoS Attack IP Addresses - PPS Threshold
DDoS Attack IP Addresses - Percent Threshold

In solution Azure Firewall:

Analytic Rule	Selection Criteria
Abnormal Deny Rate for Source IP
Abnormal Port to Protocol
Multiple Sources Affected by the Same TI Destination
Port Scan
Port Sweep
Several deny actions registered

In solution Azure Key Vault: ResourceType == "VAULTS"

Analytic Rule
Azure Key Vault access TimeSeries anomaly
Mass secret retrieval from Azure Key Vault
NRT Sensitive Azure Key Vault operations
Sensitive Azure Key Vault operations

In solution Azure SQL Database solution for sentinel: Category == "SQLSecurityAuditEvents"

Analytic Rule
Affected rows stateful anomaly on database
Credential errors stateful anomaly on database
Drop attempts stateful anomaly on database
Execution attempts stateful anomaly on database
Firewall errors stateful anomaly on database
Firewall rule manipulation attempts stateful anomaly on database
OLE object manipulation attempts stateful anomaly on database
Outgoing connection attempts stateful anomaly on database
Response rows stateful anomaly on database
Syntax errors stateful anomaly on database

In solution Azure Web Application Firewall (WAF): Category == "FrontDoorWebApplicationFirewallLog"

Analytic Rule
AFD WAF - Code Injection
AFD WAF - Path Traversal Attack
Front Door Premium WAF - SQLi Detection
Front Door Premium WAF - XSS Detection

In solution Threat Intelligence:

Analytic Rule	Selection Criteria
TI Map IP Entity to Azure SQL Security Audit Events	`Category == "SQLSecurityAuditEvents"` `ResourceProvider == "MICROSOFT.SQL"`
TI map IP entity to Azure Key Vault logs	`ResourceType == "VAULTS"`
TI map IP entity to AzureFirewall

In solution Threat Intelligence (NEW):

Analytic Rule	Selection Criteria
TI Map IP Entity to Azure SQL Security Audit Events	`Category == "SQLSecurityAuditEvents"` `ResourceProvider == "MICROSOFT.SQL"`
TI map IP entity to Azure Key Vault logs	`ResourceType == "VAULTS"`
TI map IP entity to AzureFirewall

In solution Zinc Open Source:

Analytic Rule	Selection Criteria
[Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022

Standalone Content:

Analytic Rule	Selection Criteria
Application Gateway WAF - SQLi Detection	`Category == "ApplicationGatewayFirewallLog"`
Application Gateway WAF - XSS Detection	`Category == "ApplicationGatewayFirewallLog"`
Known Forest Blizzard group domains - July 2019
Malformed user agent
Mercury - Domain, Hash and IP IOCs - August 2022
Star Blizzard C2 Domains August 2022

Hunting Queries (21)

In solution Apache Log4j Vulnerability Detection: Category in "ApplicationGatewayAccessLog,ApplicationGatewayFirewallLog,FrontdoorAccessLog,FrontdoorWebApplicationFirewallLog"

Hunting Query
Azure WAF Log4j CVE-2021-44228 hunting

In solution Azure Firewall:

Hunting Query	Selection Criteria
First Time Source IP to Destination
First Time Source IP to Destination Using Port
Source IP Abnormally Connects to Multiple Destinations
Uncommon Port for Organization
Uncommon Port to IP

In solution Azure SQL Database solution for sentinel:

Hunting Query	Selection Criteria
Affected rows stateful anomaly on database - hunting query	`Category == "SQLSecurityAuditEvents"`
Anomalous Query Execution Time	`Category == "SQLSecurityAuditEvents"`
Anomalous Query Execution Time	`Category == "SQLSecurityAuditEvents"`
Boolean Blind SQL Injection	`Category == "SQLSecurityAuditEvents"`
Prevalence Based SQL Query Size Anomaly	`Category == "SQLSecurityAuditEvents"`
Response rows stateful anomaly on database - hunting query	`Category == "SQLSecurityAuditEvents"`
Suspicious SQL Stored Procedures	`Category == "SQLSecurityAuditEvents"`
Time Based SQL Query Size Anomaly	`Category == "SQLSecurityAuditEvents"`

In solution Azure kubernetes Service:

Hunting Query	Selection Criteria
Azure RBAC AKS created role details	`Category == "kube-audit"`
Determine users with cluster admin role	`Category == "kube-audit"` `Resource == "ClusterRoleBinding"`

In solution Cloud Service Threat Protection Essentials: ResourceType == "VAULTS"

Hunting Query
Azure Key Vault Access Policy Manipulation

In solution Legacy IOC based Threat Protection: Category == "AzureFirewallNetworkRule"

Hunting Query
Connection from external IP to OMI related Ports

In solution Web Shells Threat Protection: Category in "ApplicationGatewayAccessLog,ApplicationGatewayFirewallLog,FrontdoorAccessLog,FrontdoorWebApplicationFirewallLog"

Hunting Query
Possible Webshell usage attempt related to SpringShell(CVE-2022-22965)

Standalone Content: Category == "NetworkSecurityGroupEvent"

Hunting Query
Check critical ports opened to the entire internet

GitHub Only: Category in "ApplicationGatewayAccessLog,ApplicationGatewayFirewallLog,FrontdoorAccessLog,FrontdoorWebApplicationFirewallLog"

Hunting Query
Possible SpringShell Exploitation Attempt (CVE-2022-22965)

Workbooks (44)

In solution Apache Log4j Vulnerability Detection: Category in "ApplicationGatewayAccessLog,ApplicationGatewayFirewallLog,FrontdoorAccessLog,FrontdoorWebApplicationFirewallLog"

Workbook
Log4jPostCompromiseHunting

In solution Azure DDoS Protection: Category in "DDoSMitigationFlowLogs,DDoSMitigationReports,DDoSProtectionNotifications"
Resource in ",{Resource:label}"

Workbook
AzDDoSStandardWorkbook

In solution Azure Firewall: Category in "AzureFirewallApplicationRule,AzureFirewallDnsProxy,AzureFirewallNetworkRule"
Resource in ",{Resource:label}"
ResourceType == "AZUREFIREWALLS"

Workbook
AzureFirewallWorkbook

In solution Azure Key Vault: Category == "AuditEvent"
ResourceType == "VAULTS"

Workbook
AzureKeyVaultWorkbook

In solution Azure SQL Database solution for sentinel: Category == "SQLSecurityAuditEvents"
ResourceType == "SERVERS/DATABASES"

Workbook
Workbook-AzureSQLSecurity

In solution Azure Web Application Firewall (WAF):

Workbook	Selection Criteria
WebApplicationFirewallFirewallEvents	`ResourceType == "APPLICATIONGATEWAYS"`
WebApplicationFirewallGatewayAccessEvents	`ResourceType == "APPLICATIONGATEWAYS"`
WebApplicationFirewallOverview	`ResourceType == "APPLICATIONGATEWAYS"`
WebApplicationFirewallWAFTypeEvents

In solution Azure kubernetes Service: Category == "kube-audit"
Resource in "clusterrolebindings,events,pods,secrets"

Workbook
AksSecurity

In solution AzureSecurityBenchmark: Category in "All,AzureFirewallNetworkRule,NetworkSecurityGroupRuleCounter"
ResourceProvider == "MICROSOFT.KEYVAULT"
ResourceType == "AZUREFIREWALLS"

Workbook
AzureSecurityBenchmark

In solution ContinuousDiagnostics&Mitigation: Category in "NetworkSecurityGroupEvent,kube-audit"
Category contains "SQL"
ResourceProvider == "MICROSOFT.KEYVAULT"
ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"

Workbook
ContinuousDiagnostics&Mitigation

In solution CybersecurityMaturityModelCertification(CMMC)2.0: Category == "AzureFirewallApplicationRule"

Workbook
CybersecurityMaturityModelCertification_CMMCV2

In solution DPDP Compliance: Category == "SQLSecurityAuditEvents"
ResourceType == "SERVERS/DATABASES"

Workbook
DPDPCompliance

In solution GDPR Compliance & Data Security: Category == "SQLSecurityAuditEvents"
ResourceType == "SERVERS/DATABASES"

Workbook
GDPRComplianceAndDataSecurity

In solution HIPAA Compliance: Category == "AzureFirewallNetworkRule"
Category == "SQLSecurityAuditEvents"

Workbook
HIPAACompliance

In solution MaturityModelForEventLogManagementM2131: Category in "AzureFirewallApplicationRule,AzureFirewallNetworkRule,EntitlementManagement,FrontdoorWebApplicationFirewallLog,GatewayDiagnosticLog,GroupManagement,IKEDiagnosticLog,NetworkSecurityGroupEvent,RouteDiagnosticLog,TunnelDiagnosticLog,UserManagement,WebApplicationFirewallLogs,kube-audit"
Category contains "SQL"
Resource == "SOC-NS-AG-WAFV2"
ResourceProvider in "MICROSOFT.CONTAINERSERVICE,MICROSOFT.KEYVAULT"
ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES,SERVERS/DATABASES"

Workbook
MaturityModelForEventLogManagement_M2131

In solution NISTSP80053: Category in "NetworkSecurityGroupEvent,kube-audit"
Category contains "SQL"
ResourceProvider == "MICROSOFT.KEYVAULT"
ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"

Workbook
NISTSP80053

In solution PCI DSS Compliance:

Workbook	Selection Criteria
PCIDSSCompliance

In solution SOC Handbook:

Workbook	Selection Criteria
AzureSentinelCost

In solution SentinelSOARessentials: ResourceProvider == "MICROSOFT.LOGIC"

Workbook
AutomationHealth

In solution ThreatAnalysis&Response: ResourceType == "PUBLICIPADDRESSES"

Workbook
DynamicThreatModeling&Response

In solution ZeroTrust(TIC3.0): Category in "ApplicationGatewayFirewallLog,AzureFirewallApplicationRule,AzureFirewallDnsProxy,AzureFirewallNetworkRule,DDoSMitigationReports,FrontdoorWebApplicationFirewallLog,NetworkSecurityGroupEvent,WebApplicationFirewallLogs,kube-audit"
Category contains "SQL"
Resource == "SOC-NS-AG-WAFV2"
ResourceProvider == "MICROSOFT.KEYVAULT"
ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"

Workbook
ZeroTrustTIC3

GitHub Only:

Workbook	Selection Criteria
AksSecurity	`Category == "kube-audit"` `Resource in "clusterrolebindings,events,pods,secrets"`
AutomationHealth	`ResourceProvider == "MICROSOFT.LOGIC"`
AzDDoSStandardWorkbook	`Category in "DDoSMitigationFlowLogs,DDoSMitigationReports,DDoSProtectionNotifications"` `Resource in ",{Resource:label}"`
AzureFirewall	`Category in "AzureFirewallApplicationRule,AzureFirewallNetworkRule"` `ResourceType == "AZUREFIREWALLS"`
AzureFirewallWorkbook	`Category in "AzureFirewallApplicationRule,AzureFirewallDnsProxy,AzureFirewallNetworkRule"` `Resource in ",{Resource:label}"` `ResourceType == "AZUREFIREWALLS"`
AzureKeyVaultWorkbook	`Category == "AuditEvent"` `ResourceType == "VAULTS"`
AzureLogCoverage
AzureOpenAIMonitoring	`Category == "RequestResponse"` `Resource contains "GPT3"` `ResourceProvider in "MICROSOFT.COGNITIVESERVICES,MICROSOFT.LOGIC"`
AzureSentinelCost
DataCollectionHealthMonitoring
DoDZeroTrustWorkbook	`Category in "Device,NetworkSecurityGroupEvent,kube-audit"` `Category contains "Device"` `Category contains "SQL"` `ResourceProvider == "MICROSOFT.KEYVAULT"` `ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"`
Log4jPostCompromiseHunting	`Category in "ApplicationGatewayAccessLog,ApplicationGatewayFirewallLog,FrontdoorAccessLog,FrontdoorWebApplicationFirewallLog"`
MicrosoftSentinelCostEUR
MicrosoftSentinelCostGBP
PlaybookHealth	`Resource == "Microsoft.EmptyWorkflow"` `ResourceProvider == "MICROSOFT.LOGIC"`
UserMap	`Category in "ApplicationGatewayFirewallLog,FrontdoorWebApplicationFirewallLog"` `ResourceProvider == "MICROSOFT.NETWORK"` `ResourceType == "FRONTDOORS"`
WebApplicationFirewallFirewallEvents	`ResourceType == "APPLICATIONGATEWAYS"`
WebApplicationFirewallGatewayAccessEvents	`ResourceType == "APPLICATIONGATEWAYS"`
WebApplicationFirewallOverview	`ResourceType == "APPLICATIONGATEWAYS"`
WebApplicationFirewallWAFTypeEvents
ZeroTrustStrategyWorkbook	`Category in "Device,NetworkSecurityGroupEvent,kube-audit"` `Category contains "Device"` `Category contains "SQL"` `ResourceProvider == "MICROSOFT.KEYVAULT"` `ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"`

Parsers Using This Table (2)

Other Parsers (2)

Parser	Solution	Selection Criteria
AzureFirewallApplicationRule	(Legacy)
AzureFirewallNetworkRule	(Legacy)	`Category == "AzureFirewallNetworkRule"`

Selection Criteria Summary (41 criteria, 80 total references)

References by type: 15 connectors, 64 content items, 0 ASIM parsers, 1 other parsers.

Selection Criteria	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Category == "SQLSecurityAuditEvents"`	-	18	-	-	18
`ResourceType == "VAULTS"`	-	7	-	-	7
`Category == "FrontDoorWebApplicationFirewallLog"`	-	4	-	-	4
`Category in "ApplicationGatewayAccessLog,ApplicationGatewayFirewallLog,FrontdoorAccessLog,FrontdoorWebApplicationFirewallLog"`	-	4	-	-	4
`Category == "SQLSecurityAuditEvents"` `ResourceType == "SERVERS/DATABASES"`	-	3	-	-	3
`ResourceType == "APPLICATIONGATEWAYS"`	-	3	-	-	3
`ResourceProvider == "MICROSOFT.LOGIC"`	1	1	-	-	2
`Category == "DDoSMitigationFlowLogs"` `ResourceType == "PUBLICIPADDRESSES"`	-	2	-	-	2
`Category == "SQLSecurityAuditEvents"` `ResourceProvider == "MICROSOFT.SQL"`	-	2	-	-	2
`Category == "ApplicationGatewayFirewallLog"`	-	2	-	-	2
`Category == "AzureFirewallNetworkRule"`	-	1	-	1	2
`Category in "NetworkSecurityGroupEvent,kube-audit"` `Category contains "SQL"` `ResourceProvider == "MICROSOFT.KEYVAULT"` `ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"`	-	2	-	-	2
`Category in "AutomaticTuning,Basic,Blocks,DatabaseWaitStatistics,Deadlocks,DevOpsOperationsAudit,Errors,InstanceAndAppAdvanced,QueryStoreWaitStatistics,SQLInsights,SQLSecurityAuditEvents,Timeouts,WorkloadManagement"` `Category contains "SQLSecurityAuditEvents"` `ResourceProvider == "MICROSOFT.SQL"` `ResourceType == "SERVERS/DATABASES"`	1	-	-	-	1
`Category in "cluster-autoscaler,guard,kube-apiserver,kube-audit,kube-audit-admin,kube-controller-manager,kube-scheduler"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.KEYVAULT"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.SERVICEBUS"`	1	-	-	-	1
`Category in "NetworkSecurityGroupEvent,NetworkSecurityGroupRuleCounter"`	1	-	-	-	1
`Resource == "SlashnextFunctionApp"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.BATCH"`	1	-	-	-	1
`Category == "DDoSMitigationReports"` `ResourceType == "PUBLICIPADDRESSES"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.EVENTHUB"`	1	-	-	-	1
`ResourceType in "APPLICATIONGATEWAYS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.SEARCH"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.DATALAKESTORE"`	1	-	-	-	1
`ResourceType == "AZUREFIREWALLS"`	1	-	-	-	1
`ResourceProvider == "MICROSOFT.STREAMANALYTICS"`	1	-	-	-	1
`Category in "ApplicationGatewayFirewallLog,FrontdoorWebApplicationFirewallLog"` `ResourceProvider == "MICROSOFT.NETWORK"`	-	1	-	-	1
`Category in "AzureFirewallApplicationRule,AzureFirewallNetworkRule"` `ResourceType == "AZUREFIREWALLS"`	-	1	-	-	1
`Category == "kube-audit"` `Resource == "ClusterRoleBinding"`	-	1	-	-	1
`Category == "kube-audit"`	-	1	-	-	1
`Category == "NetworkSecurityGroupEvent"`	-	1	-	-	1
`Category in "DDoSMitigationFlowLogs,DDoSMitigationReports,DDoSProtectionNotifications"` `Resource in ",{Resource:label}"`	-	1	-	-	1
`Category in "AzureFirewallApplicationRule,AzureFirewallDnsProxy,AzureFirewallNetworkRule"` `Resource in ",{Resource:label}"` `ResourceType == "AZUREFIREWALLS"`	-	1	-	-	1
`Category == "AuditEvent"` `ResourceType == "VAULTS"`	-	1	-	-	1
`Category == "kube-audit"` `Resource in "clusterrolebindings,events,pods,secrets"`	-	1	-	-	1
`Category in "All,AzureFirewallNetworkRule,NetworkSecurityGroupRuleCounter"` `ResourceProvider == "MICROSOFT.KEYVAULT"` `ResourceType == "AZUREFIREWALLS"`	-	1	-	-	1
`Category == "AzureFirewallApplicationRule"`	-	1	-	-	1
`Category == "AzureFirewallNetworkRule"` `Category == "SQLSecurityAuditEvents"`	-	1	-	-	1
`Category in "AzureFirewallApplicationRule,AzureFirewallNetworkRule,EntitlementManagement,FrontdoorWebApplicationFirewallLog,GatewayDiagnosticLog,GroupManagement,IKEDiagnosticLog,NetworkSecurityGroupEvent,RouteDiagnosticLog,TunnelDiagnosticLog,UserManagement,WebApplicationFirewallLogs,kube-audit"` `Category contains "SQL"` `Resource == "SOC-NS-AG-WAFV2"` `ResourceProvider in "MICROSOFT.CONTAINERSERVICE,MICROSOFT.KEYVAULT"` `ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES,SERVERS/DATABASES"`	-	1	-	-	1
`ResourceType == "PUBLICIPADDRESSES"`	-	1	-	-	1
`Category in "ApplicationGatewayFirewallLog,AzureFirewallApplicationRule,AzureFirewallDnsProxy,AzureFirewallNetworkRule,DDoSMitigationReports,FrontdoorWebApplicationFirewallLog,NetworkSecurityGroupEvent,WebApplicationFirewallLogs,kube-audit"` `Category contains "SQL"` `Resource == "SOC-NS-AG-WAFV2"` `ResourceProvider == "MICROSOFT.KEYVAULT"` `ResourceType in "APPLICATIONGATEWAYS,AZUREFIREWALLS,CDNWEBAPPLICATIONFIREWALLPOLICIES,FRONTDOORS,PROFILES,PUBLICIPADDRESSES"`	-	1	-	-	1
Total	15	64	0	1	80

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`SQLSecurityAuditEvents`	1	24	-	-	25
`kube-audit`	1	7	-	-	8
`ApplicationGatewayFirewallLog`	-	8	-	-	8
`AzureFirewallNetworkRule`	-	7	-	1	8
`FrontdoorWebApplicationFirewallLog`	-	7	-	-	7
`NetworkSecurityGroupEvent`	1	5	-	-	6
`AzureFirewallApplicationRule`	-	5	-	-	5
`FrontDoorWebApplicationFirewallLog`	-	4	-	-	4
`ApplicationGatewayAccessLog`	-	4	-	-	4
`FrontdoorAccessLog`	-	4	-	-	4
`contains SQL`	-	4	-	-	4
`DDoSMitigationReports`	1	2	-	-	3
`DDoSMitigationFlowLogs`	-	3	-	-	3
`NetworkSecurityGroupRuleCounter`	1	1	-	-	2
`AzureFirewallDnsProxy`	-	2	-	-	2
`WebApplicationFirewallLogs`	-	2	-	-	2
`AutomaticTuning`	1	-	-	-	1
`Basic`	1	-	-	-	1
`Blocks`	1	-	-	-	1
`DatabaseWaitStatistics`	1	-	-	-	1
`Deadlocks`	1	-	-	-	1
`DevOpsOperationsAudit`	1	-	-	-	1
`Errors`	1	-	-	-	1
`InstanceAndAppAdvanced`	1	-	-	-	1
`QueryStoreWaitStatistics`	1	-	-	-	1
`SQLInsights`	1	-	-	-	1
`Timeouts`	1	-	-	-	1
`WorkloadManagement`	1	-	-	-	1
`contains SQLSecurityAuditEvents`	1	-	-	-	1
`cluster-autoscaler`	1	-	-	-	1
`guard`	1	-	-	-	1
`kube-apiserver`	1	-	-	-	1
`kube-audit-admin`	1	-	-	-	1
`kube-controller-manager`	1	-	-	-	1
`kube-scheduler`	1	-	-	-	1
`DDoSProtectionNotifications`	-	1	-	-	1
`AuditEvent`	-	1	-	-	1
`All`	-	1	-	-	1
`EntitlementManagement`	-	1	-	-	1
`GatewayDiagnosticLog`	-	1	-	-	1
`GroupManagement`	-	1	-	-	1
`IKEDiagnosticLog`	-	1	-	-	1
`RouteDiagnosticLog`	-	1	-	-	1
`TunnelDiagnosticLog`	-	1	-	-	1
`UserManagement`	-	1	-	-	1

Resource

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`{Resource:label}`	-	2	-	-	2
`SOC-NS-AG-WAFV2`	-	2	-	-	2
`SlashnextFunctionApp`	1	-	-	-	1
`ClusterRoleBinding`	-	1	-	-	1
`clusterrolebindings`	-	1	-	-	1
`events`	-	1	-	-	1
`pods`	-	1	-	-	1
`secrets`	-	1	-	-	1

ResourceProvider

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`MICROSOFT.KEYVAULT`	1	5	-	-	6
`MICROSOFT.SQL`	1	2	-	-	3
`MICROSOFT.LOGIC`	1	1	-	-	2
`MICROSOFT.SERVICEBUS`	1	-	-	-	1
`MICROSOFT.BATCH`	1	-	-	-	1
`MICROSOFT.EVENTHUB`	1	-	-	-	1
`MICROSOFT.SEARCH`	1	-	-	-	1
`MICROSOFT.DATALAKESTORE`	1	-	-	-	1
`MICROSOFT.STREAMANALYTICS`	1	-	-	-	1
`MICROSOFT.NETWORK`	-	1	-	-	1
`MICROSOFT.CONTAINERSERVICE`	-	1	-	-	1

ResourceType

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`PUBLICIPADDRESSES`	1	7	-	-	8
`APPLICATIONGATEWAYS`	1	7	-	-	8
`AZUREFIREWALLS`	1	7	-	-	8
`VAULTS`	-	8	-	-	8
`SERVERS/DATABASES`	1	4	-	-	5
`CDNWEBAPPLICATIONFIREWALLPOLICIES`	1	4	-	-	5
`FRONTDOORS`	1	4	-	-	5
`PROFILES`	-	4	-	-	4