Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection
| Attribute | Value |
|---|---|
| Category | MDE |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountSid | string | Security identifier (SID) of the account. |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| CreatedProcessSessionId | long | Windows session ID of the created process. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| FileName | string | Name of the file that the recorded action was applied to. |
| FileOriginIP | string | IP address where the file was downloaded from. |
| FileOriginUrl | string | URL where the file was downloaded from. |
| FileSize | long | Size of the file in bytes. |
| FolderPath | string | Folder containing the file that the recorded action was applied to. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event. |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event. |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the process responsible for the event. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event. |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the process responsible for the event. |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the process that initiated the event. |
| InitiatingProcessFileSize | long | Size in bytes of the file that ran the process responsible for the event. |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event. |
| InitiatingProcessId | long | Process ID (PID) of the process that initiated the event. |
| InitiatingProcessLogonId | long | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event. |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event. |
| InitiatingProcessParentId | long | Process ID (PID) of the parent process that spawned the process responsible for the event. |
| InitiatingProcessRemoteSessionDeviceName | string | Device name of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessRemoteSessionIP | string | IP address of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessSessionId | long | Windows session ID of the initiating process. |
| InitiatingProcessSHA1 | string | SHA-1 hash of the process (image file) that initiated the event. |
| InitiatingProcessSHA256 | string | SHA-256 hash of the process (image file) that initiated the event. This field is usually not populated - use the SHA1 column when available. |
| InitiatingProcessUniqueId | string | Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices. |
| InitiatingProcessVersionInfoCompanyName | string | Company name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoFileDescription | string | Description from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoInternalFileName | string | Internal file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoOriginalFileName | string | Original file name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductName | string | Product name from the version information of the process (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductVersion | string | Product version from the version information of the process (image file) responsible for the event. |
| IsInitiatingProcessRemoteSession | bool | Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| IsProcessRemoteSession | bool | Indicates whether the created process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| LocalPort | int | TCP port on the local machine used during communication. |
| LogonId | long | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to. |
| ProcessCommandLine | string | Command line used to create the new process. |
| ProcessCreationTime | datetime | Date and time the process was created. |
| ProcessId | long | Process ID (PID) of the newly created process. |
| ProcessRemoteSessionDeviceName | string | Device name of the remote device from which the created process's RDP session was initiated. |
| ProcessRemoteSessionIP | string | IP address of the remote device from which the created process's RDP session was initiated. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteDeviceName | string | Name of the device that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to. |
| RemotePort | int | TCP port on the remote device that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 hash of the file that the recorded action was applied to. |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time the event was recorded by the MDE agent on the endpoint. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Endpoint Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Suspicious Powershell Commandlet Executed | ActionType == "PowerShellCommand" |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| Office ASR rule triggered from browser spawned office process. | ActionType contains "Office" |
| Suspicious Process Injection from Office application | ActionType in "CreateRemoteThreadApiCall,QueueUserApcRemoteApiCall,SetThreadContextRemoteApiCall" |
| Suspicious named pipes | ActionType == "NamedPipeEvent" |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in DeviceEvents | |
In solution Microsoft Business Applications:
| Analytic Rule | Selection Criteria |
|---|---|
| Dataverse - Terminated employee exfiltration to USB drive | |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| C2-NamedPipe | ActionType == "NamedPipeEvent" |
| Deimos Component Execution | ActionType == "AmsiScriptContent" |
| Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 | |
| Files Copied to USB Drives | ActionType in "FileCreated,UsbDriveMounted" |
| Local Admin Group Changes | ActionType == "UserAccountAddedToLocalGroup"; ActionType contains "UserAccountCreated"; ActionType contains "UserAccountModified" |
| Possible Phishing with CSL and Network Sessions | |
| SUNSPOT malware hashes | |
| TEARDROP memory-only dropper | ActionType has "ExploitGuardNonMicrosoftSignedBlocked" |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| ADFS DKM Master Key Export | |
| Azure VM Run Command operations executing a unique PowerShell script | |
| Mass Download & copy to USB device by single user | ActionType in "FileCreated,FileDownloaded,FileRenamed,UsbDriveMounted" |
| Prestige ransomware IOCs Oct 2022 | |
| Windows host username encoded in base64 web request | |
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Suspicious Powershell Commandlet Execution | ActionType == "PowerShellCommand" |
In solution Microsoft Business Applications:
| Hunting Query | Selection Criteria |
|---|---|
| Dataverse - Dataverse export copied to USB devices | |
In solution Microsoft Defender XDR:
| Hunting Query | Selection Criteria |
|---|---|
| Anomalous Payload Delivered from ISO files | ActionType == "BrowserLaunchedToOpenUrl" |
| C2-NamedPipe | ActionType == "NamedPipeEvent" |
| Deimos Component Execution | ActionType == "AmsiScriptContent" |
| Files Copied to USB Drives | ActionType in "FileCreated,UsbDriveMounted" |
| LemonDuck Registration Function | ActionType == "PowerShellCommand" |
| Local Admin Group Changes | ActionType == "UserAccountAddedToLocalGroup"; ActionType contains "UserAccountCreated"; ActionType contains "UserAccountModified" |
| Scheduled Task Creation | ActionType == "ScheduledTaskCreated" |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| MDE_AVScanTimesAndType | ActionType in "AntivirusScanCancelled,AntivirusScanCompleted" |
| MDE_BlockingASRRules | ActionType startswith "ASR" |
| MDE_ListAlPnPDevicesAllowedorBlocked | ActionType in "PnpDeviceAllowed,PnpDeviceBlocked" |
| MDE_ShowUSBMountedDevicesAndDriveLetter | ActionType contains "USB" |
| MDE_ShowUSBMountedandfilescopied | ActionType == "FileCreated"; ActionType contains "USB" |
| MDE_SmartScreenCheck | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| ARS Ransomware Event triggered | ActionType has_any "AsrRansomwareAudited,AsrRansomwareBlocked" |
| ASR rules categorized detection graph | ActionType in "AsrAdobeReaderChildProcessBlocked,AsrExecutableEmailContentBlocked,AsrExecutableOfficeContentBlocked,AsrLsassCredentialTheftBlocked,AsrObfuscatedScriptBlocked,AsrOfficeChildProcessBlocked,AsrOfficeCommAppChildProcessBlocked,AsrOfficeMacroWin32ApiCallsBlocked,AsrOfficeProcessInjectionBlocked,AsrPersistenceThroughWmiBlocked,AsrPsexecWmiChildProcessBlocked,AsrRansomwareBlocked,AsrScriptExecutableDownloadBlocked,AsrUntrustedExecutableBlocked,AsrUntrustedUsbProcessBlocked,AsrVulnerableSignedDriverBlocked"; ActionType startswith "asr" |
| AV Detections with Source | ActionType == "AntivirusDetection" |
| AV Detections with USB Disk Drive | ActionType in "AntivirusDetection,PnpDeviceConnected" |
| Antivirus detections | ActionType == "AntivirusDetection" |
| Azure VM Run Command linked with MDE | |
| Baseline Comparison | |
| C2-NamedPipe | ActionType == "NamedPipeEvent" |
| Create account (1) | ActionType == "UserAccountCreated" |
| DNSPattern [Nobelium] | |
| Doc attachment with link to download | ActionType == "BrowserLaunchedToOpenUrl" |
| Email link + download + SmartScreen warning | ActionType in "BrowserLaunchedToOpenUrl,SmartScreenAppWarning,SmartScreenUserOverride" |
| EncodedDomainURL [Nobelium] | |
| ExploitGuardASRStats | ActionType endswith "Audited"; ActionType startswith "Asr" |
| ExploitGuardASRStats (1) | ActionType endswith "Blocked"; ActionType startswith "Asr" |
| ExploitGuardASRStats (2) | ActionType endswith "Audited"; ActionType startswith "ASR" |
| ExploitGuardAsrDescriptions | ActionType startswith "Asr" |
| ExploitGuardBlockOfficeChildProcess | ActionType == "AsrOfficeChildProcessBlocked" |
| ExploitGuardBlockOfficeChildProcess (2) | ActionType == "AsrOfficeChildProcessBlocked" |
| ExploitGuardControlledFolderAccess | ActionType startswith "ControlledFolderAccess" |
| ExploitGuardControlledFolderAccess (1) | ActionType startswith "ControlledFolderAccess" |
| ExploitGuardControlledFolderAccess (2) | ActionType contains "ControlledFolderAccess" |
| ExploitGuardNetworkProtectionEvents | ActionType == "ExploitGuardNetworkProtectionBlocked" |
| ExploitGuardStats | ActionType endswith "Blocked"; ActionType startswith "ExploitGuard" |
| ExploitGuardStats (1) | ActionType endswith "Audited"; ActionType startswith "ExploitGuard" |
| Files copied to USB drives | ActionType in "FileCreated,UsbDriveMounted" |
| LemonDuck-registration-function | ActionType == "PowerShellCommand" |
| LocalAdminGroupChanges | ActionType == "UserAccountAddedToLocalGroup"; ActionType contains "UserAccountCreated"; ActionType contains "UserAccountModified" |
| Map external devices | ActionType == "PnpDeviceConnected" |
| Map external devices (1) | ActionType == "PnpDeviceConnected" |
| Open email link | ActionType == "BrowserLaunchedToOpenUrl" |
| PUA ThreatName per Computer | ActionType == "AntivirusDetection" |
| Pivot from detections to related downloads | ActionType == "AntivirusDetection" |
| Possible File Copy to USB Drive | ActionType == "PnpDeviceConnected" |
| PowershellCommand - uncommon commands on machine | ActionType == "PowerShellCommand" |
| PowershellCommand footprint | ActionType == "PowerShellCommand" |
| SmartScreen URL block ignored by user | ActionType in "SmartScreenUrlWarning,SmartScreenUserOverride" |
| SmartScreen app block ignored by user | ActionType in "SmartScreenAppWarning,SmartScreenUserOverride" |
| SuspiciousUrlClicked | |
| System Guard Security Level Baseline | ActionType == "DeviceBootAttestationInfo" |
| System Guard Security Level Drop | ActionType == "DeviceBootAttestationInfo" |
| User navigation to redirected URL | ActionType == "BrowserLaunchedToOpenUrl" |
| Web Content Filtering Events | ActionType in "ExploitGuardNetworkProtectionAudited,ExploitGuardNetworkProtectionBlocked"; ActionType startswith "SmartScreenUrl" |
| Windows filtering events (Firewall) | ActionType in "FirewallInboundConnectionBlocked,FirewallInboundConnectionToAppBlocked,FirewallOutboundConnectionBlocked" |
| anomalous-payload-delivered-from-iso-file | ActionType == "BrowserLaunchedToOpenUrl" |
| c2-lookup-from-nonbrowser[Nobelium] | ActionType == "DnsQueryResponse" |
| c2-lookup-response[Nobelium] | ActionType == "DnsQueryResponse" |
| deimos-component-execution | ActionType == "AmsiScriptContent" |
| detect-impacket-atexec | |
| detect-impacket-psexec-module | ActionType == "FileCreated" |
| detect-impacket-wmiexec | |
| detect-impacket-wmiexec | |
| detect-impacket-wmiexec | |
| detect-impacket-wmipersist | ActionType == "WmiBindEventFilterToConsumer" |
| insider-threat-detection-queries (12) | ActionType == "UserAccountCreated" |
| insider-threat-detection-queries (19) | ActionType == "UserAccountCreated" |
| insider-threat-detection-queries (4) | ActionType startswith "ScreenshotTaken" |
| lsass-credential-dumping | ActionType in "FileCreated,OpenProcessApiCall" |
| rare_sch_task_with_activity | |
| scheduled task creation | ActionType == "ScheduledTaskCreated" |
| snip3-detectsanboxie-function-call | ActionType == "PowerShellCommand" |
In solution ContinuousDiagnostics&Mitigation:
| Workbook | Selection Criteria |
|---|---|
| ContinuousDiagnostics&Mitigation | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | ActionType in "FileCreated,UsbDriveMounted" |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForEndPoint | ActionType in "AntivirusDetection,PnpDeviceConnected"; ActionType endswith "Audited"; ActionType endswith "Blocked"; ActionType startswith "Asr" |
In solution SOC Handbook:
| Workbook | Selection Criteria |
|---|---|
| AttackSurfaceReduction | ActionType startswith "Asr" |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AttackSurfaceReduction | ActionType startswith "Asr" |
| DoDZeroTrustWorkbook | ActionType startswith "Asr" |
| ExchangeCompromiseHunting | |
| MicrosoftDefenderForEndPoint | ActionType in "AntivirusDetection,PnpDeviceConnected"; ActionType endswith "Audited"; ActionType endswith "Blocked"; ActionType startswith "Asr" |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SolarWindsPostCompromiseHunting | ActionType contains "ExploitGuardNonMicrosoftSignedBlocked" |
| ZeroTrustStrategyWorkbook | ActionType startswith "Asr" |
References by type: 0 connectors, 77 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "PowerShellCommand" | - | 7 | - | - | 7 |
| ActionType == "BrowserLaunchedToOpenUrl" | - | 5 | - | - | 5 |
| ActionType == "NamedPipeEvent" | - | 4 | - | - | 4 |
| ActionType in "FileCreated,UsbDriveMounted" | - | 4 | - | - | 4 |
| ActionType == "AntivirusDetection" | - | 4 | - | - | 4 |
| ActionType == "UserAccountAddedToLocalGroup"; ActionType contains "UserAccountCreated"; ActionType contains "UserAccountModified" | - | 3 | - | - | 3 |
| ActionType == "AmsiScriptContent" | - | 3 | - | - | 3 |
| ActionType == "PnpDeviceConnected" | - | 3 | - | - | 3 |
| ActionType == "UserAccountCreated" | - | 3 | - | - | 3 |
| ActionType == "ScheduledTaskCreated" | - | 2 | - | - | 2 |
| ActionType == "DnsQueryResponse" | - | 2 | - | - | 2 |
| ActionType == "DeviceBootAttestationInfo" | - | 2 | - | - | 2 |
| ActionType startswith "Asr" | - | 2 | - | - | 2 |
| ActionType == "AsrOfficeChildProcessBlocked" | - | 2 | - | - | 2 |
| ActionType startswith "ControlledFolderAccess" | - | 2 | - | - | 2 |
| ActionType contains "Office" | - | 1 | - | - | 1 |
| ActionType in "CreateRemoteThreadApiCall,QueueUserApcRemoteApiCall,SetThreadContextRemoteApiCall" | - | 1 | - | - | 1 |
| ActionType has "ExploitGuardNonMicrosoftSignedBlocked" | - | 1 | - | - | 1 |
| ActionType in "FileCreated,FileDownloaded,FileRenamed,UsbDriveMounted" | - | 1 | - | - | 1 |
| ActionType in "AsrAdobeReaderChildProcessBlocked,AsrExecutableEmailContentBlocked,AsrExecutableOfficeContentBlocked,AsrLsassCredentialTheftBlocked,AsrObfuscatedScriptBlocked,AsrOfficeChildProcessBlocked,AsrOfficeCommAppChildProcessBlocked,AsrOfficeMacroWin32ApiCallsBlocked,AsrOfficeProcessInjectionBlocked,AsrPersistenceThroughWmiBlocked,AsrPsexecWmiChildProcessBlocked,AsrRansomwareBlocked,AsrScriptExecutableDownloadBlocked,AsrUntrustedExecutableBlocked,AsrUntrustedUsbProcessBlocked,AsrVulnerableSignedDriverBlocked"; ActionType startswith "asr" | - | 1 | - | - | 1 |
| ActionType in "FileCreated,OpenProcessApiCall" | - | 1 | - | - | 1 |
| ActionType in "BrowserLaunchedToOpenUrl,SmartScreenAppWarning,SmartScreenUserOverride" | - | 1 | - | - | 1 |
| ActionType in "AntivirusScanCancelled,AntivirusScanCompleted" | - | 1 | - | - | 1 |
| ActionType startswith "ASR" | - | 1 | - | - | 1 |
| ActionType in "PnpDeviceAllowed,PnpDeviceBlocked" | - | 1 | - | - | 1 |
| ActionType == "FileCreated"; ActionType contains "USB" | - | 1 | - | - | 1 |
| ActionType contains "USB" | - | 1 | - | - | 1 |
| ActionType == "FileCreated" | - | 1 | - | - | 1 |
| ActionType startswith "ScreenshotTaken" | - | 1 | - | - | 1 |
| ActionType == "WmiBindEventFilterToConsumer" | - | 1 | - | - | 1 |
| ActionType in "AntivirusDetection,PnpDeviceConnected" | - | 1 | - | - | 1 |
| ActionType endswith "Blocked"; ActionType startswith "Asr" | - | 1 | - | - | 1 |
| ActionType endswith "Audited"; ActionType startswith "ASR" | - | 1 | - | - | 1 |
| ActionType endswith "Audited"; ActionType startswith "Asr" | - | 1 | - | - | 1 |
| ActionType contains "ControlledFolderAccess" | - | 1 | - | - | 1 |
| ActionType == "ExploitGuardNetworkProtectionBlocked" | - | 1 | - | - | 1 |
| ActionType endswith "Audited"; ActionType startswith "ExploitGuard" | - | 1 | - | - | 1 |
| ActionType endswith "Blocked"; ActionType startswith "ExploitGuard" | - | 1 | - | - | 1 |
| ActionType in "SmartScreenAppWarning,SmartScreenUserOverride" | - | 1 | - | - | 1 |
| ActionType in "SmartScreenUrlWarning,SmartScreenUserOverride" | - | 1 | - | - | 1 |
| ActionType in "FirewallInboundConnectionBlocked,FirewallInboundConnectionToAppBlocked,FirewallOutboundConnectionBlocked" | - | 1 | - | - | 1 |
| ActionType has_any "AsrRansomwareAudited,AsrRansomwareBlocked" | - | 1 | - | - | 1 |
| ActionType in "ExploitGuardNetworkProtectionAudited,ExploitGuardNetworkProtectionBlocked"; ActionType startswith "SmartScreenUrl" | - | 1 | - | - | 1 |
| ActionType in "AntivirusDetection,PnpDeviceConnected"; ActionType endswith "Audited"; ActionType endswith "Blocked"; ActionType startswith "Asr" | - | 1 | - | - | 1 |
| Total | 0 | 77 | 0 | 0 | 77 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| FileCreated | - | 8 | - | - | 8 |
| PowerShellCommand | - | 7 | - | - | 7 |
| BrowserLaunchedToOpenUrl | - | 6 | - | - | 6 |
| AntivirusDetection | - | 6 | - | - | 6 |
| UsbDriveMounted | - | 5 | - | - | 5 |
| PnpDeviceConnected | - | 5 | - | - | 5 |
| startswith Asr | - | 5 | - | - | 5 |
| NamedPipeEvent | - | 4 | - | - | 4 |
| endswith Audited | - | 4 | - | - | 4 |
| UserAccountAddedToLocalGroup | - | 3 | - | - | 3 |
| contains UserAccountCreated | - | 3 | - | - | 3 |
| contains UserAccountModified | - | 3 | - | - | 3 |
| AmsiScriptContent | - | 3 | - | - | 3 |
| AsrOfficeChildProcessBlocked | - | 3 | - | - | 3 |
| SmartScreenUserOverride | - | 3 | - | - | 3 |
| UserAccountCreated | - | 3 | - | - | 3 |
| endswith Blocked | - | 3 | - | - | 3 |
| ScheduledTaskCreated | - | 2 | - | - | 2 |
| DnsQueryResponse | - | 2 | - | - | 2 |
| SmartScreenAppWarning | - | 2 | - | - | 2 |
| startswith ASR | - | 2 | - | - | 2 |
| contains USB | - | 2 | - | - | 2 |
| DeviceBootAttestationInfo | - | 2 | - | - | 2 |
| startswith ControlledFolderAccess | - | 2 | - | - | 2 |
| ExploitGuardNetworkProtectionBlocked | - | 2 | - | - | 2 |
| startswith ExploitGuard | - | 2 | - | - | 2 |
| contains Office | - | 1 | - | - | 1 |
| CreateRemoteThreadApiCall | - | 1 | - | - | 1 |
| QueueUserApcRemoteApiCall | - | 1 | - | - | 1 |
| SetThreadContextRemoteApiCall | - | 1 | - | - | 1 |
| has ExploitGuardNonMicrosoftSignedBlocked | - | 1 | - | - | 1 |
| FileDownloaded | - | 1 | - | - | 1 |
| FileRenamed | - | 1 | - | - | 1 |
| AsrAdobeReaderChildProcessBlocked | - | 1 | - | - | 1 |
| AsrExecutableEmailContentBlocked | - | 1 | - | - | 1 |
| AsrExecutableOfficeContentBlocked | - | 1 | - | - | 1 |
| AsrLsassCredentialTheftBlocked | - | 1 | - | - | 1 |
| AsrObfuscatedScriptBlocked | - | 1 | - | - | 1 |
| AsrOfficeCommAppChildProcessBlocked | - | 1 | - | - | 1 |
| AsrOfficeMacroWin32ApiCallsBlocked | - | 1 | - | - | 1 |
| AsrOfficeProcessInjectionBlocked | - | 1 | - | - | 1 |
| AsrPersistenceThroughWmiBlocked | - | 1 | - | - | 1 |
| AsrPsexecWmiChildProcessBlocked | - | 1 | - | - | 1 |
| AsrRansomwareBlocked | - | 1 | - | - | 1 |
| AsrScriptExecutableDownloadBlocked | - | 1 | - | - | 1 |
| AsrUntrustedExecutableBlocked | - | 1 | - | - | 1 |
| AsrUntrustedUsbProcessBlocked | - | 1 | - | - | 1 |
| AsrVulnerableSignedDriverBlocked | - | 1 | - | - | 1 |
| startswith asr | - | 1 | - | - | 1 |
| OpenProcessApiCall | - | 1 | - | - | 1 |
| AntivirusScanCancelled | - | 1 | - | - | 1 |
| AntivirusScanCompleted | - | 1 | - | - | 1 |
| PnpDeviceAllowed | - | 1 | - | - | 1 |
| PnpDeviceBlocked | - | 1 | - | - | 1 |
| startswith ScreenshotTaken | - | 1 | - | - | 1 |
| WmiBindEventFilterToConsumer | - | 1 | - | - | 1 |
| contains ControlledFolderAccess | - | 1 | - | - | 1 |
| SmartScreenUrlWarning | - | 1 | - | - | 1 |
| FirewallInboundConnectionBlocked | - | 1 | - | - | 1 |
| FirewallInboundConnectionToAppBlocked | - | 1 | - | - | 1 |
| FirewallOutboundConnectionBlocked | - | 1 | - | - | 1 |
| has_any AsrRansomwareAudited | - | 1 | - | - | 1 |
| has_any AsrRansomwareBlocked | - | 1 | - | - | 1 |
| ExploitGuardNetworkProtectionAudited | - | 1 | - | - | 1 |
| startswith SmartScreenUrl | - | 1 | - | - | 1 |