Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Network connection and related events
| Attribute | Value |
|---|---|
| Category | MDE |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable isfalseingestion isn't billed to your Azure account |
| ActionType | string | Type of activity that triggered the event. |
| AdditionalFields | dynamic | Additional information about the entity or event. |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the initiating process. |
| InitiatingProcessAccountName | string | User name of the account that ran the initiating process. |
| InitiatingProcessAccountObjectId | string | Azure AD object ID of the user account that ran the initiating process. |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the initiating process. |
| InitiatingProcessAccountUpn | string | User principal name (UPN) of the account that ran the initiating process. |
| InitiatingProcessCommandLine | string | Command line used to run the initiating process. |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started. |
| InitiatingProcessFileName | string | Name of the initiating process. |
| InitiatingProcessFileSize | long | Size of the file (bytes) that ran the process responsible for the event. |
| InitiatingProcessFolderPath | string | Folder containing the initiating process (image file). |
| InitiatingProcessId | long | Process ID (PID) of the initiating process. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the initiating process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources.. |
| InitiatingProcessMD5 | string | MD5 hash of the initiating process (image file). |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started. |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the initiating process. |
| InitiatingProcessParentId | long | Process ID (PID) of the parent process that spawned the initiating process. |
| InitiatingProcessRemoteSessionDeviceName | string | Device name of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessRemoteSessionIP | string | IP address of the remote device from which the initiating process's RDP session was initiated. |
| InitiatingProcessSessionId | long | Windows session ID of the initiating process. |
| InitiatingProcessSHA1 | string | SHA-1 hash of the initiating process (image file). |
| InitiatingProcessSHA256 | string | SHA-256 hash of the initiating process (image file). In some cases this column may not be populated - please use the InitiatingProcessSHA1 column instead. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the initiating process. |
| InitiatingProcessUniqueId | string | Unique identifier of the initiating process; this is equal to the Process Start Key in Windows devices. |
| InitiatingProcessVersionInfoCompanyName | string | The company name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoFileDescription | string | The description in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoInternalFileName | string | The internal file name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoOriginalFileName | string | The original file name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductName | string | The product name in version information (image file) responsible for the event. |
| InitiatingProcessVersionInfoProductVersion | string | The product version in version information (image file) responsible for the event. |
| IsInitiatingProcessRemoteSession | bool | Indicates whether the initiating process was run under a remote desktop protocol (RDP) session (true) or locally (false). |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast. |
| LocalPort | int | TCP port on the local machine used during communication. |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine. |
| Protocol | string | IP protocol used, whether TCP or UDP. |
| RemoteIP | string | IP address that was being connected to. |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast. |
| RemotePort | int | TCP port on the remote device that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.. |
| SourceSystem | string | The type of agent the event was collected by. For example,OpsManagerfor Windows agent, either direct connect or Operations Manager,Linuxfor all Linux agents, orAzurefor Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time the event was recorded by the MDE agent on the endpoint. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR |
In solution Apache Log4j Vulnerability Detection: ActionType == "InboundConnectionAccepted"
| Analytic Rule |
|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC |
In solution FalconFriday:
| Analytic Rule | Selection Criteria |
|---|---|
| DCOM Lateral Movement | |
| SMB/Windows Admin Shares |
In solution Microsoft Defender XDR:
| Analytic Rule | Selection Criteria |
|---|---|
| Execution of software vulnerable to webp buffer overflow of CVE-2023-4863 | |
| Rare Process as a Service | |
| Regsvr32 Rundll32 Image Loads Abnormal Extension | |
| Regsvr32 Rundll32 with Anomalous Parent Process | |
| SUNBURST network beacons | ActionType == "ConnectionSuccess" |
In solution Threat Intelligence: ActionType !has "ConnectionFailed"
| Analytic Rule |
|---|
| TI Map Domain Entity to DeviceNetworkEvents |
| TI Map IP Entity to DeviceNetworkEvents |
| TI Map URL Entity to DeviceNetworkEvents |
In solution Threat Intelligence (NEW): ActionType !has "ConnectionFailed"
| Analytic Rule |
|---|
| TI Map Domain Entity to DeviceNetworkEvents |
| TI Map IP Entity to DeviceNetworkEvents |
| TI Map URL Entity to DeviceNetworkEvents |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 |
Standalone Content:
In solution Apache Log4j Vulnerability Detection:
| Hunting Query | Selection Criteria |
|---|---|
| Malicious Connection to LDAP port for CVE-2021-44228 vulnerability |
In solution Cyware:
| Hunting Query | Selection Criteria |
|---|---|
| Detecting Suspicious PowerShell Command Executions |
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Download of New File Using Curl |
In solution Microsoft Defender XDR:
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| MDE_Networktrafficgoingtoport | |
| MDE_Networktrafficgoingtoport-DNS | |
| MDE_SmartScreenCheck | ActionType in "ExploitGuardNetworkProtectionBlocked,SmartScreenUrlWarning" |
GitHub Only:
In solution DORA Compliance:
| Workbook | Selection Criteria |
|---|---|
| DORACompliance |
In solution HIPAA Compliance: ActionType == "ConnectionSuccess"
| Workbook |
|---|
| HIPAACompliance |
In solution Lumen Defender Threat Feed:
| Workbook | Selection Criteria |
|---|---|
| Lumen-Threat-Feed-Overview |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForEndPoint |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| ExchangeCompromiseHunting | |
| MicrosoftDefenderForEndPoint | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SolarWindsPostCompromiseHunting |
ActionType == "ConnectionFailed"| Parser | Schema | Product |
|---|---|---|
| ASimNetworkSessionMicrosoft365Defender | NetworkSession | M365 Defender for Endpoint |
References by type: 0 connectors, 16 content items, 1 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
ActionType !has "ConnectionFailed" |
- | 6 | - | - | 6 |
ActionType == "ConnectionSuccess" |
- | 4 | - | - | 4 |
ActionType == "ConnectionFailed" |
- | 2 | 1 | - | 3 |
ActionType == "InboundConnectionAccepted" |
- | 1 | - | - | 1 |
ActionType in "ExploitGuardNetworkProtectionBlocked,SmartScreenUrlWarning" |
- | 1 | - | - | 1 |
ActionType == "NetworkSignatureInspected" |
- | 1 | - | - | 1 |
ActionType in "ConnectionFound,ConnectionRequest,ConnectionSuccess,InboundConnectionAccepted,ListeningConnectionCreated" |
- | 1 | - | - | 1 |
| Total | 0 | 16 | 1 | 0 | 17 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
!has ConnectionFailed |
- | 6 | - | - | 6 |
ConnectionSuccess |
- | 5 | - | - | 5 |
ConnectionFailed |
- | 2 | 1 | - | 3 |
InboundConnectionAccepted |
- | 2 | - | - | 2 |
ExploitGuardNetworkProtectionBlocked |
- | 1 | - | - | 1 |
SmartScreenUrlWarning |
- | 1 | - | - | 1 |
NetworkSignatureInspected |
- | 1 | - | - | 1 |
ConnectionFound |
- | 1 | - | - | 1 |
ConnectionRequest |
- | 1 | - | - | 1 |
ListeningConnectionCreated |
- | 1 | - | - | 1 |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊