Reference for Event table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Windows |
| Basic Logs Eligible | ✗ No |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✓ Yes |
| Lake-Only Ingestion | ✗ No |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AzureDeploymentID | string | Azure deployment ID of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage. |
| Computer | string | Name of the computer that the event was collected from. |
| EventCategory | int | Category of the event. |
| EventData | string | All event data in raw format. |
| EventID | int | Number of the event. |
| EventLevel | int | Severity of the event in numeric form. |
| EventLevelName | string | Severity of the event in text form. |
| EventLog | string | Name of the event log that the event was collected from. |
| ManagementGroupName | string | Name of the management group for System Center Operations Manager agents. For other agents this value is AOI-<workspace ID> |
| Message | string | Localized event message. The language is defined by the LCID attribute. |
| ParameterXml | string | Event parameter values in XML format. |
| RenderedDescription | string | Event description with parameter values. |
| Role | string | Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage. |
| Source | string | Source of the event. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TimeGenerated | datetime | Date and time the record was created. |
| Type | string | The name of the table |
| UserName | string | User name of the account that logged the event. |
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Automated Logic WebCTRL | EventLevel in "1,2,3" and Source == "ALCWebCTRL" |
| [Deprecated] Microsoft Exchange Logs and Events | EventLog in "Application,MSExchange Management,System" |
| Microsoft Exchange Admin Audit Logs by Event Logs | EventLog == "MSExchange Management" |
| Microsoft Exchange Logs and Events | EventLog == "Application" |
In solution Apache Log4j Vulnerability Detection (selection criteria: EventID == "3" and Source == "Microsoft-Windows-Sysmon"):
| Analytic Rule |
|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC |
In solution Attacker Tools Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Credential Dumping Tools - File Artifacts | EventID == "11" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Credential Dumping Tools - Service Installation | EventID == "7045" and Source == "Service Control Manager" |
In solution Endpoint Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Detecting Macro Invoking ShellBrowserWindow COM Objects | EventID == "1" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Dumping LSASS Process Into a File | EventID == "10" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Lateral Movement via DCOM | EventID == "1" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Registry Persistence via AppCert DLL Modification | EventID == "13" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Registry Persistence via AppInit DLLs Modification | EventID == "13" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| WDigest downgrade attack | EventID == "13" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Windows Binaries Lolbins Renamed | EventID == "1" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
In solution Microsoft Exchange Security - Exchange On-Premises (selection criteria: EventID in "1,6" and EventLog == "MSExchange Management"):
| Analytic Rule |
|---|
| Server Oriented Cmdlet And User Oriented Cmdlet used |
| VIP Mailbox manipulation |
In solution Windows Forwarded Events (selection criteria: EventID == "0" and EventLog == "Application" and RenderedDescription has_any "Downloaded" and Source == "MOVEit DMZ Audit"):
| Analytic Rule |
|---|
| Progress MOVEIt File transfer above threshold |
| Progress MOVEIt File transfer folder count above threshold |
In solution Windows Security Events:
| Analytic Rule | Selection Criteria |
|---|---|
| AD FS Remote HTTP Network Connection | EventID in "18,3" and Source == "Microsoft-Windows-Sysmon" |
| ADFS Database Named Pipe Connection | EventID == "18" and Source == "Microsoft-Windows-Sysmon" |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Detect Certutil (LOLBins and LOLScripts) Usage | EventID == "1" and Source == "Microsoft-Windows-Sysmon" |
| Execution of File with One Character in the Name | EventID == "1" and EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Persisting via IFEO Registry Key | Source == "Microsoft-Windows-Sysmon" |
| Potential Microsoft Security Services Tampering | ParameterXml in "<Param>WinDefend</Param>,<Param>sgrmbroker</Param>" and Source == "Microsoft-Windows-SENSE" |
| Rare Windows Firewall Rule updates using Netsh | Source == "Microsoft-Windows-Sysmon" |
| Rundll32 (LOLBins and LOLScripts) | EventID == "1" and Source == "Microsoft-Windows-Sysmon" |
In solution Legacy IOC based Threat Protection (selection criteria: Source == "Microsoft-Windows-Sysmon"):
| Hunting Query |
|---|
| Known Nylon Typhoon Registry modifications patterns |
| SolarWinds Inventory |
In solution Windows Security Events:
| Hunting Query | Selection Criteria |
|---|---|
| KrbRelayUp Local Privilege Escalation Service Creation | EventID == "7045" and Source == "Service Control Manager" |
| Service installation from user writable directory | EventID == "7045" and Source == "Service Control Manager" |
| Windows System Shutdown/Reboot(Sysmon) | EventID == "1" and EventLog has "shutdown.exe" and Source == "Microsoft-Windows-Sysmon" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Hunt for alerts correlated with Teams messages | |
In solution Azure Web Application Firewall (WAF):
| Workbook | Selection Criteria |
|---|---|
| WebApplicationFirewallWAFTypeEvents | |
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0 (selection criteria: RenderedDescription contains "Hello"):
| Workbook |
|---|
| CybersecurityMaturityModelCertification_CMMCV2 |
In solution DORA Compliance (selection criteria: EventID in "1001,1069,1205" and EventLevelName == "Error" and RenderedDescription has_any "failover"):
| Workbook |
|---|
| DORACompliance |
In solution Microsoft Exchange Security - Exchange On-Premises (selection criteria: EventID in "1,6" and EventLog == "MSExchange Management"):
| Workbook |
|---|
| Microsoft Exchange Admin Activity |
| Microsoft Exchange Search AdminAuditLog |
In solution Microsoft Exchange Security - Exchange Online (selection criteria: EventID in "1,6" and EventLog == "MSExchange Management"):
| Workbook |
|---|
| Microsoft Exchange Least Privilege with RBAC - Online |
In solution PCI DSS Compliance:
| Workbook | Selection Criteria |
|---|---|
| PCIDSSCompliance | |
In solution Veeam:
| Workbook | Selection Criteria |
|---|---|
| VeeamSecurityActivities | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventMicrosoftEvent | AuditEvent | Microsoft Windows | |
| ASimDnsMicrosoftSysmon | Dns | Microsoft Windows Events Sysmon | EventID == "22" and Source == "Microsoft-Windows-Sysmon" |
| ASimFileEventMicrosoftSysmon | FileEvent | Windows Sysmon | EventID in "11,23,26" and Source == "Microsoft-Windows-Sysmon" |
| ASimNetworkSessionMicrosoftSysmon | NetworkSession | Windows Sysmon | EventID == "3" and Source == "Microsoft-Windows-Sysmon" |
| ASimProcessEventCreateMicrosoftSysmon | ProcessEvent | Sysmon | EventID == "1" and Source == "Microsoft-Windows-Sysmon" |
| ASimProcessEventTerminateMicrosoftSysmon | ProcessEvent | Microsoft Windows Events Sysmon | EventID == "5" and Source == "Microsoft-Windows-Sysmon" |
| ASimRegistryEventMicrosoftSysmon | RegistryEvent | Microsoft Sysmon | EventID in "12,13,14" and Source == "Microsoft-Windows-Sysmon" |
| Parser | Solution | Selection Criteria |
|---|---|---|
| ExchangeAdminAuditLogs | Microsoft Exchange Security - Exchange On-Premises | EventID in "1,6" and EventLog == "MSExchange Management" |
| SQLServer_Parser | (Legacy) | Source contains "MSSQL" |
| Sysmon-AllVersions_Parser | (Legacy) | Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v10.42-Parser | (Legacy) | EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,22,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v11.0 | (Legacy) | EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,22,23,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v12.0 | (Legacy) | EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,22,23,24,255,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v9.10-Parser | (Legacy) | EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" |
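Every Sysmon parser and most of the Sysmon-based content items listed on this page start from the same two facts about this table: the filter is on Source (or, equivalently, on EventLog, since provider "Microsoft-Windows-Sysmon" writes to the channel "Microsoft-Windows-Sysmon/Operational") plus EventID, and the interesting fields live inside the EventData column as XML rather than as their own columns. The query below is an added example written for this page; it is not one of the parsers or rules above. Two caveats when turning the catalog's selection criteria into KQL: the catalog prints values in quotes, but EventID is an int column, so write `EventID == 1`; and the Sysmon field names (Image, CommandLine, ParentImage, OriginalFileName) are Sysmon's own, not columns of this table, and only exist after the pivot. The lookback window and the final renamed-binary comparison are illustrative assumptions, not a rule from the page.

```kusto
// Added example: pivot Sysmon EventData (XML) into columns on the Event table.
// Sysmon EventData arrives as
//   <DataItem ...><EventData><Data Name="Image">...</Data>...</EventData></DataItem>
// which is why the parsers walk DataItem.EventData.Data and pivot on @Name.
let lookback = 1d;   // assumption: choose the window that fits the workspace
Event
| where TimeGenerated > ago(lookback)
// Selection criteria of the process-creation content items, as real KQL:
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1   // int, not "1"
// Keep only the event name ("Process Create") from the rendered text
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
// Parse the XML and expand the <Data Name="..."> elements into one row each
| extend EventData = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(['@Name']), Value = ['#text']
// Re-pivot so each Sysmon field becomes a column alongside the table's own columns
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID, UserName, RenderedDescription)
| extend Image = tostring(Image),
         CommandLine = tostring(CommandLine),
         ParentImage = tostring(ParentImage),
         OriginalFileName = tostring(OriginalFileName)
// Illustrative check (assumption, not a page rule): the file name on disk
// differs from the PE's OriginalFileName, the comparison that renamed-LOLBin
// detections rely on. Sysmon emits "-" when the PE carries no OriginalFileName.
| extend ImageName = tolower(extract(@"([^\\]+)$", 1, Image)),
         OriginalName = tolower(OriginalFileName)
| where isnotempty(OriginalName) and OriginalName != "-" and ImageName != OriginalName
| project TimeGenerated, Computer, UserName, Image, OriginalFileName, CommandLine, ParentImage
```

The same skeleton (filter on Source and EventID, parse_xml, mv-expand, bag_unpack, pivot) serves the other Sysmon event IDs in the tables above; only the EventID filter and the field names you keep after the pivot change. For events that never carry structured EventData, such as the MOVEit and DORA criteria above, the content items match on RenderedDescription instead, which is why those criteria use `has_any` and `contains` rather than a parsed field.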
This table collects data from the following Azure resource types:
- microsoft.operationalinsights/workspaces
- microsoft.compute/virtualmachines
- microsoft.connectedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
- microsoft.compute/virtualmachinescalesets
- microsoft.azurestackhci/clusters

References by type: 4 connectors, 32 content items, 6 ASIM parsers, 7 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| EventID in "1,6" and EventLog == "MSExchange Management" | - | 5 | - | 1 | 6 |
| Source == "Microsoft-Windows-Sysmon" | - | 4 | - | 1 | 5 |
| EventID == "1" and EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 4 | - | - | 4 |
| EventID == "7045" and Source == "Service Control Manager" | - | 3 | - | - | 3 |
| EventID == "13" and EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 3 | - | - | 3 |
| EventID == "1" and Source == "Microsoft-Windows-Sysmon" | - | 2 | 1 | - | 3 |
| EventID == "3" and Source == "Microsoft-Windows-Sysmon" | - | 1 | 1 | - | 2 |
| EventID == "0" and EventLog == "Application" and RenderedDescription has_any "Downloaded" and Source == "MOVEit DMZ Audit" | - | 2 | - | - | 2 |
| EventLog == "Application" | 1 | - | - | - | 1 |
| EventLevel in "1,2,3" and Source == "ALCWebCTRL" | 1 | - | - | - | 1 |
| EventLog == "MSExchange Management" | 1 | - | - | - | 1 |
| EventLog in "Application,MSExchange Management,System" | 1 | - | - | - | 1 |
| EventID == "11" and EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 1 | - | - | 1 |
| EventID == "10" and EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 1 | - | - | 1 |
| EventID == "18" and Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| EventID in "18,3" and Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| ParameterXml in "<Param>WinDefend</Param>,<Param>sgrmbroker</Param>" and Source == "Microsoft-Windows-SENSE" | - | 1 | - | - | 1 |
| EventID == "1" and EventLog has "shutdown.exe" and Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| RenderedDescription contains "Hello" | - | 1 | - | - | 1 |
| EventID in "1001,1069,1205" and EventLevelName == "Error" and RenderedDescription has_any "failover" | - | 1 | - | - | 1 |
| EventID == "22" and Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| EventID in "11,23,26" and Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| EventID == "5" and Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| EventID in "12,13,14" and Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| Source contains "MSSQL" | - | - | - | 1 | 1 |
| EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,22,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,22,23,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,22,23,24,255,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| EventID in "1,10,11,12,13,14,15,16,17,18,19,2,20,21,3,4,5,6,7,8,9" and Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| Total | 4 | 32 | 6 | 7 | 49 |
EventID values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 1 | - | 12 | 1 | 5 | 18 |
| 6 | - | 5 | - | 5 | 10 |
| 13 | - | 3 | 1 | 4 | 8 |
| 3 | - | 2 | 1 | 4 | 7 |
| 11 | - | 1 | 1 | 4 | 6 |
| 18 | - | 2 | - | 4 | 6 |
| 10 | - | 1 | - | 4 | 5 |
| 5 | - | - | 1 | 4 | 5 |
| 12 | - | - | 1 | 4 | 5 |
| 14 | - | - | 1 | 4 | 5 |
| 22 | - | - | 1 | 3 | 4 |
| 15 | - | - | - | 4 | 4 |
| 16 | - | - | - | 4 | 4 |
| 17 | - | - | - | 4 | 4 |
| 19 | - | - | - | 4 | 4 |
| 2 | - | - | - | 4 | 4 |
| 20 | - | - | - | 4 | 4 |
| 21 | - | - | - | 4 | 4 |
| 4 | - | - | - | 4 | 4 |
| 7 | - | - | - | 4 | 4 |
| 8 | - | - | - | 4 | 4 |
| 9 | - | - | - | 4 | 4 |
| 7045 | - | 3 | - | - | 3 |
| 23 | - | - | 1 | 2 | 3 |
| 0 | - | 2 | - | - | 2 |
| 1001 | - | 1 | - | - | 1 |
| 1069 | - | 1 | - | - | 1 |
| 1205 | - | 1 | - | - | 1 |
| 26 | - | - | 1 | - | 1 |
| 24 | - | - | - | 1 | 1 |
| 255 | - | - | - | 1 | 1 |

EventLevel values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 1 | 1 | - | - | - | 1 |
| 2 | 1 | - | - | - | 1 |
| 3 | 1 | - | - | - | 1 |

EventLevelName values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Error | - | 1 | - | - | 1 |

EventLog values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft-Windows-Sysmon/Operational | - | 9 | - | - | 9 |
| MSExchange Management | 2 | 5 | - | 1 | 8 |
| Application | 2 | 2 | - | - | 4 |
| System | 1 | - | - | - | 1 |
| has "shutdown.exe" | - | 1 | - | - | 1 |

ParameterXml values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| `<Param>WinDefend</Param>` | - | 1 | - | - | 1 |
| `<Param>sgrmbroker</Param>` | - | 1 | - | - | 1 |

RenderedDescription values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has_any "Downloaded" | - | 2 | - | - | 2 |
| contains "Hello" | - | 1 | - | - | 1 |
| has_any "failover" | - | 1 | - | - | 1 |

Source values referenced by the selection criteria above:
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft-Windows-Sysmon | - | 10 | 6 | 5 | 21 |
| Service Control Manager | - | 3 | - | - | 3 |
| MOVEit DMZ Audit | - | 2 | - | - | 2 |
| ALCWebCTRL | 1 | - | - | - | 1 |
| Microsoft-Windows-SENSE | - | 1 | - | - | 1 |
| contains "MSSQL" | - | - | - | 1 | 1 |