Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Reference for the Event table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Windows |
| Basic Logs Eligible | ✗ No |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✓ Yes |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AzureDeploymentID | string | Azure deployment ID of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage. |
| Computer | string | Name of the computer that the event was collected from. |
| EventCategory | int | Category of the event. |
| EventData | string | All event data in raw format. |
| EventID | int | Number of the event. |
| EventLevel | int | Severity of the event in numeric form. |
| EventLevelName | string | Severity of the event in text form. |
| EventLog | string | Name of the event log that the event was collected from. |
| ManagementGroupName | string | Name of the management group for System Center Operations Manager agents. For other agents this value is `AOI-<workspace ID>` |
| Message | string | Event message for the different Languages. The language is defined by the LCID attribute. |
| ParameterXml | string | Event parameter values in XML format. |
| RenderedDescription | string | Event description with parameter values. |
| Role | string | Role of the cloud service the log belongs to. Only populated when events are collected using Azure Diagnostics agent and collected from Azure storage. |
| Source | string | Source of the event. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics |
| TimeGenerated | datetime | Date and time the record was created. |
| Type | string | The name of the table |
| UserName | string | User name of the account that logged the event. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Automated Logic WebCTRL | Source == "ALCWebCTRL" |
| [Deprecated] Microsoft Exchange Logs and Events | EventLog in "Application,MSExchange Management,System" |
| Microsoft Exchange Admin Audit Logs by Event Logs | EventLog == "MSExchange Management" |
| Microsoft Exchange Logs and Events | EventLog == "Application" |
In solution Apache Log4j Vulnerability Detection: EventID == "3"; Source == "Microsoft-Windows-Sysmon"
| Analytic Rule |
|---|
| Log4j vulnerability exploit aka Log4Shell IP IOC |
In solution Attacker Tools Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Credential Dumping Tools - File Artifacts | EventID == "11"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Credential Dumping Tools - Service Installation | EventID == "7045"; Source == "Service Control Manager" |
In solution Endpoint Threat Protection Essentials:
| Analytic Rule | Selection Criteria |
|---|---|
| Detecting Macro Invoking ShellBrowserWindow COM Objects | EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Dumping LSASS Process Into a File | EventID == "10"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Lateral Movement via DCOM | EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Registry Persistence via AppCert DLL Modification | EventID == "13"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Registry Persistence via AppInit DLLs Modification | EventID == "13"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| WDigest downgrade attack | EventID == "13"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Windows Binaries Lolbins Renamed | EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
In solution Microsoft Exchange Security - Exchange On-Premises: EventID in "1,6"; EventLog == "MSExchange Management"
| Analytic Rule |
|---|
| Server Oriented Cmdlet And User Oriented Cmdlet used |
| VIP Mailbox manipulation |
In solution Windows Forwarded Events: EventID == "0"; EventLog == "Application"; Source == "MOVEit DMZ Audit"
| Analytic Rule |
|---|
| Progress MOVEIt File transfer above threshold |
| Progress MOVEIt File transfer folder count above threshold |
In solution Windows Security Events:
| Analytic Rule | Selection Criteria |
|---|---|
| AD FS Remote HTTP Network Connection | EventID in "18,3"; Source == "Microsoft-Windows-Sysmon" |
| ADFS Database Named Pipe Connection | EventID == "18"; Source == "Microsoft-Windows-Sysmon" |
In solution Zinc Open Source:
| Analytic Rule | Selection Criteria |
|---|---|
| Zinc Actor IOCs files - October 2022 | |
| [Deprecated] - Zinc Actor IOCs domains hashes IPs and useragent - October 2022 | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| ADFS DKM Master Key Export | |
| Audit policy manipulation using auditpol utility | Source == "Microsoft-Windows-Sysmon" |
| COM Event System Loading New DLL | EventID in "1,7"; Source == "Microsoft-Windows-Sysmon" |
| DSRM Account Abuse | EventID == "13"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Email access via active sync | Source == "Microsoft-Windows-Sysmon" |
| Europium - Hash and IP IOCs - September 2022 | |
| Gain Code Execution on ADFS Server via Remote WMI Execution | Source == "Microsoft-Windows-Sysmon" |
| Mercury - Domain, Hash and IP IOCs - August 2022 | |
| Modification of Accessibility Features | EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Prestige ransomware IOCs Oct 2022 | |
| Silk Typhoon Suspicious UM Service Error | EventLog == "Application"; Source startswith "MSExchange" |
| Solorigate Named Pipe | |
In solution Endpoint Threat Protection Essentials:
| Hunting Query | Selection Criteria |
|---|---|
| Detect Certutil (LOLBins and LOLScripts) Usage | EventID == "1"; Source == "Microsoft-Windows-Sysmon" |
| Execution of File with One Character in the Name | EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Persisting via IFEO Registry Key | Source == "Microsoft-Windows-Sysmon" |
| Potential Microsoft Security Services Tampering | Source == "Microsoft-Windows-SENSE" |
| Rare Windows Firewall Rule updates using Netsh | Source == "Microsoft-Windows-Sysmon" |
| Rundll32 (LOLBins and LOLScripts) | EventID == "1"; Source == "Microsoft-Windows-Sysmon" |
In solution Legacy IOC based Threat Protection: Source == "Microsoft-Windows-Sysmon"
| Hunting Query |
|---|
| Known Nylon Typhoon Registry modifications patterns |
| SolarWinds Inventory |
In solution Windows Security Events:
| Hunting Query | Selection Criteria |
|---|---|
| KrbRelayUp Local Privilege Escalation Service Creation | EventID == "7045"; Source == "Service Control Manager" |
| Service installation from user writable directory | EventID == "7045"; Source == "Service Control Manager" |
| Windows System Shutdown/Reboot(Sysmon) | EventID == "1"; EventLog has "shutdown.exe"; Source == "Microsoft-Windows-Sysmon" |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Tracking Privileged Account Rare Activity | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| AD FS Database Local SQL Statements | EventID == "33205"; EventLog == "Application"; Source == "MSSQL$MICROSOFT##WID" |
| Potential Local Exploitation for Privilege Escalation | EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" |
| Rare firewall rule changes using netsh | Source == "Microsoft-Windows-Sysmon" |
| Windows System Shutdown/Reboot(Sysmon) | EventID == "1"; Source == "Microsoft-Windows-Sysmon" |
In solution Azure Web Application Firewall (WAF):
| Workbook | Selection Criteria |
|---|---|
| WebApplicationFirewallWAFTypeEvents | |
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | |
In solution DORA Compliance: EventID in "1001,1069,1205"
| Workbook |
|---|
| DORACompliance |
In solution Microsoft Exchange Security - Exchange On-Premises: EventID in "1,6"; EventLog == "MSExchange Management"
| Workbook |
|---|
| Microsoft Exchange Admin Activity |
| Microsoft Exchange Search AdminAuditLog |
In solution Microsoft Exchange Security - Exchange Online: EventID in "1,6"; EventLog == "MSExchange Management"
| Workbook |
|---|
| Microsoft Exchange Least Privilege with RBAC - Online |
In solution PCI DSS Compliance:
| Workbook | Selection Criteria |
|---|---|
| PCIDSSCompliance | |
In solution Veeam:
| Workbook | Selection Criteria |
|---|---|
| VeeamSecurityActivities | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| ExchangeCompromiseHunting | EventLog == "Application"; Source == "Microsoft-Windows-Sysmon"; Source startswith "MSExchange" |
| InsecureProtocols | EventLog == "Microsoft-Windows-SMBServer/Audit"; EventLog == "System"; Source == "NETLOGON" |
| SentinelWorkspaceReconTools | |
| SolarWindsPostCompromiseHunting | Source == "Microsoft-Windows-Sysmon"; Source == "Microsoft-Windows-SENSE" |
| SolarWindsPostCompromiseHunting | Source == "Microsoft-Windows-Sysmon"; Source == "Microsoft-Windows-SENSE" |
| SysmonThreatHunting | Source contains "sysmon" |
| VeeamSecurityActivities | |
| WebApplicationFirewallWAFTypeEvents | |
| WorkspaceUsage | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuditEventMicrosoftEvent | AuditEvent | Microsoft Windows | |
| ASimDnsMicrosoftSysmon | Dns | Microsoft Windows Events Sysmon | EventID == "22"; Source == "Microsoft-Windows-Sysmon" |
| ASimFileEventMicrosoftSysmon | FileEvent | Windows Sysmon | EventID in "11,23,26"; Source == "Microsoft-Windows-Sysmon" |
| ASimNetworkSessionMicrosoftSysmon | NetworkSession | Windows Sysmon | EventID == "3"; Source == "Microsoft-Windows-Sysmon" |
| ASimProcessEventCreateMicrosoftSysmon | ProcessEvent | Sysmon | EventID == "1"; Source == "Microsoft-Windows-Sysmon" |
| ASimProcessEventTerminateMicrosoftSysmon | ProcessEvent | Microsoft Windows Events Sysmon | EventID == "5"; Source == "Microsoft-Windows-Sysmon" |
| ASimRegistryEventMicrosoftSysmon | RegistryEvent | Microsoft Sysmon | EventID in "12,13,14"; Source == "Microsoft-Windows-Sysmon" |
| Parser | Solution | Selection Criteria |
|---|---|---|
| ExchangeAdminAuditLogs | Microsoft Exchange Security - Exchange On-Premises | EventID in "1,6"; EventLog == "MSExchange Management" |
| SQLServer_Parser | (Legacy) | Source contains "MSSQL" |
| Sysmon-AllVersions_Parser | (Legacy) | Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v10.42-Parser | (Legacy) | EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22"; Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v11.0 | (Legacy) | EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23"; Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v12.0 | (Legacy) | EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,255"; Source == "Microsoft-Windows-Sysmon" |
| Sysmon-v9.10-Parser | (Legacy) | EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21"; Source == "Microsoft-Windows-Sysmon" |
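The selection criteria listed for the parsers and content items above are the filters each one applies to the Event table, and the page mixes two conventions for Sysmon rows: the ASIM parsers key on `Source == "Microsoft-Windows-Sysmon"`, while most analytic rules key on `EventLog == "Microsoft-Windows-Sysmon/Operational"`. The following Python example is added here to show how those criteria behave against real-shaped rows and how the raw `EventData` column is unpacked into named fields; it is not code from Microsoft Sentinel, the ASIM parsers, or Azure Monitor. It transcribes a handful of the criteria from this page, routes a row to every consumer whose criteria it satisfies, and flattens the Sysmon `EventData` XML. The XML layout (a `DataItem` wrapper around a namespaced `EventData` element containing `Data` children with a `Name` attribute) is an assumption taken from the legacy Sysmon parsers' `parse_xml(EventData).DataItem.EventData.Data` access path; the sample row, the `EventData` text, and all function names are the example's own.

```python
"""Added example, not part of the Sentinel or ASIM code base: apply selection
criteria from this page to Event-table rows and unpack Sysmon EventData XML."""
import xml.etree.ElementTree as ET

# Criteria transcribed from this page. A set means `in`, a plain value `==`.
# Sysmon data is matched two ways on the page: parsers key on Source, most
# analytic rules and hunting queries on EventLog; a real Sysmon row carries both.
CRITERIA = {
    "ASimProcessEventCreateMicrosoftSysmon":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {1}},
    "ASimNetworkSessionMicrosoftSysmon":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {3}},
    "ASimProcessEventTerminateMicrosoftSysmon":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {5}},
    "ASimFileEventMicrosoftSysmon":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {11, 23, 26}},
    "ASimRegistryEventMicrosoftSysmon":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {12, 13, 14}},
    "ASimDnsMicrosoftSysmon":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {22}},
    "Detect Certutil (LOLBins and LOLScripts) Usage":
        {"Source": "Microsoft-Windows-Sysmon", "EventID": {1}},
    "Windows Binaries Lolbins Renamed":
        {"EventLog": "Microsoft-Windows-Sysmon/Operational", "EventID": {1}},
    "WDigest downgrade attack":
        {"EventLog": "Microsoft-Windows-Sysmon/Operational", "EventID": {13}},
    "Credential Dumping Tools - Service Installation":
        {"Source": "Service Control Manager", "EventID": {7045}},
    "ExchangeAdminAuditLogs":
        {"EventLog": "MSExchange Management", "EventID": {1, 6}},
}


def matches(row, criteria):
    """True when every criterion holds for the row. EventID is an int column
    even though the page quotes its values, so it is compared numerically."""
    for column, wanted in criteria.items():
        value = row.get(column)
        if value is None:
            return False
        if column == "EventID":
            value = int(value)
        if isinstance(wanted, set):
            if value not in wanted:
                return False
        elif value != wanted:
            return False
    return True


def route(row):
    """Names of the parsers and content items whose criteria the row satisfies."""
    return sorted(name for name, crit in CRITERIA.items() if matches(row, crit))


def unpack_event_data(event_data_xml):
    """Flatten the raw EventData column into {Name: text}.

    Assumed layout (from the legacy Sysmon parsers' use of
    parse_xml(EventData).DataItem.EventData.Data): a DataItem wrapper around a
    namespaced EventData element holding <Data Name="..."> children. Matching
    on the local tag name ignores the namespace and the wrapper, so rows
    written without either still unpack."""
    root = ET.fromstring(event_data_xml)
    fields = {}
    for elem in root.iter():
        if elem.tag.rpartition("}")[2] == "Data" and elem.get("Name"):
            fields[elem.get("Name")] = (elem.text or "").strip()
    return fields


# Constructed sample, not a real capture: a Sysmon process-create (EventID 1)
# row shaped like the Event table's columns.
SAMPLE_EVENT_DATA = (
    '<DataItem type="System.XmlData" time="2024-05-01T10:15:00Z">'
    '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<Data Name="RuleName">-</Data>'
    '<Data Name="UtcTime">2024-05-01 10:15:00.123</Data>'
    '<Data Name="ProcessId">4120</Data>'
    '<Data Name="Image">C:\\Windows\\System32\\certutil.exe</Data>'
    '<Data Name="CommandLine">certutil.exe -hashfile C:\\Temp\\setup.exe SHA256</Data>'
    '<Data Name="User">CORP\\jdoe</Data>'
    '<Data Name="ParentImage">C:\\Windows\\System32\\cmd.exe</Data>'
    '</EventData></DataItem>'
)
SAMPLE_ROW = {
    "TimeGenerated": "2024-05-01T10:15:00Z",
    "Computer": "ws01.corp.example",
    "EventLog": "Microsoft-Windows-Sysmon/Operational",
    "Source": "Microsoft-Windows-Sysmon",
    "EventID": 1,
    "EventLevelName": "Information",
    "EventData": SAMPLE_EVENT_DATA,
}


def analyse(row):
    """Route a row and, for Sysmon rows, expose its unpacked EventData fields."""
    result = {"consumers": route(row), "fields": {}}
    if row.get("Source") == "Microsoft-Windows-Sysmon":
        result["fields"] = unpack_event_data(row["EventData"])
    return result


if __name__ == "__main__":
    out = analyse(SAMPLE_ROW)
    print("consumers:", out["consumers"])
    print("Image:", out["fields"]["Image"])
    print("CommandLine:", out["fields"]["CommandLine"])
```

Run the file directly to see the sample row routed to the process-create ASIM parser (keyed on `Source`) and to two content items, one keyed on `Source` and one on `EventLog`. Because the page's Sysmon content keys on either column, a row must carry both `Source == "Microsoft-Windows-Sysmon"` and `EventLog == "Microsoft-Windows-Sysmon/Operational"` to be picked up by all of it; a row missing one column is silently skipped by the consumers that key on it, which is worth checking when onboarding a new collection path. The criteria on the page quote `EventID` values, but the column is an `int`, so any filter you write against the table should compare numerically.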
This table collects data from the following Azure resource types:
- microsoft.operationalinsights/workspaces
- microsoft.compute/virtualmachines
- microsoft.connectedvmwarevsphere/virtualmachines
- microsoft.azurestackhci/virtualmachines
- microsoft.scvmm/virtualmachines
- microsoft.compute/virtualmachinescalesets
- microsoft.azurestackhci/clusters

References by type: 4 connectors, 42 content items, 6 ASIM parsers, 7 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Source == "Microsoft-Windows-Sysmon" | - | 8 | - | 1 | 9 |
| EventID == "1"; EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 6 | - | - | 6 |
| EventID in "1,6"; EventLog == "MSExchange Management" | - | 5 | - | 1 | 6 |
| EventID == "13"; EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 4 | - | - | 4 |
| EventID == "1"; Source == "Microsoft-Windows-Sysmon" | - | 3 | 1 | - | 4 |
| EventID == "7045"; Source == "Service Control Manager" | - | 3 | - | - | 3 |
| EventID == "3"; Source == "Microsoft-Windows-Sysmon" | - | 1 | 1 | - | 2 |
| EventID == "0"; EventLog == "Application"; Source == "MOVEit DMZ Audit" | - | 2 | - | - | 2 |
| EventLog == "Application" | 1 | - | - | - | 1 |
| EventLog in "Application,MSExchange Management,System" | 1 | - | - | - | 1 |
| Source == "ALCWebCTRL" | 1 | - | - | - | 1 |
| EventLog == "MSExchange Management" | 1 | - | - | - | 1 |
| EventID == "11"; EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 1 | - | - | 1 |
| EventID == "10"; EventLog == "Microsoft-Windows-Sysmon/Operational" | - | 1 | - | - | 1 |
| EventID == "18"; Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| EventID in "18,3"; Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| EventID in "1,7"; Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| EventLog == "Application"; Source startswith "MSExchange" | - | 1 | - | - | 1 |
| Source == "Microsoft-Windows-SENSE" | - | 1 | - | - | 1 |
| EventID == "1"; EventLog has "shutdown.exe"; Source == "Microsoft-Windows-Sysmon" | - | 1 | - | - | 1 |
| EventID == "33205"; EventLog == "Application"; Source == "MSSQL$MICROSOFT##WID" | - | 1 | - | - | 1 |
| EventID in "1001,1069,1205" | - | 1 | - | - | 1 |
| EventID == "22"; Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| EventID in "11,23,26"; Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| EventID == "5"; Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| EventID in "12,13,14"; Source == "Microsoft-Windows-Sysmon" | - | - | 1 | - | 1 |
| Source contains "MSSQL" | - | - | - | 1 | 1 |
| EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22"; Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23"; Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,255"; Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| EventID in "1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21"; Source == "Microsoft-Windows-Sysmon" | - | - | - | 1 | 1 |
| Total | 4 | 42 | 6 | 7 | 59 |
| EventID | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| 1 | - | 16 | 1 | 5 | 22 |
| 6 | - | 5 | - | 5 | 10 |
| 13 | - | 4 | 1 | 4 | 9 |
| 3 | - | 2 | 1 | 4 | 7 |
| 11 | - | 1 | 1 | 4 | 6 |
| 18 | - | 2 | - | 4 | 6 |
| 10 | - | 1 | - | 4 | 5 |
| 7 | - | 1 | - | 4 | 5 |
| 5 | - | - | 1 | 4 | 5 |
| 12 | - | - | 1 | 4 | 5 |
| 14 | - | - | 1 | 4 | 5 |
| 22 | - | - | 1 | 3 | 4 |
| 15 | - | - | - | 4 | 4 |
| 16 | - | - | - | 4 | 4 |
| 17 | - | - | - | 4 | 4 |
| 19 | - | - | - | 4 | 4 |
| 2 | - | - | - | 4 | 4 |
| 20 | - | - | - | 4 | 4 |
| 21 | - | - | - | 4 | 4 |
| 4 | - | - | - | 4 | 4 |
| 8 | - | - | - | 4 | 4 |
| 9 | - | - | - | 4 | 4 |
| 7045 | - | 3 | - | - | 3 |
| 23 | - | - | 1 | 2 | 3 |
| 0 | - | 2 | - | - | 2 |
| 33205 | - | 1 | - | - | 1 |
| 1001 | - | 1 | - | - | 1 |
| 1069 | - | 1 | - | - | 1 |
| 1205 | - | 1 | - | - | 1 |
| 26 | - | - | 1 | - | 1 |
| 24 | - | - | - | 1 | 1 |
| 255 | - | - | - | 1 | 1 |
| EventLog | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft-Windows-Sysmon/Operational | - | 12 | - | - | 12 |
| MSExchange Management | 2 | 5 | - | 1 | 8 |
| Application | 2 | 4 | - | - | 6 |
| System | 1 | - | - | - | 1 |
| has "shutdown.exe" | - | 1 | - | - | 1 |
| Source | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft-Windows-Sysmon | - | 16 | 6 | 5 | 27 |
| Service Control Manager | - | 3 | - | - | 3 |
| MOVEit DMZ Audit | - | 2 | - | - | 2 |
| ALCWebCTRL | 1 | - | - | - | 1 |
| startswith "MSExchange" | - | 1 | - | - | 1 |
| Microsoft-Windows-SENSE | - | 1 | - | - | 1 |
| MSSQL$MICROSOFT##WID | - | 1 | - | - | 1 |
| contains "MSSQL" | - | - | - | 1 | 1 |