Events involving an on-premises domain controller running Active Directory (AD). This table covers a range of identity-related events and system events on the domain controller.
| Attribute | Value |
|---|---|
| Category | Security, XDR |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
| Defender XDR Advanced Hunting Schema | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AccountDisplayName | string | Name of the account user displayed in the address book |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountSid | string | Security Identifier (SID) of the account |
| AccountUpn | string | User principal name (UPN) of the account |
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | dynamic | Additional information about the entity or event |
| Application | string | Application that performed the recorded action |
| DestinationDeviceName | string | Name of the device running the server application that processed the recorded action |
| DestinationIPAddress | string | IP address of the device running the server application that processed the recorded action |
| DestinationPort | string | Destination port of related network communications |
| DeviceName | string | Fully qualified domain name (FQDN) of the device |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| ISP | string | Internet service provider (ISP) associated with the endpoint IP address |
| Location | string | City, country, or other geographic location associated with the event |
| Port | string | TCP port used during communication |
| Protocol | string | Protocol used during the communication |
| ReportId | string | Unique identifier for the event |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TargetAccountDisplayName | string | Display name of the account that the recorded action was applied to |
| TargetAccountUpn | string | User principal name (UPN) of the account that the recorded action was applied to |
| TargetDeviceName | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Date and time (UTC) when the record was generated |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Defender XDR | |
In solution Microsoft Defender XDR: ActionType == "SAM Account Name changed"
| Hunting Query |
|---|
| SAM Name Change CVE-2021-42278 |
Standalone Content:
| Hunting Query | Selection Criteria |
|---|---|
| Active Directory Account lockout and unlocks | ActionType == "Account Unlock changed" |
| Find_deleted_accounts_and_by_whom | ActionType == "Account deleted" |
| MDI_Group_Memebership_Changes | ActionType == "Group Membership changed" |
| MDI_Objects_Moving_OUs | ActionType == "Account Path changed" |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Active Directory Sensitive Group Modifications | ActionType == "Group Membership changed" |
| SAM-Name-Changes-CVE-2021-42278 | ActionType == "SAM Account Name changed" |
In solution Microsoft Defender XDR:
| Workbook | Selection Criteria |
|---|---|
| MicrosoftDefenderForIdentity | |
In solution SOX IT Compliance: ActionType in "DirectoryRoleMembershipChanged,GroupMembershipChanged,PrivilegeEscalation,SensitiveAccountChanged,UserAccountControlChanged"
| Workbook |
|---|
| SOXITCompliance |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| DoDZeroTrustWorkbook | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| ZeroTrustStrategyWorkbook | |
| microsoftdefenderforidentity | |
References by type: 0 connectors, 8 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| ActionType == "SAM Account Name changed" | - | 2 | - | - | 2 |
| ActionType == "Group Membership changed" | - | 2 | - | - | 2 |
| ActionType == "Account deleted" | - | 1 | - | - | 1 |
| ActionType == "Account Path changed" | - | 1 | - | - | 1 |
| ActionType == "Account Unlock changed" | - | 1 | - | - | 1 |
| ActionType in "DirectoryRoleMembershipChanged,GroupMembershipChanged,PrivilegeEscalation,SensitiveAccountChanged,UserAccountControlChanged" | - | 1 | - | - | 1 |
| Total | 0 | 8 | 0 | 0 | 8 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| SAM Account Name changed | - | 2 | - | - | 2 |
| Group Membership changed | - | 2 | - | - | 2 |
| Account deleted | - | 1 | - | - | 1 |
| Account Path changed | - | 1 | - | - | 1 |
| Account Unlock changed | - | 1 | - | - | 1 |
| DirectoryRoleMembershipChanged | - | 1 | - | - | 1 |
| GroupMembershipChanged | - | 1 | - | - | 1 |
| PrivilegeEscalation | - | 1 | - | - | 1 |
| SensitiveAccountChanged | - | 1 | - | - | 1 |
| UserAccountControlChanged | - | 1 | - | - | 1 |