SecurityAlert
Reference for the SecurityAlert table in Azure Monitor Logs (the table Microsoft Sentinel and the Microsoft Defender products write their alerts to).
| Attribute | Value |
|---|---|
| Category | Internal |
| Basic Logs Eligible | ✗ No |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✗ No |
| Lake-Only Ingestion | ✓ Yes |
| Azure Monitor Tables Reference | View Documentation |
Schema (35 columns)
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AlertLink | string | |
| AlertName | string | |
| AlertSeverity | string | |
| AlertType | string | |
| CompromisedEntity | string | |
| ConfidenceLevel | string | |
| ConfidenceScore | real | |
| Description | string | |
| DisplayName | string | |
| EndTime | datetime | |
| Entities | string | |
| ExtendedLinks | string | |
| ExtendedProperties | string | |
| IsIncident | bool | |
| ProcessingEndTime | datetime | |
| ProductComponentName | string | |
| ProductName | string | |
| ProviderName | string | |
| RemediationSteps | string | |
| ResourceId | string | |
| SourceComputerId | string | |
| StartTime | datetime | |
| Status | string | |
| SubTechniques | string | |
| SystemAlertId | string | |
| Tactics | string | |
| Techniques | string | |
| TimeGenerated | datetime | |
| Type | string | The name of the table |
| VendorName | string | |
| VendorOriginalId | string | |
| WorkspaceResourceGroup | string | |
| WorkspaceSubscriptionId | string | |
📖 Related Documentation: Security alert schema reference - Describes the SecurityAlert table schema and field definitions
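The schema above lists Entities and ExtendedProperties as plain strings, which is how they arrive: Entities is a JSON array of entity objects serialised into one string, ExtendedProperties a JSON object, and Tactics a comma-separated list of MITRE ATT&CK tactic names. Nothing in the table is pre-expanded, so any query that pivots on "which accounts, hosts or IPs does this alert touch" has to parse the JSON first. The query below is an added example and not part of the Azure Monitor reference or of any solution on this page; the one-day window, the severity filter and the per-type property names it reads (Address, Name, UPNSuffix, HostName, Url, Value) are assumptions that mirror the entity payloads Sentinel emits, so check them against the Entities values in your own workspace before relying on the output.

```kusto
// Added example, not from the Azure Monitor reference: pivot SecurityAlert on
// the entities carried inside the JSON-encoded Entities column.
// Assumptions: 1-day lookback, High/Medium only, and the per-type property
// names below (Address, Name, UPNSuffix, HostName, Url, Value).
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertSeverity in ("High", "Medium")
// The same alert can be written more than once as its status or entities are
// updated, so keep only the latest row per alert id before expanding.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Entities is a string; parse it into a dynamic array, then one row per entity.
| mv-expand Entity = parse_json(Entities)
| extend EntityType = tolower(tostring(Entity.Type))
| extend EntityValue = case(
    EntityType == "ip",       tostring(Entity.Address),
    EntityType == "account",  strcat(tostring(Entity.Name),
                                     iff(isnotempty(Entity.UPNSuffix), strcat("@", tostring(Entity.UPNSuffix)), "")),
    EntityType == "host",     tostring(Entity.HostName),
    EntityType == "url",      tostring(Entity.Url),
    EntityType == "filehash", tostring(Entity.Value),
    tostring(Entity.Name))           // fallback for entity types not handled above
| where isnotempty(EntityValue)
// One row per distinct entity: how many alerts, from which products, with which
// ATT&CK tactics. An entity that shows up under several providers is the
// usual starting point for a cross-product investigation.
| summarize Alerts    = dcount(SystemAlertId),
            AlertNames = make_set(AlertName, 10),
            Providers  = make_set(ProviderName),
            Tactics    = make_set(Tactics)
    by EntityType, EntityValue
| order by Alerts desc
```

The `arg_max` step matters more than it looks: without it, an alert that was updated three times contributes three rows per entity and inflates every count downstream. If you need the ATT&CK tactics as individual values rather than the raw comma-separated strings, add `| mv-expand Tactic = split(Tactics, ",")` before the final `summarize` and group on `Tactic`.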
Solutions (52)
This table is used by the following solutions:
Connectors (10)
This table is ingested by the following connectors:
Content Items Using This Table (119)
Analytic Rules (42)
| Solution | Selection Criteria |
|---|---|
| AzureDevOpsAuditing | `ProviderName == "IPC"` |
| Dragos | |
| IoTOTThreatMonitoringwithDefenderforIoT | |
| Microsoft Business Applications | |
| Microsoft Defender XDR | |
| Microsoft Defender for Cloud | |
| Microsoft Defender for Cloud Apps | |
| Microsoft Entra ID Protection | |
| MicrosoftDefenderForEndpoint | `ProviderName == "MDATP"` |
| MicrosoftPurviewInsiderRiskManagement | |
| Multi Cloud Attack Coverage Essentials - Resource Abuse | |
| Threat Intelligence | |
| Threat Intelligence (NEW) | |
| Web Shells Threat Protection | |
| Zinc Open Source | |
Hunting Queries (14)
| Solution | Selection Criteria |
|---|---|
| AzureDevOpsAuditing | `ProviderName == "IPC"` |
| Cloud Identity Threat Protection Essentials | |
| Legacy IOC based Threat Protection | |
| Microsoft Business Applications | `ProviderName == "IPC"` |
| MicrosoftPurviewInsiderRiskManagement | |
Workbooks (45)
| Solution | Selection Criteria |
|---|---|
| Apache Log4j Vulnerability Detection | |
| Azure Key Vault | `AlertType startswith "KV_"` |
| Azure SQL Database solution for sentinel | `AlertType startswith "SQL."`; `AlertType startswith "SQl."` |
| Azure kubernetes Service | `AlertType in "K8S_ClusterAdminBinding,K8S_MaliciousContainerExec,K8S_PrivilegedContainer,K8S_SensitiveMount"`; `AlertType startswith "K8S_"` |
| AzureSecurityBenchmark | `AlertName contains "auth"`; `AlertName contains "cert"`; `AlertName contains "cred"`; `AlertName contains "password"`; `AlertName contains "secret"`; `ProviderName == "IPC"` |
| Censys | |
| ContinuousDiagnostics&Mitigation | `ProductName in "Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management,Microsoft Defender Advanced Threat Protection"` |
| CybersecurityMaturityModelCertification(CMMC)2.0 | `ProductName == "Microsoft 365 Insider Risk Management"` |
| DNS Essentials | |
| DORA Compliance | `AlertName has_any "Backup Failure"`; `AlertName has_any "Blocked"`; `AlertName has_any "Compliance Violation"`; `AlertName has_any "Credential Access"`; `AlertName has_any "Data Exfiltration"`; `AlertName has_any "Incident Reported"`; `AlertName has_any "Malware"`; `AlertName has_any "Policy Change"`; `AlertName has_any "Service Outage"`; `AlertName has_any "Suspicious Login"`; `AlertName has_any "TLPT"`; `AlertName has_any "Third-Party"`; `AlertName has_any "Threat Intelligence"`; `AlertName has_any "Unauthorized Access"`; `AlertName has_any "Vulnerability Exploitation"` |
| DPDP Compliance | `AlertName contains "PII"`; `AlertName contains "confidential"`; `AlertName contains "intellectual"`; `AlertName contains "leak"`; `AlertName contains "sensitive"`; `AlertName contains "spill"`; `AlertName contains "steal"`; `AlertName contains "theft"`; `Tactics contains "exfil"` |
| ExtraHop | `ProductName == "ExtraHop"` |
| GDPR Compliance & Data Security | `AlertName contains "PII"`; `AlertName contains "confidential"`; `AlertName contains "intellectual"`; `AlertName contains "leak"`; `AlertName contains "sensitive"`; `AlertName contains "spill"`; `AlertName contains "steal"`; `AlertName contains "theft"`; `Tactics contains "exfil"` |
| GreyNoiseThreatIntelligence | |
| HIPAA Compliance | |
| Infoblox | |
| Infoblox SOC Insights | |
| Lumen Defender Threat Feed | |
| MaturityModelForEventLogManagementM2131 | |
| Microsoft Defender Threat Intelligence | |
| Microsoft Defender XDR | |
| Microsoft Defender for Cloud Apps | `AlertType has "DISCOVERY"`; `ProductName == "Microsoft Cloud App Security"` |
| MicrosoftPurviewInsiderRiskManagement | `AlertName contains "PII"`; `AlertName contains "anomal"`; `AlertName contains "confidential"`; `AlertName contains "data"`; `AlertName contains "fusion"`; `AlertName contains "intellectual"`; `AlertName contains "leak"`; `AlertName contains "sensitive"`; `AlertName contains "spill"`; `AlertName contains "steal"`; `AlertName contains "theft"`; `ProductName == "Microsoft 365 Insider Risk Management"`; `ProviderName contains "anomal"`; `ProviderName contains "fusion"`; `Tactics contains "exfil"` |
| NISTSP80053 | `ProductName in "Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management"` |
| Network Session Essentials | |
| ReversingLabs | |
| SAP BTP | `Entities has "SAP BTP"` |
| SOC Handbook | |
| Threat Intelligence | |
| Threat Intelligence (NEW) | |
| ThreatAnalysis&Response | |
| ThreatConnect | |
| Web Session Essentials | |
| ZeroTrust(TIC3.0) | `AlertName contains "mal"`; `Entities contains "Fail"`; `Entities contains "inbound"`; `Entities contains "outbound"`; `ProductName in "Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management"` |
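The criteria above mix four KQL string operators whose semantics differ in ways that decide what a workbook or rule actually shows. `==` is a case-sensitive exact match (`=~` is the case-insensitive form), so `ProductName == "Azure Security Center"` misses a differently cased value. `startswith` and `contains` are case-insensitive, which is why the pair `AlertType startswith "SQL."` / `AlertType startswith "SQl."` in the Azure SQL workbook is one filter written twice. `contains` is a substring match, so `AlertName contains "mal"` also selects alert names containing "anomalous" or "normal"; `has` and `has_any` match whole terms, so `AlertName has "Scan"` selects "Port scan detected" but not "Scanner tool executed". The block below is an added example, not code from any solution on this page; it runs against a constructed `datatable` of SecurityAlert-shaped rows (the alert names, types and product names are invented for the demonstration) so that each operator's behaviour can be seen side by side without touching a live workspace.

```kusto
// Added example (not from any solution listed above). The rows are constructed
// so that each operator used in the selection criteria gives a visibly
// different answer. To run it live, replace the datatable with
//   SecurityAlert | where TimeGenerated > ago(7d)
let Sample = datatable(SystemAlertId:string, AlertName:string, AlertType:string, ProductName:string)
[
  "a1", "Malware detected on host",         "SQL.Malware",  "Azure Security Center",
  "a2", "Anomalous sign-in location",       "IPC_anomaly",  "Azure Active Directory Identity Protection",
  "a3", "Port scan detected",               "K8S_PortScan", "Azure Security Center for IoT",
  "a4", "Scanner tool executed",            "sql.ToolExec", "azure security center",
  "a5", "Normal activity baseline updated", "KV_Baseline",  "Azure Sentinel"
];
Sample
| extend
    Eq_ASC      = ProductName == "Azure Security Center",  // a1 only: == is case-sensitive
    EqCI_ASC    = ProductName =~ "Azure Security Center",  // a1, a4: =~ ignores case
    StartsSQL   = AlertType startswith "SQL.",             // a1, a4: case-insensitive, so "SQl." adds nothing
    ContainsMal = AlertName contains "mal",                // a1, a2, a5: substring also hits "Anomalous", "Normal"
    HasMalware  = AlertName has "Malware",                 // a1 only: whole-term match
    HasScan     = AlertName has "Scan",                    // a3 only: "Scanner" is a different term
    NotSentinel = ProductName !in ("Azure Sentinel")       // a1..a4: drops alerts Sentinel raised from its own rules
| project SystemAlertId, Eq_ASC, EqCI_ASC, StartsSQL, ContainsMal, HasMalware, HasScan, NotSentinel
```

When you author your own content against this table, prefer `has_any` with an explicit list of terms over `contains` with a short fragment, and use `=~` or `in~` for product and provider names unless you have confirmed the exact casing the producer writes. The `ProductName != "Azure Sentinel"` pattern used by one of the content items is how to count upstream product alerts without double-counting the rows Sentinel writes for its own scheduled and fusion rules.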
Parsers Using This Table (2)
Other Parsers (2)
Resource Types
This table collects data from the following Azure resource types:
microsoft.securityinsights/securityinsights
Selection Criteria Summary (43 criteria, 57 total references)
References by type: 10 connectors, 47 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| `ProviderName == "IPC"` | - | 4 | - | - | 4 |
| `ProviderName == "IoTSecurity"` | - | 4 | - | - | 4 |
| `ProviderName == "MDATP"` | 1 | 2 | - | - | 3 |
| `ProductName == "Microsoft 365 Insider Risk Management"` | 1 | 2 | - | - | 3 |
| `ProductName == "Azure Security Center"` | 2 | - | - | - | 2 |
| `AlertName contains "PII"`; `AlertName contains "confidential"`; `AlertName contains "intellectual"`; `AlertName contains "leak"`; `AlertName contains "sensitive"`; `AlertName contains "spill"`; `AlertName contains "steal"`; `AlertName contains "theft"`; `Tactics contains "exfil"` | - | 2 | - | - | 2 |
| `ProductName in "Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management"` | - | 2 | - | - | 2 |
| `ProductName == "Azure Sentinel"` | - | 2 | - | - | 2 |
| `ProductName == "Azure Advanced Threat Protection"` | 1 | - | - | - | 1 |
| `ProductName == "Microsoft Cloud App Security"` | 1 | - | - | - | 1 |
| `ProviderName == "OATP"` | 1 | - | - | - | 1 |
| `ProductName in "Azure Advanced Threat Protection,Microsoft 365 Defender,Microsoft Cloud App Security,Microsoft Defender Advanced Threat Protection,Office 365 Advanced Threat Protection"`; `ProviderName == "Microsoft 365 Defender"` | 1 | - | - | - | 1 |
| `ProductName == "Azure Active Directory Identity Protection"` | 1 | - | - | - | 1 |
| `ProductName == "Azure Security Center for IoT"` | 1 | - | - | - | 1 |
| `AlertName == "Suspicion of Denial Of Service Attack"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName in "Excessive Login Attempts,Excessive Number of Sessions,Excessive SMB login attempts,Password Guessing Attempt Detected"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName has_any "Beckhoff Software Changed"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName in "ARP Spoofing,Abnormal Traffic Bandwidth,Abnormal Traffic Bandwidth Between Devices,ICMP Flooding"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName == "No Traffic Detected on Sensor Interface"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName has "PLC Operating Mode Changed"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName has "Internet"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName has "Scan"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName in "Abnormal usage of MAC Addresses,Field Device Discovered Unexpectedly,New Asset Detected,New LLDP Device Configuration"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName == "Device Failed to Receive a Dynamic IP Address"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `AlertName == "Unauthorized SSH Access"`; `ProviderName == "IoTSecurity"` | - | 1 | - | - | 1 |
| `Entities has "Type"` | - | 1 | - | - | 1 |
| `ProductName !in "Azure Sentinel"` | - | 1 | - | - | 1 |
| `AlertName in "Multiple failed user log on attempts to an app,Password Spray"`; `ProductName in "Azure Active Directory Identity Protection,Microsoft Cloud App Security"` | - | 1 | - | - | 1 |
| `AlertSeverity == "High"`; `ProductName in "Azure Active Directory,Azure Active Directory Identity Protection,Microsoft 365 Defender,Microsoft Cloud App Security,Microsoft Defender ATP,Microsoft Defender Advanced Threat Protection"`; `Tactics in "CredentialAccess,InitialAccess"` | - | 1 | - | - | 1 |
| `AlertSeverity == "High"`; `ProductName has "Azure Active Directory Identity Protection"` | - | 1 | - | - | 1 |
| `ProductName == "Microsoft Defender Advanced Threat Protection"` | - | 1 | - | - | 1 |
| `AlertType startswith "KV_"` | - | 1 | - | - | 1 |
| `AlertType in "K8S_ClusterAdminBinding,K8S_MaliciousContainerExec,K8S_PrivilegedContainer,K8S_SensitiveMount"`; `AlertType startswith "K8S_"` | - | 1 | - | - | 1 |
| `AlertType startswith "SQL."`; `AlertType startswith "SQl."` | - | 1 | - | - | 1 |
| `AlertName contains "auth"`; `AlertName contains "cert"`; `AlertName contains "cred"`; `AlertName contains "password"`; `AlertName contains "secret"`; `ProviderName == "IPC"` | - | 1 | - | - | 1 |
| `ProductName in "Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management,Microsoft Defender Advanced Threat Protection"` | - | 1 | - | - | 1 |
| `AlertName has_any "Backup Failure"`; `AlertName has_any "Blocked"`; `AlertName has_any "Compliance Violation"`; `AlertName has_any "Credential Access"`; `AlertName has_any "Data Exfiltration"`; `AlertName has_any "Incident Reported"`; `AlertName has_any "Malware"`; `AlertName has_any "Policy Change"`; `AlertName has_any "Service Outage"`; `AlertName has_any "Suspicious Login"`; `AlertName has_any "TLPT"`; `AlertName has_any "Third-Party"`; `AlertName has_any "Threat Intelligence"`; `AlertName has_any "Unauthorized Access"`; `AlertName has_any "Vulnerability Exploitation"` | - | 1 | - | - | 1 |
| `ProductName == "ExtraHop"` | - | 1 | - | - | 1 |
| `AlertType has "DISCOVERY"`; `ProductName == "Microsoft Cloud App Security"` | - | 1 | - | - | 1 |
| `AlertName contains "PII"`; `AlertName contains "anomal"`; `AlertName contains "confidential"`; `AlertName contains "data"`; `AlertName contains "fusion"`; `AlertName contains "intellectual"`; `AlertName contains "leak"`; `AlertName contains "sensitive"`; `AlertName contains "spill"`; `AlertName contains "steal"`; `AlertName contains "theft"`; `ProductName == "Microsoft 365 Insider Risk Management"`; `ProviderName contains "anomal"`; `ProviderName contains "fusion"`; `Tactics contains "exfil"` | - | 1 | - | - | 1 |
| `Entities has "SAP BTP"` | - | 1 | - | - | 1 |
| `DisplayName has "Incident"`; `DisplayName has "Investigation"`; `DisplayName has "Security operations efficiency"` | - | 1 | - | - | 1 |
| `AlertName contains "mal"`; `Entities contains "Fail"`; `Entities contains "inbound"`; `Entities contains "outbound"`; `ProductName in "Azure Active Directory Identity Protection,Azure Security Center for IoT,Microsoft 365 Insider Risk Management"` | - | 1 | - | - | 1 |
| **Total** | 10 | 47 | 0 | 0 | 57 |
AlertName
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains PII | - | 3 | - | - | 3 |
| contains confidential | - | 3 | - | - | 3 |
| contains intellectual | - | 3 | - | - | 3 |
| contains leak | - | 3 | - | - | 3 |
| contains sensitive | - | 3 | - | - | 3 |
| contains spill | - | 3 | - | - | 3 |
| contains steal | - | 3 | - | - | 3 |
| contains theft | - | 3 | - | - | 3 |
| Suspicion of Denial Of Service Attack | - | 1 | - | - | 1 |
| Excessive Login Attempts | - | 1 | - | - | 1 |
| Excessive Number of Sessions | - | 1 | - | - | 1 |
| Excessive SMB login attempts | - | 1 | - | - | 1 |
| Password Guessing Attempt Detected | - | 1 | - | - | 1 |
| has_any Beckhoff Software Changed | - | 1 | - | - | 1 |
| ARP Spoofing | - | 1 | - | - | 1 |
| Abnormal Traffic Bandwidth | - | 1 | - | - | 1 |
| Abnormal Traffic Bandwidth Between Devices | - | 1 | - | - | 1 |
| ICMP Flooding | - | 1 | - | - | 1 |
| No Traffic Detected on Sensor Interface | - | 1 | - | - | 1 |
| has PLC Operating Mode Changed | - | 1 | - | - | 1 |
| has Internet | - | 1 | - | - | 1 |
| has Scan | - | 1 | - | - | 1 |
| Abnormal usage of MAC Addresses | - | 1 | - | - | 1 |
| Field Device Discovered Unexpectedly | - | 1 | - | - | 1 |
| New Asset Detected | - | 1 | - | - | 1 |
| New LLDP Device Configuration | - | 1 | - | - | 1 |
| Device Failed to Receive a Dynamic IP Address | - | 1 | - | - | 1 |
| Unauthorized SSH Access | - | 1 | - | - | 1 |
| Multiple failed user log on attempts to an app | - | 1 | - | - | 1 |
| Password Spray | - | 1 | - | - | 1 |
| contains auth | - | 1 | - | - | 1 |
| contains cert | - | 1 | - | - | 1 |
| contains cred | - | 1 | - | - | 1 |
| contains password | - | 1 | - | - | 1 |
| contains secret | - | 1 | - | - | 1 |
| has_any Backup Failure | - | 1 | - | - | 1 |
| has_any Blocked | - | 1 | - | - | 1 |
| has_any Compliance Violation | - | 1 | - | - | 1 |
| has_any Credential Access | - | 1 | - | - | 1 |
| has_any Data Exfiltration | - | 1 | - | - | 1 |
| has_any Incident Reported | - | 1 | - | - | 1 |
| has_any Malware | - | 1 | - | - | 1 |
| has_any Policy Change | - | 1 | - | - | 1 |
| has_any Service Outage | - | 1 | - | - | 1 |
| has_any Suspicious Login | - | 1 | - | - | 1 |
| has_any TLPT | - | 1 | - | - | 1 |
| has_any Third-Party | - | 1 | - | - | 1 |
| has_any Threat Intelligence | - | 1 | - | - | 1 |
| has_any Unauthorized Access | - | 1 | - | - | 1 |
| has_any Vulnerability Exploitation | - | 1 | - | - | 1 |
| contains anomal | - | 1 | - | - | 1 |
| contains data | - | 1 | - | - | 1 |
| contains fusion | - | 1 | - | - | 1 |
| contains mal | - | 1 | - | - | 1 |
AlertSeverity
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| High | - | 2 | - | - | 2 |
AlertType
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| startswith KV_ | - | 1 | - | - | 1 |
| K8S_ClusterAdminBinding | - | 1 | - | - | 1 |
| K8S_MaliciousContainerExec | - | 1 | - | - | 1 |
| K8S_PrivilegedContainer | - | 1 | - | - | 1 |
| K8S_SensitiveMount | - | 1 | - | - | 1 |
| startswith K8S_ | - | 1 | - | - | 1 |
| startswith SQL. | - | 1 | - | - | 1 |
| startswith SQl. | - | 1 | - | - | 1 |
| has DISCOVERY | - | 1 | - | - | 1 |
DisplayName
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has Incident | - | 1 | - | - | 1 |
| has Investigation | - | 1 | - | - | 1 |
| has Security operations efficiency | - | 1 | - | - | 1 |
Entities
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has Type | - | 1 | - | - | 1 |
| has SAP BTP | - | 1 | - | - | 1 |
| contains Fail | - | 1 | - | - | 1 |
| contains inbound | - | 1 | - | - | 1 |
| contains outbound | - | 1 | - | - | 1 |
ProductName
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Microsoft 365 Insider Risk Management | 1 | 7 | - | - | 8 |
| Azure Active Directory Identity Protection | 1 | 6 | - | - | 7 |
| Microsoft Cloud App Security | 2 | 3 | - | - | 5 |
| Azure Security Center for IoT | 1 | 4 | - | - | 5 |
| Microsoft Defender Advanced Threat Protection | 1 | 3 | - | - | 4 |
| Azure Advanced Threat Protection | 2 | - | - | - | 2 |
| Azure Security Center | 2 | - | - | - | 2 |
| Microsoft 365 Defender | 1 | 1 | - | - | 2 |
| Azure Sentinel | - | 2 | - | - | 2 |
| Office 365 Advanced Threat Protection | 1 | - | - | - | 1 |
| != Azure Sentinel | - | 1 | - | - | 1 |
| Azure Active Directory | - | 1 | - | - | 1 |
| Microsoft Defender ATP | - | 1 | - | - | 1 |
| has Azure Active Directory Identity Protection | - | 1 | - | - | 1 |
| ExtraHop | - | 1 | - | - | 1 |
ProviderName
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| IoTSecurity | - | 15 | - | - | 15 |
| IPC | - | 5 | - | - | 5 |
| MDATP | 1 | 2 | - | - | 3 |
| OATP | 1 | - | - | - | 1 |
| Microsoft 365 Defender | 1 | - | - | - | 1 |
| contains anomal | - | 1 | - | - | 1 |
| contains fusion | - | 1 | - | - | 1 |
Tactics
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| contains exfil | - | 3 | - | - | 3 |
| CredentialAccess | - | 1 | - | - | 1 |
| InitialAccess | - | 1 | - | - | 1 |