Reference for SentinelBehaviorEntities table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Security |
| Basic Logs Eligible | ✓ Yes |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID. |
| AccountSid | string | Security Identifier (SID) of the account. |
| AccountUpn | string | User principal name (UPN) of the account. |
| ActionType | string | Type of behavior. |
| AdditionalFields | string | Additional information about the entity or event. |
| Application | string | Application that performed the recorded action. |
| ApplicationId | string | Unique identifier for the application. |
| BehaviorId | string | Unique identifier for the behavior. |
| Categories | string | Type of threat indicator or breach activity identified by the behavior. |
| CloudPlatform | string | The cloud platform that the resource belongs to, can be Azure, Amazon Web Services, or Google Cloud Platform. |
| CloudResource | string | Cloud resource name. |
| CloudResourceId | string | Unique identifier of the cloud resource accessed. |
| CloudResourceType | string | Type of cloud resource. |
| CloudSubscriptionId | string | Unique identifier of the cloud service subscription. |
| DataSources | string | Products or services that provided information for the behavior. |
| DetailedEntityRole | string | The role of the entity in the behavior. |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| EmailClusterId | string | Identifier for the group of similar emails clustered based on heuristic analysis of their contents. |
| EmailSubject | string | Subject of the email. |
| EntityRole | string | Indicates whether the entity is impacted or merely related. |
| EntityType | string | Type of object, such as a file, a process, a device, or a user. |
| FileName | string | Name of the file that the behavior applies to. |
| FileSize | long | Size, in bytes, of the file that the behavior applies to. |
| FolderPath | string | Folder containing the file that the behavior applies to. |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| NetworkMessageId | string | Unique identifier for the email in UUID format, generated by Office 365. |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application in UUID format. |
| ProcessCommandLine | string | Command line used to create the new process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ServiceSource | string | Product or service that identified the behavior. |
| SHA1 | string | SHA-256 of the file that the behavior applies to. |
| SHA256 | string | SHA-256 of the file. Empty unless EntityType is "File" or "Process". |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under. |
| TimeGenerated | datetime | Date and time when the record was generated. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution UEBA Essentials: EntityType != "Ip"
| Workbook |
|---|
| UEBABehaviorsAnalysisWorkbook |
This table collects data from the following Azure resource types:
microsoft.securityinsights/securityinsights

References by type: 0 connectors, 1 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| EntityType != "Ip" | - | 1 | - | - | 1 |
| Total | 0 | 1 | 0 | 0 | 1 |

| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| != Ip | - | 1 | - | - | 1 |