Reference for SentinelBehaviorEntities table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Security |
| Basic Logs Eligible | ✓ Yes |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is `false`, ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| AccountDomain | string | Domain of the account. |
| AccountName | string | User name of the account. |
| AccountObjectId | string | Unique identifier for the account in Microsoft Entra ID. |
| AccountSid | string | Security Identifier (SID) of the account. |
| AccountUpn | string | User principal name (UPN) of the account. |
| ActionType | string | Type of behavior. |
| AdditionalFields | string | Additional information about the entity or event. |
| Application | string | Application that performed the recorded action. |
| ApplicationId | string | Unique identifier for the application. |
| BehaviorId | string | Unique identifier for the behavior. |
| Categories | string | Type of threat indicator or breach activity identified by the behavior. |
| CloudPlatform | string | The cloud platform that the resource belongs to. Can be Azure, Amazon Web Services, or Google Cloud Platform. |
| CloudResource | string | Cloud resource name. |
| CloudResourceId | string | Unique identifier of the cloud resource accessed. |
| CloudResourceType | string | Type of cloud resource. |
| CloudSubscriptionId | string | Unique identifier of the cloud service subscription. |
| DataSources | string | Products or services that provided information for the behavior. |
| DetailedEntityRole | string | The role of the entity in the behavior. |
| DetectionSource | string | Detection technology or sensor that identified the notable component or activity. |
| DeviceId | string | Unique identifier for the device in the service. |
| DeviceName | string | Fully qualified domain name (FQDN) of the device. |
| EmailClusterId | string | Identifier for the group of similar emails clustered based on heuristic analysis of their contents. |
| EmailSubject | string | Subject of the email. |
| EntityRole | string | Indicates whether the entity is impacted or merely related. |
| EntityType | string | Type of object, such as a file, a process, a device, or a user. |
| FileName | string | Name of the file that the behavior applies to. |
| FileSize | long | Size, in bytes, of the file that the behavior applies to. |
| FolderPath | string | Folder containing the file that the behavior applies to. |
| LocalIP | string | IP address assigned to the local machine used during communication. |
| NetworkMessageId | string | Unique identifier for the email in UUID format, generated by Office 365. |
| OAuthApplicationId | string | Unique identifier of the third-party OAuth application in UUID format. |
| ProcessCommandLine | string | Command line used to create the new process. |
| RegistryKey | string | Registry key that the recorded action was applied to. |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to. |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to. |
| RemoteIP | string | IP address that was being connected to. |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to. |
| ServiceSource | string | Product or service that identified the behavior. |
| SHA1 | string | SHA-256 of the file that the behavior applies to. |
| SHA256 | string | SHA-256 of the file. Empty unless EntityType is "File" or "Process". |
| SourceSystem | string | The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| ThreatFamily | string | Malware family that the suspicious or malicious file or process has been classified under. |
| TimeGenerated | datetime | Date and time when the record was generated. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution UEBA Essentials:
| Workbook | Selection Criteria |
|---|---|
| UEBABehaviorsAnalysisWorkbook | |
This table collects data from the following Azure resource types:
microsoft.securityinsights/securityinsights