WindowsEvent

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Reference for WindowsEvent table in Azure Monitor Logs.

Attribute	Value
Category	Windows
Basic Logs Eligible	✗ No (source)
Supports Transformations	✓ Yes (source)
Ingestion API Supported	✓ Yes
Azure Monitor Tables Reference	View Documentation
Azure Monitor Logs Ingestion API	View Documentation

Schema
Solutions
Connectors
Content Items
Parsers
Resource Types

Schema (26 columns)

Source: Azure Monitor documentation

Column Name	Type	Description
_BilledSize	real	The record size in bytes
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable isfalseingestion isn't billed to your Azure account
_ResourceId	string	A unique identifier for the resource that the record is associated with
_SubscriptionId	string	A unique identifier for the subscription that the record is associated with
Channel	string	The channel to which the event was logged.
Computer	string	The name of the computer on which the event occurred.
Correlation	string	The activity identifiers that consumers can use to group related events together.
EventData	dynamic	Contains the event data parsed to dynamic type. If the parsing fails then this field will contain null and the RawEventData field will be populated.
EventID	int	The identifier that the provider used to identify the event.
EventLevel	int	Contains the severity level of the event.
EventLevelName	string	The rendered message string of the level specified in the event.
EventOriginId	string	VM ID obtained from the Azure Instance Metadata Service (IMDS).
EventRecordId	string	The record number assigned to the event when it was logged.
Keywords	string	A bitmask of the keywords defined in the event.
ManagementGroupName	string	Additional information based on the resource type.
Opcode	string	The opcode element is defined by the SystemPropertiesType complex type.
Provider	string	System Properties Type - Identifies the provider that logged the event.
RawEventData	string	The raw event XML when parsing fails. It's null when parsing successful.
SystemProcessId	int	Identifies the process that generated the event.
SystemThreadId	int	Identifies the thread that generated the event.
SystemUserId	string	The ID of the user who is responsible for the event.
Task	int	The task defined in the event.
TenantId	string	The Log Analytics workspace ID
TimeGenerated	datetime	The time stamp when the event was generated on the computer.
Type	string	The name of the table
Version	int	Contains the version number of the event's definition.

Solutions (10)

This table is used by the following solutions:

Connectors (1)

This table is ingested by the following connectors:

Connector	Selection Criteria
Windows Forwarded Events

Content Items Using This Table (54)

Analytic Rules (39)

In solution Attacker Tools Threat Protection Essentials:

Analytic Rule	Selection Criteria
Powershell Empire Cmdlets Executed in Command Line

In solution Endpoint Threat Protection Essentials:

Analytic Rule	Selection Criteria
Base64 encoded Windows process command-lines
Malware in the recycle bin
Process executed from binary hidden in Base64 encoded file
Security Event log cleared	`EventID == "1102"` `Provider == "Microsoft-Windows-Eventlog"`

In solution Lumen Defender Threat Feed:

Analytic Rule	Selection Criteria
Lumen TI IPAddress in WindowsEvents

In solution Network Threat Protection Essentials:

Analytic Rule	Selection Criteria
Network endpoint to host executable correlation

In solution Threat Intelligence:

Analytic Rule	Selection Criteria
TI map Email entity to SecurityEvent
TI map File Hash to Security Event

In solution Threat Intelligence (NEW):

Analytic Rule	Selection Criteria
TI map Email entity to SecurityEvent
TI map File Hash to Security Event

In solution Windows Forwarded Events: EventID == "4688"

Analytic Rule
Caramel Tsunami Actor IOC - July 2021
Chia_Crypto_Mining IOC - June 2021

Standalone Content:

Analytic Rule	Selection Criteria
AD account with Don't Expire Password	`EventID == "4738"`
ADFS DKM Master Key Export
Account added and removed from privileged groups
Email access via active sync
Failed AzureAD logons but success logon to host
Failed host logons but success logon to AzureAD	`EventID == "4625"`
Failed logon attempts by valid accounts within 10 mins
Gain Code Execution on ADFS Server via Remote WMI Execution	`EventID in "1,19,20,21,4624,4688"`
Group created then added to built in domain local or global group	`EventID in "4727,4728,4731,4732,4754,4756"`
Microsoft Entra ID Health Monitoring Agent Registry Keys Access	`EventID in "4656,4663"`
Microsoft Entra ID Health Service Agents Registry Keys Access
Midnight Blizzard - Script payload stored in Registry
Midnight Blizzard - suspicious rundll32.exe execution of vbscript
Multiple Password Reset by user	`EventID in "4723,4724"`
Multiple RDP connections from Single System
New user created and added to the built-in administrators group
Potential Build Process Compromise	`EventID in "4663,4688"`
Potential Kerberoasting	`EventID == "4769"`
RDP Nesting	`EventID == "4624"`
Rare RDP Connections
Security Service Registry ACL Modification	`EventID in "4670,4688"`
Silk Typhoon New UM Service Child Process	`EventID == "4688"`
Solorigate Named Pipe	`EventID in "17,18,5145"`
User account added to built in domain local or global group	`EventID in "4728,4732,4756"`
User account created and deleted within 10 mins	`EventID in "4720,4726"`
User account enabled and disabled within 10 mins	`EventID in "4722,4725"`

Hunting Queries (13)

In solution Attacker Tools Threat Protection Essentials:

Hunting Query	Selection Criteria
Potential Impacket Execution

In solution Endpoint Threat Protection Essentials:

Hunting Query	Selection Criteria
Backup Deletion
Persisting via IFEO Registry Key	`EventID in "12,13,4657"`
Potential Microsoft Security Services Tampering	`EventID in "4688,87"`

In solution Legacy IOC based Threat Protection:

Hunting Query	Selection Criteria
Dev-0056 Command Line Activity November 2021
Known Nylon Typhoon Registry modifications patterns	`EventID in "12,13,4657"`
Nylon Typhoon Command Line Activity November 2021
SolarWinds Inventory	`EventID in "1,4688"`

In solution Windows Security Events:

Hunting Query	Selection Criteria
Domain controller installation media creation
Establishing internal proxies

Standalone Content:

Hunting Query	Selection Criteria
Tracking Password Changes

GitHub Only:

Hunting Query	Selection Criteria
Critical user management operations followed by disabling of System Restore from admin account	`EventID == "4688"`
Possible command injection attempts against Azure Integration Runtimes

Workbooks (2)

GitHub Only:

Workbook	Selection Criteria
AMAmigrationTracker
MicrosoftSentinelDeploymentandMigrationTracker

Parsers Using This Table (13)

ASIM Parsers (13)

Parser	Schema	Product	Selection Criteria
ASimAuditEventMicrosoftWindowsEvents	AuditEvent	Microsoft Windows	`Provider == "Microsoft-Windows-Eventlog"`
ASimDnsMicrosoftSysmonWindowsEvent	Dns	Microsoft Windows Events Sysmon	`EventID == "22"` `Provider == "Microsoft-Windows-Sysmon"`
ASimFileEventMicrosoftSysmonWindowsEvent	FileEvent	Windows Sysmon	`EventID in "11,23,26"` `Provider == "Microsoft-Windows-Sysmon"`
ASimFileEventMicrosoftWindowsEvents	FileEvent	Microsoft Windows Events	`EventID == "4663"`
ASimNetworkSessionMicrosoftSysmonWindowsEvent	NetworkSession	Windows Sysmon	`EventID == "3"` `Provider == "Microsoft-Windows-Sysmon"`
ASimNetworkSessionMicrosoftWindowsEventFirewall	NetworkSession	Windows Firewall	`EventID in "5154,5155,5156,5158,5159"`
ASimProcessCreateMicrosoftWindowsEvents	ProcessEvent	Security Events	`EventID == "4688"`
ASimProcessEventCreateMicrosoftSysmonWindowsEvent	ProcessEvent	Sysmon	`EventID == "1"` `Provider == "Microsoft-Windows-Sysmon"`
ASimProcessEventTerminateMicrosoftSysmonWindowsEvent	ProcessEvent	Microsoft Windows Events Sysmon	`EventID == "5"` `Provider == "Microsoft-Windows-Sysmon"`
ASimProcessTerminateMicrosoftWindowsEvents	ProcessEvent	Security Events	`EventID == "4689"`
ASimRegistryEventMicrosoftSysmonWindowsEvent	RegistryEvent	Microsoft Sysmon	`EventID in "12,13,14"` `Provider == "Microsoft-Windows-Sysmon"`
ASimRegistryEventMicrosoftWindowsEvent	RegistryEvent	Security Events	`EventID in "4657,4663"`
ASimUserManagementMicrosoftWindowsEvent	UserManagement	Microsoft Windows Event

Resource Types

This table collects data from the following Azure resource types:

microsoft.securityinsights/securityinsights

Selection Criteria Summary (30 criteria, 35 total references)

References by type: 0 connectors, 23 content items, 12 ASIM parsers, 0 other parsers.

Selection Criteria	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`EventID == "4688"`	-	4	1	-	5
`EventID in "12,13,4657"`	-	2	-	-	2
`EventID == "1102"` `Provider == "Microsoft-Windows-Eventlog"`	-	1	-	-	1
`EventID in "1,19,20,21,4624,4688"`	-	1	-	-	1
`EventID == "4625"`	-	1	-	-	1
`EventID in "4723,4724"`	-	1	-	-	1
`EventID in "4670,4688"`	-	1	-	-	1
`EventID in "4656,4663"`	-	1	-	-	1
`EventID in "4727,4728,4731,4732,4754,4756"`	-	1	-	-	1
`EventID == "4738"`	-	1	-	-	1
`EventID in "4663,4688"`	-	1	-	-	1
`EventID == "4769"`	-	1	-	-	1
`EventID == "4624"`	-	1	-	-	1
`EventID in "17,18,5145"`	-	1	-	-	1
`EventID in "4728,4732,4756"`	-	1	-	-	1
`EventID in "4720,4726"`	-	1	-	-	1
`EventID in "4722,4725"`	-	1	-	-	1
`EventID in "4688,87"`	-	1	-	-	1
`EventID in "1,4688"`	-	1	-	-	1
`Provider == "Microsoft-Windows-Eventlog"`	-	-	1	-	1
`EventID == "22"` `Provider == "Microsoft-Windows-Sysmon"`	-	-	1	-	1
`EventID in "11,23,26"` `Provider == "Microsoft-Windows-Sysmon"`	-	-	1	-	1
`EventID == "4663"`	-	-	1	-	1
`EventID == "3"` `Provider == "Microsoft-Windows-Sysmon"`	-	-	1	-	1
`EventID in "5154,5155,5156,5158,5159"`	-	-	1	-	1
`EventID == "1"` `Provider == "Microsoft-Windows-Sysmon"`	-	-	1	-	1
`EventID == "5"` `Provider == "Microsoft-Windows-Sysmon"`	-	-	1	-	1
`EventID == "4689"`	-	-	1	-	1
`EventID in "12,13,14"` `Provider == "Microsoft-Windows-Sysmon"`	-	-	1	-	1
`EventID in "4657,4663"`	-	-	1	-	1
Total	0	23	12	0	35

EventID

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`4688`	-	9	1	-	10
`4663`	-	2	2	-	4
`1`	-	2	1	-	3
`12`	-	2	1	-	3
`13`	-	2	1	-	3
`4657`	-	2	1	-	3
`4624`	-	2	-	-	2
`4728`	-	2	-	-	2
`4732`	-	2	-	-	2
`4756`	-	2	-	-	2
`1102`	-	1	-	-	1
`19`	-	1	-	-	1
`20`	-	1	-	-	1
`21`	-	1	-	-	1
`4625`	-	1	-	-	1
`4723`	-	1	-	-	1
`4724`	-	1	-	-	1
`4670`	-	1	-	-	1
`4656`	-	1	-	-	1
`4727`	-	1	-	-	1
`4731`	-	1	-	-	1
`4754`	-	1	-	-	1
`4738`	-	1	-	-	1
`4769`	-	1	-	-	1
`17`	-	1	-	-	1
`18`	-	1	-	-	1
`5145`	-	1	-	-	1
`4720`	-	1	-	-	1
`4726`	-	1	-	-	1
`4722`	-	1	-	-	1
`4725`	-	1	-	-	1
`87`	-	1	-	-	1
`22`	-	-	1	-	1
`11`	-	-	1	-	1
`23`	-	-	1	-	1
`26`	-	-	1	-	1
`3`	-	-	1	-	1
`5154`	-	-	1	-	1
`5155`	-	-	1	-	1
`5156`	-	-	1	-	1
`5158`	-	-	1	-	1
`5159`	-	-	1	-	1
`5`	-	-	1	-	1
`4689`	-	-	1	-	1
`14`	-	-	1	-	1

Provider

Value	Connectors	Content Items	ASIM Parsers	Other Parsers	Total
`Microsoft-Windows-Sysmon`	-	-	6	-	6
`Microsoft-Windows-Eventlog`	-	1	1	-	2