Security events collected from Windows machines by Microsoft Defender for Cloud (formerly Azure Security Center) or Microsoft Sentinel (formerly Azure Sentinel).
Attribute | Value |
---|---|
Resource types | microsoft.securityinsights/securityinsights, microsoft.compute/virtualmachines, microsoft.connectedvmwarevsphere/virtualmachines, microsoft.azurestackhci/virtualmachines, microsoft.scvmm/virtualmachines, microsoft.compute/virtualmachinescalesets |
Categories | Security |
Solutions | Security, SecurityInsights |
Basic log | No |
Ingestion-time transformation | Yes |
Sample Queries | Yes |
Column | Type | Description |
---|---|---|
AccessMask | string | Hexadecimal mask for the requested or performed operation. |
Account | string | The security context for services or users. |
AccountDomain | string | Subject's domain or computer name. |
AccountExpires | string | The date when the account expires. |
AccountName | string | The name of the account that requested the operation (for trust-removal events, the account that requested the "remove domain trust" operation). |
AccountSessionIdentifier | string | A unique identifier that is generated by the machine when the session is created. |
AccountType | string | Identifies whether the account is a computer account (machine) or a user account. |
Activity | string | The descriptive title of the event that occurred. |
AdditionalInfo | string | Additional information provided by the source that is not mapped to other fields, represented as a list. |
AdditionalInfo2 | string | Additional information provided by the source that is not mapped to other fields, represented as a list. |
AllowedToDelegateTo | string | The list of SPNs to which this account can present delegated credentials. |
Attributes | string | Additional information about the event. |
AuditPolicyChanges | string | The changes that were made to the system audit policy or to the audit settings of an object, as a list of values such as 'Success Added', 'Success Removed', 'Failure Added' or 'Failure Removed'. |
AuditsDiscarded | int | Number of audit messages that were discarded. |
AuthenticationLevel | int | The RPC authentication level that was used for the call (none, connect, call, packet, packet integrity or packet privacy). |
AuthenticationPackageName | string | The name of the loaded authentication package. For package-load events the format is DLL_PATH_AND_NAME: AUTHENTICATION_PACKAGE_NAME; for logon events it is the package name alone, for example NTLM, Kerberos or Negotiate. |
AuthenticationProvider | string | The identity of the provider responsible for the authentication process (can include a certificate authority, a username, a password authentication system, etc). |
AuthenticationServer | string | The server on which the authentication provider is located. |
AuthenticationService | int | The authentication service that was used (for RPC events, the RPC authentication service). |
AuthenticationType | string | The type of authentication that was used for the event (two-factor authentication, biometric authentication, etc). |
AzureDeploymentID | string | Azure deployment ID of the cloud service the log belongs to. |
_BilledSize | real | The record size in bytes |
CACertificateHash | string | The hash value of the certificate authority's (CA) certificate that was used to authenticate the user who performed the event. |
CalledStationID | string | Information about the ID of the station that initiated the action that led to the security event. |
CallerProcessId | string | Hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
CallerProcessName | string | Full path and the name of the executable for the process. |
CallingStationID | string | Information about the ID of the station that initiated the action that led to the security event. |
CAPublicKeyHash | string | Hash value that identifies the public key of a certification authority (CA) that issued a certificate. |
CategoryId | string | The category of the security event that occurred (login attempt, data breach, etc). |
CertificateDatabaseHash | string | Hash value that identifies the database that issued a certificate. |
Channel | string | The channel to which the event was logged. |
ClassId | string | 'Class Guid' attribute of device. |
ClassName | string | 'Class' attribute of device. |
ClientAddress | string | IP address of the computer from which the TGT request was received. |
ClientIPAddress | string | IP address of the computer that initiated the action that led to the event. |
ClientName | string | Computer name from which the user was reconnected. Has 'Unknown' value for a console session. |
CommandLine | string | The command line arguments that were passed to an application or process that was involved in the event. |
CompatibleIds | string | 'Compatible Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
Computer | string | The name of the computer on which the event occurred. |
Correlation | string | The activity identifiers that consumers can use to group related events together. |
DCDNSName | string | The DNS name of the domain controller that was involved in the event. |
DeviceDescription | string | The description of the device that was involved in the event. |
DeviceId | string | The unique identifier of the device that was involved in the event. |
DisplayName | string | The name displayed in the address book for the account; usually the combination of the user's first name, middle initial and last name. |
Disposition | string | The event outcome/ resolution, such as whether the event was resolved or whether any action was taken in response to the event. |
DomainBehaviorVersion | string | The msDS-Behavior-Version attribute of the domain (numeric), recorded when it is modified. |
DomainName | string | The name of the trusted domain involved in the event (for trust-removal events, the removed trusted domain). |
DomainPolicyChanged | string | Indicates whether any domain policies have been changed as part of the event (password policies, security policies, etc). |
DomainSid | string | SID of the trust partner. This parameter might not be captured in the event, and in that case appears as 'NULL SID'. |
EAPType | string | The type of Extensible Authentication Protocol (EAP) that was used for the event authentication process. |
ElevatedToken | string | A 'Yes' or 'No' flag. If 'Yes', then the session this event represents is elevated and has administrator privileges. |
ErrorCode | int | Contains error code for Failure events. For Success events this parameter has '0x0' value. |
EventData | string | Event specific data associated with the event. |
EventID | int | The identifier that the provider used to identify the event. |
EventLevelName | string | The rendered message string of the level specified in the event. |
EventRecordId | string | The record number assigned to the event when it was logged. |
EventSourceName | string | The name of the software that logs the event (an application or a subcomponent). |
ExtendedQuarantineState | string | The state of the network quarantine process, if applicable. Network quarantine is a process by which unauthorized devices are prevented from accessing a network until they meet certain security requirements or have been checked for malware. |
FailureReason | string | Textual explanation of the Status field value, for example 'Account locked out' or 'Unknown user name or bad password'. |
FileHash | string | The hash value for any files that were accessed or modified as part of the event, or any files that were used in the authentication or authorization process. |
FilePath | string | Full path and filename of the key file on which the operation was performed. |
FilePathNoUser | string | The path of any files that are related to the event, excluding the username or other user-specific information. |
Filter | string | Filters that are used in the performed event. |
ForceLogoff | string | '\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire' group policy. |
Fqbn | string | The fully qualified binary name (FQBN) for any files that are related to the event. |
FullyQualifiedSubjectMachineName | string | The fully qualified domain name (FQDN) of the machine that initiated the event. |
FullyQualifiedSubjectUserName | string | The username of the user or service that initiated the event in FQDN format. |
GroupMembership | string | The list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. |
HandleId | string | Hexadecimal value of a handle to Object Name. This field can be used for correlation with other events. |
HardwareIds | string | 'Hardware Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
HomeDirectory | string | User's home directory. If the homeDrive attribute is set and specifies a drive letter, homeDirectory should be a UNC path of the form \\Server\Share\Directory. |
HomePath | string | User's home path. The path must be a network UNC of the form \\Server\Share\Directory. |
InterfaceUuid | string | The unique identifier (UUID) for the network interface that was used for the event. |
IpAddress | string | The network address (usually IPv4 or IPv6) associated with the event. |
IpPort | string | The network port number associated with the event. |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
KeyLength | int | The length of the NTLM session security key, typically 128 or 56 bits. Always 0 for Kerberos logons, because the field does not apply to that protocol. |
Keywords | string | A bitmask of the keywords defined in the event. |
Level | string | Windows categorizes every event with a severity level. From most to least severe, the levels are critical, error, warning, information and verbose, expressed as numbers. |
LmPackageName | string | The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon: LM, NTLM V1 or NTLM V2. Has '-' value if the authentication package was not NTLM. |
LocationInformation | string | 'Location information' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
LockoutDuration | string | '\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration' group policy. Numeric value. |
LockoutObservationWindow | string | '\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after' group policy. Numeric value. |
LockoutThreshold | string | '\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold' group policy. Numeric value. |
LoggingResult | string | The result of the logging operation for the event (for example, whether accounting information was written to the local log file). |
LogonGuid | string | A GUID that can help you correlate this event with another event that can contain the same Logon GUID. |
LogonHours | string | Hours that the account is allowed to logon to the domain. |
LogonID | string | Hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID. |
LogonProcessName | string | The name of registered logon process. |
LogonType | int | The type of logon which was performed. |
LogonTypeName | string | The type of logon or authentication event that is being captured by the event log (common values:Interactive, Network, RemoteInteractive, Unlock). |
MachineAccountQuota | string | The ms-DS-MachineAccountQuota attribute of the domain (numeric), recorded when it is modified. |
MachineInventory | string | Information about the hardware configuration and software environment of the computer where the event is being generated. It can include different data points, for instance: the make and model of the computer, the amount of RAM or storage space available, the version numbers of various software applications, etc). |
MachineLogon | string | Information about a successful logon event on the machine. |
ManagementGroupName | string | Additional information based on the resource type. |
MandatoryLabel | string | SID of the integrity label that was assigned to the new process (for example, S-1-16-12288 for high integrity). |
MaxPasswordAge | string | The period of time (in days) that a password can be used before the system requires the user to change it. |
MemberName | string | The user account that was involved in the event. |
MemberSid | string | The security identifier (SID) associated with the user account that was involved in the event. |
MinPasswordAge | string | The period of time (in days) that a password must be used before the system requires the user to change it. |
MinPasswordLength | string | The least number of characters that can make up a password for a user account. |
MixedDomainMode | string | The domain mode of a system or domain controller. |
NASIdentifier | string | The identifier of the network access server (NAS) that was involved in the event. |
NASIPv4Address | string | The IPv4Address of the network access server (NAS) that was involved in the event, if applicable. |
NASIPv6Address | string | The IPv6Address of the network access server (NAS) that was involved in the event, if applicable. |
NASPort | string | The port on the network access server that was used in the event. |
NASPortType | string | The type of network access server (NAS) used in the event. |
NetworkPolicyName | string | The name of the network policy associated with the event. |
NewDate | string | New date in UTC time zone. The format is YYYY-MM-DD. |
NewMaxUsers | string | The new maximum number of users allowed for a resource in the event. |
NewProcessId | string | Hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. |
NewProcessName | string | Full path and the name of the executable for the new process. |
NewRemark | string | The new value of network share 'Comments:' field. Has 'N/A' value if it isn't set. |
NewShareFlags | string | The share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions. |
NewTime | string | New time that was set in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ |
NewUacValue | string | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the new value of the userAccountControl attribute of the user object. |
NewValue | string | New value for changed registry key value. |
NewValueType | string | New type of changed registry key value. |
ObjectName | string | Name and other identifying information for the object for which access was requested. For example, for a file, the path would be included. |
ObjectServer | string | Contains the name of the Windows subsystem calling the routine. |
ObjectType | string | The type of an object that was accessed during the operation. |
ObjectValueName | string | The name of modified registry key value. |
OemInformation | string | The original equipment manufacturer (OEM) associated with a device or system in the event. |
OldMaxUsers | string | The previous maximum number of users allowed for a resource in the event. |
OldRemark | string | The old value of network share 'Comments:' field. Has 'N/A' value if it isn't set. |
OldShareFlags | string | The previous share flags associated with a resource in the event, for instance: information on whether the resource is read-only or read/write, whether it is hidden, and other parameters that can affect access and permissions. |
OldUacValue | string | Specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of userAccountControl attribute of user object. |
OldValue | string | Old value for changed registry key value. |
OldValueType | string | Old type of changed registry key value. |
Opcode | string | The opcode of the event, which identifies the activity, or a point within an activity, that the component was performing when it raised the event. |
OperationType | string | The type of operation which was performed on an object |
PackageName | string | The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during logon. |
ParentProcessName | string | The name of the parent process associated with the event. |
PasswordHistoryLength | string | '\Security Settings\Account Policies\Password Policy\Enforce password history' group policy. Numeric value. |
PasswordLastSet | string | Last time the account's password was modified. |
PasswordProperties | string | The password policies or properties associated with the event, for example: password length, complexity and expiration date. |
PreviousDate | string | The previous date associated with the event. |
PreviousTime | string | Previous time in UTC time zone. The format is YYYY-MM-DDThh:mm:ss.nnnnnnnZ. |
PrimaryGroupId | string | Relative Identifier (RID) of user's object primary group. |
PrivateKeyUsageCount | string | The number of times a private key has been used. |
PrivilegeList | string | The privileges, including user, group, or system privileges associated with the event. |
Process | string | The name of the process that generates the event. |
ProcessId | string | Identifies the process that generated the event. |
ProcessName | string | Full path and the name of the executable for the process. |
ProfilePath | string | Specifies a path to the account's profile. This value can be a null string, a local absolute path, or a UNC path. |
Properties | string | Depends on Object Type. This field can be empty or contain the list of the object properties that were accessed. |
ProtocolSequence | string | Information about the protocol used for an authentication attempt. |
ProxyPolicyName | string | Name of the policy that was used to configure the proxy server for connecting to the network. |
QuarantineHelpURL | string | URL that provides help with troubleshooting a network quarantine issue. |
QuarantineSessionID | string | Identifier of the session where the file was assessed for quarantine. |
QuarantineSessionIdentifier | string | Identifier of the session where the file was assessed for quarantine. |
QuarantineState | string | It shows whether the file is quarantined. |
QuarantineSystemHealthResult | string | Report that shows the status of the files that have been quarantined. |
RelativeTargetName | string | Relative name of the accessed target file or folder. This file-path is relative to the network share. If access was requested for the share itself, then this field appears as "". |
RemoteIpAddress | string | The IP address of the computer that initiated a remote connection. |
RemotePort | string | The port number of the remote computer that initiated a connection. |
Requester | string | The event requester identifier. |
RequestId | string | A unique identifier that's associated with particular requests, such as those made over HTTP. |
_ResourceId | string | A unique identifier for the resource that the record is associated with |
RestrictedAdminMode | string | Only populated for RemoteInteractive logon type sessions. This is a Yes/No flag indicating whether the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Windows 8.1/Windows Server 2012 R2, but this flag was added to the event in Windows 10. |
RowsDeleted | string | The number of rows that were deleted as a part of a particular operation. |
SamAccountName | string | Logon name for the account, used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). |
ScriptPath | string | Specifies the path of the account's logon script. |
SecurityDescriptor | string | Information about the security settings and permissions of a particular object or resource. |
ServiceAccount | string | The security context that the service will run as when started. |
ServiceFileName | string | Full path and file name of the executable for the installed service. |
ServiceName | string | The name of installed service. |
ServiceStartType | int | Contains information about how a particular service should be started, whether it should be started automatically or manually. |
ServiceType | string | Indicates the type of service that was registered with the Service Control Manager. |
SessionName | string | The name of the session to which the user was reconnected. |
ShareLocalPath | string | The local path of accessed network share. |
ShareName | string | The name of accessed network share. The format is: \\*\SHARE_NAME. |
SidHistory | string | Contains previous SIDs used for the object if the object was moved from another domain. |
SourceComputerId | string | Unique identifier assigned to the computer from which the event was collected. |
SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. |
Status | string | NTSTATUS code giving the reason why the logon failed, for example 0xC000006D (unknown user name or bad password) or 0xC0000234 (account locked out). The most common status codes are listed in 'Table 12. Windows logon status codes' of the Windows security auditing reference. |
StorageAccount | string | Sets the storage account access key. |
SubcategoryGuid | string | The unique GUID of changed subcategory. |
SubcategoryId | string | A unique identifier for a specific type of the event. |
Subject | string | Information about the security principal (for instance: user account) that initiated the event. |
SubjectAccount | string | Information about the account that is initiating the event. |
SubjectDomainName | string | Information about the domain or workgroup to which the subject account belongs. |
SubjectKeyIdentifier | string | A unique identifier for a particular certificate subject. |
SubjectLogonId | string | A unique identifier for the logon session associated with the subject account. |
SubjectMachineName | string | Information about the machine or system from which the event was created. |
SubjectMachineSID | string | The security identifier (SID) for the machine that generated the event. |
SubjectUserName | string | The name of the user account that generated the event. |
SubjectUserSid | string | The security identifier (SID) for the user account that generated the event. |
_SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
SubStatus | string | Additional information about the logon failure, for example 0xC0000064 (user name does not exist) or 0xC000006A (wrong password). The most common substatus codes are listed in 'Table 12. Windows logon status codes'. |
SystemProcessId | int | Identifies the process that generated the event. |
SystemThreadId | int | Identifies the thread that generated the event. |
SystemUserId | string | The ID of the user who is responsible for the event. |
TableId | string | The specific data table identifier the event data is stored in. |
TargetAccount | string | The account targeted by the event (user name, computer name, etc). |
TargetDomainName | string | The name of the domain that the target account belongs to. |
TargetInfo | string | Additional information about the event target (for example: the path to a file or folder, the name of a registry key, etc). |
TargetLinkedLogonId | string | Information that helps to link related events together by their logon attempt IDs. It can be useful in keeping all relevant events organized, tracking activity across multiple sessions, and identifying the attack source. |
TargetLogonGuid | string | A globally unique identifier (GUID) associated with the logon session related to the event. |
TargetLogonId | string | A unique identifier associated with the logon session related to the event. |
TargetOutboundDomainName | string | The domain that the account specified in the TargetAccount field was authenticated against during an outbound authentication attempt. |
TargetOutboundUserName | string | The name of the user account that was authenticated during an outbound authentication attempt. |
TargetServerName | string | The name of the server on which the new process was run. Has "localhost" value if the process was run locally. |
TargetSid | string | The security identifier (SID) of the target account or object of the event. |
TargetUser | string | The user account that is the target of the event (for process-creation events, the account under which the new process runs). |
TargetUserName | string | The name of the target user account: for logon events the account that logged on, for process-creation events the account under which the new process runs. |
TargetUserSid | string | The security identifier (SID) of the target user account or resource involved in the event. |
Task | int | The task defined in the event. |
TemplateContent | string | The content of the event message or notification in a structured form. |
TemplateDSObjectFQDN | string | FQDN of the DS object that represents the GPO template. |
TemplateInternalName | string | The internal name of the GPO template. |
TemplateOID | string | The unique identifier for the template that was used to create the event. |
TemplateSchemaVersion | string | Version of the template schema that defines the data to include with an event. |
TemplateVersion | string | Version of the template that defines the data to include with an event. |
TenantId | string | The Log Analytics workspace ID. |
TimeGenerated | datetime | The time stamp when the event was generated on the computer. |
TokenElevationType | string | Type of token that was assigned to a new process in accordance with User Account Control Policy. |
TransmittedServices | string | The list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user - most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx. |
Type | string | The name of the table |
UserAccountControl | string | Shows the list of changes in userAccountControl attribute. You will see a line of text for each change. |
UserParameters | string | If you change any setting using Active Directory Users and Computers management console in Dial-in tab of user's account properties, then you will see <value changed, but not displayed> in this field. For local accounts, this field is not applicable and always has <value not set> value. |
UserPrincipalName | string | Internet-style login name for the account, based on the Internet standard RFC 822. By convention this should map to the account's email name. |
UserWorkstations | string | Contains the list of NetBIOS or DNS names of the computers from which the user can logon. Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a computer object. |
VendorIds | string | 'Vendor Ids' attribute of device. To see device properties, start Device Manager, open specific device properties, and click 'Details'. |
Version | int | Contains the version number of the event's definition. |
VirtualAccount | string | A 'Yes' or 'No' flag, which indicates if the account is a virtual account (e.g., 'Managed Service Account'), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using 'NetworkService'. |
Workstation | string | The name of the machine that was used to perform the event. |
WorkstationName | string | Machine name from which a logon attempt was performed. |
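The following KQL query is an added example, not one of the page's sample queries and not Microsoft code. It pulls several of the columns above together for failed-logon triage: it decodes the NTSTATUS values in Status and SubStatus of event 4625, groups failures by IpAddress, WorkstationName and Computer, separates password spraying (many TargetUserName values from one source) from brute force (many attempts against few accounts), and joins successful network or RemoteInteractive logons (event 4624, LogonType 3 or 10) so a failure burst followed by a success from the same source is not lost. The lookback window, the thresholds and the status-code list are assumptions for the example; extend the list from 'Table 12. Windows logon status codes' as needed.

```kusto
// Added example (not from the reference page): failed-logon triage over SecurityEvent.
// The lookback, thresholds and status-code list below are assumptions for this example.
let lookback = 1h;
let threshold = 10;          // failures from one source before it is reported
let sprayAccounts = 5;       // distinct target accounts that make it a spray
// NTSTATUS codes seen in Status / SubStatus of event 4625 (lower-case hex).
let StatusText = datatable(Code:string, Meaning:string) [
    "0xc000006d", "Bad user name or password",
    "0xc000006a", "Wrong password",
    "0xc0000064", "User name does not exist",
    "0xc0000234", "Account locked out",
    "0xc0000072", "Account disabled",
    "0xc000006f", "Outside authorized logon hours",
    "0xc0000070", "Workstation restriction",
    "0xc0000071", "Password expired",
    "0xc0000193", "Account expired",
    "0xc0000133", "Clock skew too great"
];
// Successful network (3) and RDP (10) logons per source address, so a burst of
// failures that ends in a success from the same source is flagged, not filtered away.
let Successes = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)
    | summarize SucceededAccounts = make_set(TargetUserName, 10),
                FirstSuccess = min(TimeGenerated)
      by IpAddress;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625
// Status / SubStatus are stored as strings; normalize case before the lookup.
| extend StatusCode = tolower(Status), SubStatusCode = tolower(SubStatus)
| lookup kind=leftouter (StatusText | project StatusCode = Code, StatusMeaning = Meaning) on StatusCode
| lookup kind=leftouter (StatusText | project SubStatusCode = Code, SubStatusMeaning = Meaning) on SubStatusCode
| extend StatusReason = iff(isempty(StatusMeaning), "Unknown status", StatusMeaning),
         SubStatusReason = iff(isempty(SubStatusMeaning), "Unknown substatus", SubStatusMeaning)
// Machine accounts end with '$'; keep them out of the account counts.
| where TargetUserName !endswith "$"
| summarize Attempts = count(),
            DistinctAccounts = dcount(TargetUserName),
            Accounts = make_set(TargetUserName, 20),
            Reasons = make_set(strcat(StatusReason, " / ", SubStatusReason), 10),
            LogonTypes = make_set(LogonTypeName, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by IpAddress, WorkstationName, Computer
| extend Pattern = case(
    Attempts >= threshold and DistinctAccounts >= sprayAccounts, "Password spray",
    Attempts >= threshold, "Brute force",
    "Below threshold")
| where Pattern != "Below threshold"
| join kind=leftouter Successes on IpAddress
// A success that lands after the first failure from the same source is the case to chase first.
| extend FollowedBySuccess = isnotnull(FirstSuccess) and FirstSuccess > FirstSeen
| project FirstSeen, LastSeen, Pattern, Attempts, DistinctAccounts, IpAddress,
          WorkstationName, Computer, Accounts, Reasons, LogonTypes,
          FollowedBySuccess, SucceededAccounts
| order by FollowedBySuccess desc, Attempts desc
```

Grouping on IpAddress alone would merge console logons, which carry '-' in that column, into one bucket; WorkstationName and Computer keep those apart. The hex codes are compared in lower case because the strings in Status and SubStatus are not guaranteed to match the casing in your lookup list, and the 4624 join deliberately only covers LogonType 3 and 10 so local service and batch logons on the target host do not count as an attacker's success.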
