DynamicSummary
Azure Sentinel Dynamic Summary provides a security data storage to persist concentrated findings and summaries for hunting, investigation, search, detection. Summary description and detailed observables can be stored in Log Analytics for further analysis and report generation.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | - |
| Solutions | SecurityInsights |
| Basic log | No |
| Ingestion-time transformation | No |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| AzureTenantId | string | The AAD tenant ID to which this DynamicSummary table belongs. |
| _BilledSize | real | The record size in bytes |
| CreatedBy | dynamic | The JSON object with the user who created summary, including: object ID, email and name. |
| CreatedTimeUTC | datetime | The time (UTC) when the summary was created. |
| EventTimeUTC | datetime | The time (UTC) when the summary item occurred originally. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| ObservableType | string | Observables are stateful events ot properties that are related to the operation of computing system, which are helpful in identifying indicators of compromise. For example, login. |
| ObservableValue | string | Value for observable type, such as: anomalous RDP activity. |
| PackedContent | dynamic | The JSON object has packed columns which can be generated by using KQL pack_all(). |
| Query | string | This is the query that was used to generate the result. |
| QueryEndDate | datetime | Events that occurred before this datetime will be included in the result. |
| QueryStartDate | datetime | Events that occurred after this datetime will be included in the result. |
| RelationId | string | The original data source ID |
| RelationName | string | The original data source name. |
| SearchKey | string | SearchKey is used to optimize query performance when using DynamicSummary for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address. |
| SourceInfo | dynamic | The JSON object with the data producer info, including source, name, version. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SummaryDataType | string | This flag is used to tell if the record is either a summary level or a summary item level record. |
| SummaryDescription | string | The description provided by user. |
| SummaryId | string | Summary unique ID. |
| SummaryItemId | string | Summary item unique ID. |
| SummaryName | string | The Summary display name, unique within workspace. |
| SummaryStatus | string | Active or deleted. |
| Tactics | dynamic | MITRE ATT&CK tactics are what attackers are trying to achieve. For example, exfiltration. |
| Techniques | dynamic | MITRE ATT&CK techniques are how those tactics are accomplished. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) of when the event was ingested to Azure Monitor. |
| Type | string | The name of the table |
| UpdatedBy | dynamic | The JSON object with the user who updated summary, including: object ID, email and name. |
| UpdatedTimeUTC | datetime | The time (UTC) when the summary was updated. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for