WindowsEvent
Windows events which are collected and sent by the agent.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | CustomizedWindowsEventsFiltering, InternalWindowsEvent, SecurityInsights, WEFInternalUat, WEF_10x, WEF_10xDSRE, WinLog, WindowsEventForwarding |
| Basic log | No |
| Ingestion-time transformation | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| Channel | string | The channel to which the event was logged. |
| Computer | string | The name of the computer on which the event occurred. |
| Correlation | string | The activity identifiers that consumers can use to group related events together. |
| EventData | dynamic | Contains the event data parsed to dynamic type. If the parsing fails then this field will contain null and the RawEventData field will be populated. |
| EventID | int | The identifier that the provider used to identify the event. |
| EventLevel | int | Contains the severity level of the event. |
| EventLevelName | string | The rendered message string of the level specified in the event. |
| EventOriginId | string | VM ID obtained from the Azure Instance Metadata Service (IMDS). |
| EventRecordId | string | The record number assigned to the event when it was logged. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Keywords | string | A bitmask of the keywords defined in the event. |
| ManagementGroupName | string | Additional information based on the resource type. |
| Opcode | string | The opcode element is defined by the SystemPropertiesType complex type. |
| Provider | string | System Properties Type - Identifies the provider that logged the event. |
| RawEventData | string | The raw event XML when parsing fails. It's null when parsing successful. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| SystemProcessId | int | Identifies the process that generated the event. |
| SystemThreadId | int | Identifies the thread that generated the event. |
| SystemUserId | string | The ID of the user who is responsible for the event. |
| Task | int | The task defined in the event. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time stamp when the event was generated on the computer. |
| Type | string | The name of the table |
| Version | int | Contains the version number of the event's definition. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for