Microsoft Graph API 알림 로그 수집

다음에서 지원:

이 문서에서는 Google SecOps 피드를 통해 Microsoft Graph API 알림 로그를 Google Security Operations로 내보내는 방법과 Microsoft Graph API 알림 필드가 Google SecOps 통합 데이터 모델 (UDM) 필드에 매핑되는 방식을 설명합니다.

자세한 내용은 Google SecOps에 데이터 수집 개요를 참고하세요.

개요

일반적인 배포는 Microsoft Graph API 알림과 Google SecOps에 로그를 전송하도록 구성된 Google SecOps 피드로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다.

배포에는 다음 구성요소가 포함됩니다.

  • Microsoft Graph API 알림: Microsoft Graph API에서 생성하는 알림입니다.

  • Google SecOps 관리 피드 Microsoft Graph 제공업체 (Cloud)에서 로그를 가져오고 로그를 Google SecOps에 작성하는 Google SecOps 관리 피드입니다.

  • Google SecOps: Microsoft Graph API 알림 로그를 보관하고 분석합니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 MICROSOFT_GRAPH_ALERT 수집 라벨이 있는 파서에 적용됩니다.

시작하기 전에

Google SecOps 피드를 구성하기 전에 다음을 완료합니다.

  • Microsoft 365 E5에 대한 액세스 권한을 확인합니다.
  • 사용자 계정에 다음 Microsoft 365 권한을 추가합니다.
    • SecurityEvents.Read.All
    • SecurityAlert.ReadWrite.All
    • SecurityIncident.Read.All
    • SecurityIncident.ReadWrite.All
    • Directory.Read.All
    • AuditLog.Read.All
    • Application.Read.All
  • Microsoft Azure 앱 등록 세부정보에서 Oauth client id, Oauth client secret, Tenant id를 가져옵니다.

로그를 수집하도록 Google SecOps 피드 구성

처리 피드를 설정하려면 다음 단계를 따르세요.

  1. 설정을 클릭하고 피드로 이동합니다.
  2. 새로 추가를 클릭하고 다음 세부정보를 입력합니다.
    • 소스 유형Third Party API로 설정합니다.
    • 로그 유형Microsoft Graph API Alerts로 설정합니다.
  3. 다음을 클릭합니다.
  4. Oauth client id, Oauth client secret, Tenant id를 채웁니다.
  5. 피드를 만듭니다.
  6. 다음을 클릭한 후 제출을 클릭합니다.

문제가 발생하면 지원팀에 문의하세요. 자세한 내용은 Google Security Operations SIEM 지원팀으로부터 지원 받기를 참고하세요.

필드 매핑 참조

이 섹션에서는 Google SecOps 파서가 Microsoft Graph API 알림 필드를 Google SecOps UDM 필드에 매핑하는 방법을 설명합니다.

필드 매핑 참조: 이벤트 식별자에서 이벤트 유형으로

다음 표에는 MICROSOFT_GRAPH_ALERT 로그 유형과 해당 UDM 이벤트 유형이 나와 있습니다.

Event Identifier Event Type Security Category
Atypical travel USER_UNCATEGORIZED
Anomalous Token USER_RESOURCE_ACCESS
Default Mapping USER_UNCATEGORIZED
Malware linked IP address USER_LOGIN
Suspicious browser USER_UNCATEGORIZED
Unfamiliar sign-in properties USER_LOGIN
Malicious IP address USER_LOGIN
Suspicious inbox manipulation rules USER_UNCATEGORIZED
Password spray USER_UNCATEGORIZED AUTH_VIOLATION
Impossible travel USER_UNCATEGORIZED
New country USER_UNCATEGORIZED
Activity from anonymous IP address USER_UNCATEGORIZED
Suspicious inbox forwarding USER_UNCATEGORIZED
Mass Access to Sensitive Files USER_RESOURCE_ACCESS
Additional risk detected STATUS_UPDATE
Anonymous IP address USER_LOGIN
Admin confirmed user compromised USER_UNCATEGORIZED
Azure AD threat intelligence USER_UNCATEGORIZED
Possible attempt to access Primary Refresh Token (PRT) USER_RESOURCE_ACCESS
Verified threat actor IP USER_LOGIN
Microsoft Entra threat intelligence (sign-in) USER_UNCATEGORIZED
User reported suspicious activity USER_UNCATEGORIZED
Suspicious API Traffic USER_UNCATEGORIZED
Suspicious sending patterns USER_UNCATEGORIZED
Leaked credentials STATUS_UPDATE
Anomalous user activity USER_UNCATEGORIZED
'Phish' malware was prevented SCAN_HOST MAIL_PHISHING
'AutoItinject' malware was detected SCAN_HOST
'Agent' backdoor was detected SCAN_UNCATEGORIZED
A malicious file was detected based on indication provided by O365 SCAN_FILE
An active 'Wacatac' malware was blocked SCAN_UNCATEGORIZED
A suspicious file was observed SCAN_FILE
'AutoItinject' malware was prevented SCAN_HOST
'CoinMiner' unwanted software was prevented SCAN_HOST
Right-to-Left-Override (RLO) technique observed SCAN_FILE SOCIAL_ENGINEERING
Connection to a custom network indicator SCAN_UNCATEGORIZED
'Conteban' malware was detected SCAN_HOST SOFTWARE_PUA
EAF violation blocked by exploit protection SCAN_UNCATEGORIZED EXPLOIT
'EICAR_Test_File' malware was prevented SCAN_HOST SOFTWARE_MALICIOUS
'EncDoc' malware was prevented SCAN_HOST SOFTWARE_PUA
'Fuerboos' malware was detected SCAN_HOST SOFTWARE_PUA
'Laqma' malware was prevented SCAN_HOST SOFTWARE_PUA
'Locky' ransomware was prevented SCAN_HOST SOFTWARE_PUA
Microsoft Defender ATP detected 'Trojan.Generic.1218852' malware SCAN_UNCATEGORIZED SOFTWARE_MALICIOUS
'Oneeva' malware was prevented SCAN_HOST SOFTWARE_PUA
Password hashes dumped from LSASS memory USER_UNCATEGORIZED
'PiriformBundler' unwanted software was prevented SCAN_HOST SOFTWARE_PUA
'Presenoker' unwanted software was prevented SCAN_HOST SOFTWARE_PUA
Sensitive credential memory read SCAN_UNCATEGORIZED
Suspicious connection blocked by network protection SCAN_UNCATEGORIZED
Test_Set Auditpol SCAN_UNCATEGORIZED
Unsanctioned cloud app access was blocked SCAN_UNCATEGORIZED
'Uwamson' malware was prevented SCAN_HOST SOFTWARE_PUA
'CoinMiner' unwanted software was detected SCAN_HOST SOFTWARE_PUA
NT - Unknown process injecting dll into lsass or winlogon SCAN_UNCATEGORIZED
Suspected SID-History injection USER_CHANGE_PERMISSIONS
Suspected overpass-the-hash attack (Kerberos) NETWORK_UNCATEGORIZED
Account enumeration reconnaissance NETWORK_UNCATEGORIZED
Suspected Brute Force attack (LDAP) USER_LOGIN
Suspected DCSync attack (replication of directory services) NETWORK_UNCATEGORIZED
Network mapping reconnaissance (DNS) NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected over-pass-the-hash attack (forced encryption type) NETWORK_UNCATEGORIZED
Suspected Golden Ticket usage (encryption downgrade) USER_UNCATEGORIZED
Suspected Skeleton Key attack (encryption downgrade) NETWORK_UNCATEGORIZED
User and IP address reconnaissance (SMB) NETWORK_UNCATEGORIZED
Suspected Golden Ticket usage (forged authorization data) USER_UNCATEGORIZED
Honeytoken authentication activity USER_UNCATEGORIZED
Suspected identity theft (pass-the-hash) USER_UNCATEGORIZED DATA_EXFILTRATION
Suspected identity theft (pass-the-ticket) USER_UNCATEGORIZED EXPLOIT
Remote code execution attempt USER_UNCATEGORIZED
Malicious request of Data Protection API master key USER_UNCATEGORIZED
User and Group membership reconnaissance (SAMR) USER_UNCATEGORIZED
Suspected Golden Ticket usage (time anomaly) USER_UNCATEGORIZED
Suspected Brute Force attack (Kerberos, NTLM) USER_LOGIN
Suspicious additions to sensitive groups USER_CHANGE_PERMISSIONS
Suspicious VPN connection USER_UNCATEGORIZED
Suspicious service creation SERVICE_CREATION
Suspected Golden Ticket usage (nonexistent account) USER_UNCATEGORIZED
Suspected DCShadow attack (domain controller promotion) STATUS_UPDATE
Suspected DCShadow attack (domain controller replication request) STATUS_UPDATE
Data exfiltration over SMB STATUS_UPDATE DATA_EXFILTRATION
Suspicious communication over DNS NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected Golden Ticket usage (ticket anomaly) USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected Brute Force attack (SMB) NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected use of Metasploit hacking framework NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected WannaCry ransomware attack NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Remote code execution over DNS NETWORK_UNCATEGORIZED
Suspected NTLM relay attack NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Security principal reconnaissance (LDAP) STATUS_UPDATE
Suspected NTLM authentication tampering NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected Golden Ticket usage (ticket anomaly using RBCD) USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected rogue Kerberos certificate usage NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) STATUS_UPDATE NETWORK_SUSPICIOUS
Active Directory attributes reconnaissance (LDAP) STATUS_UPDATE
Suspected SMB packet manipulation (CVE-2020-0796 exploitation) STATUS_UPDATE
Suspected Kerberos SPN exposure NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected AS-REP Roasting attack NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected AD FS DKM key read STATUS_UPDATE
Exchange Server Remote Code Execution (CVE-2021-26855) STATUS_UPDATE
Suspected exploitation attempt on Windows Print Spooler service NETWORK_UNCATEGORIZED
Suspicious network connection over Encrypting File System Remote Protocol NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspected suspicious Kerberos ticket request STATUS_UPDATE
Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) STATUS_UPDATE
Suspected brute-force attack (Kerberos, NTLM) USER_UNCATEGORIZED AUTH_VIOLATION
Suspicious modification of the trust relationship of AD FS server SETTING_MODIFICATION
Suspicious modification of a dNSHostName attribute (CVE-2022-26923) SETTING_MODIFICATION
Suspicious Kerberos delegation attempt by a newly created computer NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspicious modification of the Resource Based Constrained Delegation attribute by a machine account SETTING_MODIFICATION
Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate USER_LOGIN
Suspicious certificate usage over Kerberos protocol (PKINIT) STATUS_UPDATE EXPLOIT
Suspected DFSCoerce attack using Distributed File System Protocol USER_LOGIN
Honeytoken user attributes modified SETTING_MODIFICATION
Honeytoken group membership changed GROUP_MODIFICATION
Honeytoken was queried via LDAP STATUS_UPDATE
Suspicious modification of domain AdminSdHolder SETTING_MODIFICATION
Suspected account takeover using shadow credentials USER_RESOURCE_ACCESS EXPLOIT
Suspicious Domain Controller certificate request (ESC8) STATUS_UPDATE
Suspicious deletion of the certificate database entries STATUS_UPDATE
Suspicious disable of audit filters of AD CS SETTING_MODIFICATION
Suspicious modifications to the AD CS security permissions/settings SETTING_MODIFICATION
Account Enumeration reconnaissance (LDAP) (Preview) STATUS_UPDATE
Directory Services Restore Mode Password Change (Preview) SETTING_MODIFICATION
Honeytoken was queried via SAM-R STATUS_UPDATE
User and group membership reconnaissance (SAMR) USER_RESOURCE_ACCESS
A potentially malicious URL click was detected USER_UNCATEGORIZED NETWORK_SUSPICIOUS
A user clicked through to a potentially malicious URL USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Admin Submission result completed STATUS_UPDATE
Admin triggered manual investigation of email EMAIL_TRANSACTION
Admin triggered user compromise investigation EMAIL_TRANSACTION
Administrative action submitted by an Administrator EMAIL_UNCATEGORIZED
Creation of forwarding/redirect rule USER_UNCATEGORIZED
eDiscovery search started or exported USER_UNCATEGORIZED
Email messages containing malicious file removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Email messages containing malicious URL removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Email messages containing malware removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Email messages containing phish URLs removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Email messages from a campaign removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Email messages removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Messages containing malicious entity not removed after delivery EMAIL_TRANSACTION MAIL_PHISHING
Email reported by user as malware or phish EMAIL_TRANSACTION MAIL_PHISHING
Email sending limit exceeded EMAIL_UNCATEGORIZED
Form blocked due to potential phishing attempt STATUS_UPDATE MAIL_PHISHING
Form flagged and confirmed as phishing STATUS_UPDATE MAIL_PHISHING
Messages have been delayed EMAIL_UNCATEGORIZED
Malware campaign detected after delivery EMAIL_TRANSACTION
Malware campaign detected and blocked EMAIL_TRANSACTION
Malware campaign detected in SharePoint and OneDrive STATUS_UPDATE
Malware not zapped because ZAP is disabled STATUS_UPDATE
Phish delivered due to an ETR override EMAIL_UNCATEGORIZED NETWORK_SUSPICIOUS
Phish delivered due to an IP allow policy EMAIL_TRANSACTION NETWORK_SUSPICIOUS
Phish not zapped because ZAP is disabled EMAIL_TRANSACTION NETWORK_SUSPICIOUS
Phish delivered due to tenant or user override1 EMAIL_TRANSACTION
Suspicious email forwarding activity EMAIL_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspicious email sending patterns detected EMAIL_UNCATEGORIZED EXPLOIT
Tenant Allow/Block List entry is about to expire STATUS_UPDATE
Tenant restricted from sending email EMAIL_UNCATEGORIZED
Tenant restricted from sending unprovisioned email EMAIL_UNCATEGORIZED
Unusual external user file activity FILE_UNCATEGORIZED NETWORK_SUSPICIOUS
Unusual volume of external file sharing FILE_UNCATEGORIZED NETWORK_SUSPICIOUS
Unusual volume of file deletion FILE_DELETION DATA_DESTRUCTION
Unusual increase in email reported as phish EMAIL_TRANSACTION NETWORK_SUSPICIOUS
User impersonation phish delivered to inbox/folder USER_UNCATEGORIZED NETWORK_SUSPICIOUS
User requested to release a quarantined message USER_UNCATEGORIZED
User restricted from sending email USER_UNCATEGORIZED
User restricted from sharing forms and collecting responses USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Elevation of Exchange admin privilege USER_UNCATEGORIZED
Activity by terminated user USER_UNCATEGORIZED ACL_VIOLATION
DLP-Detect Highly Sensitive Data Movement USER_UNCATEGORIZED NETWORK_MALICIOUS
DLP-Sensitive Data Movement USER_UNCATEGORIZED
Email reported by user as junk EMAIL_TRANSACTION
Suspicious massive data read USER_UNCATEGORIZED
Activity from infrequent country USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Malware detection USER_UNCATEGORIZED
Activity from anonymous IP addresses USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Ransomware activity USER_UNCATEGORIZED
Activity performed by terminated user USER_UNCATEGORIZED POLICY_VIOLATION
Activity from suspicious IP addresses USER_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspicious inbox forwarding EMAIL_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspicious inbox manipulation rules STATUS_UPDATE NETWORK_SUSPICIOUS
Suspicious email deletion activity EMAIL_UNCATEGORIZED NETWORK_SUSPICIOUS
Suspicious OAuth app file download activities SCAN_HOST
Unusual ISP for an OAuth App NETWORK_UNCATEGORIZED SOFTWARE_PUA
Unusual multiple file download activities USER_UNCATEGORIZED
Unusual file share activities USER_UNCATEGORIZED
Unusual file deletion activities USER_UNCATEGORIZED
Unusual impersonated activities USER_UNCATEGORIZED
Unusual administrative activities USER_UNCATEGORIZED
Unusual Power BI report sharing activities (preview) USER_UNCATEGORIZED
Unusual multiple VM creation activities (preview) USER_UNCATEGORIZED
Unusual multiple storage deletion activities (preview) USER_UNCATEGORIZED
Unusual region for cloud resource (preview) USER_UNCATEGORIZED
Unusual file access USER_UNCATEGORIZED
Multiple failed login attempts USER_LOGIN AUTH_VIOLATION
Data exfiltration to unsanctioned apps USER_UNCATEGORIZED DATA_EXFILTRATION
Multiple delete VM activities USER_UNCATEGORIZED DATA_DESTRUCTION
Misleading OAuth app name SCAN_UNCATEGORIZED POLICY_VIOLATION
Misleading publisher name for an OAuth app SCAN_UNCATEGORIZED POLICY_VIOLATION
Malicious OAuth app consent SCAN_UNCATEGORIZED
Activity from a TOR IP address USER_LOGIN ACL_VIOLATION
Impossible travel activity USER_UNCATEGORIZED POLICY_VIOLATION
Activity from Nigeria USER_UNCATEGORIZED POLICY_VIOLATION
Activity from an anonymous proxy USER_UNCATEGORIZED
Block download based on real-time content inspection USER_UNCATEGORIZED
Investigation priority score increase USER_UNCATEGORIZED
Mass delete USER_UNCATEGORIZED DATA_DESTRUCTION
Mass download by a single user - External users USER_RESOURCE_ACCESS
Mass download by a single user - Internal USER_RESOURCE_ACCESS
Mass share USER_UNCATEGORIZED
Multiple Power BI report sharing activities USER_UNCATEGORIZED
New high upload volume app STATUS_UPDATE POLICY_VIOLATION
New high volume app STATUS_UPDATE POLICY_VIOLATION
New risky app STATUS_UPDATE POLICY_VIOLATION
Ransomware activity USER_UNCATEGORIZED
Suspicious administrative activity USER_RESOURCE_ACCESS
Unknown login to Exchange Online USER_UNCATEGORIZED
Unusual addition of credentials to an OAuth app USER_RESOURCE_ACCESS
Tracking Online Meeting App Usage STATUS_UPDATE
Mass download by a single user USER_UNCATEGORIZED
Mass download USER_UNCATEGORIZED
New popular app STATUS_UPDATE POLICY_VIOLATION
Compromised account STATUS_UPDATE
New admin user STATUS_UPDATE
New location STATUS_UPDATE
Inactive account STATUS_UPDATE
Ransomware activity USER_UNCATEGORIZED
Unexpected admin location STATUS_UPDATE
Suspicious activity alert STATUS_UPDATE
Suspicious cloud use alert STATUS_UPDATE
Activity policy violation STATUS_UPDATE POLICY_VIOLATION
File policy violation STATUS_UPDATE POLICY_VIOLATION
Proxy policy violation STATUS_UPDATE POLICY_VIOLATION
Field policy violation STATUS_UPDATE POLICY_VIOLATION
New service discovered STATUS_UPDATE
Use of personal account STATUS_UPDATE
Failed logon attempts USER_UNCATEGORIZED
Anomalous SSH login detected USER_LOGIN
Identity - Suspicious granting of permissions to an account USER_CHANGE_PERMISSIONS
Endpoint - NT - Suspicious Oracle Query - Attempted Password Hash Exfiltration USER_UNCATEGORIZED DATA_EXFILTRATION
Suspicious Resource deployment USER_RESOURCE_ACCESS
Endpoint - NT - Anomalous BITS download URL destination - Rule STATUS_UPDATE
Azure High Risk User account - Signin USER_LOGIN
Azure VWAN Tunnel Down - Run the RRAS Scrip STATUS_UPDATE
Brute force attack against Azure Portal USER_LOGIN
Changes made to AWS CloudTrail logs STATUS_UPDATE
Endpoint - NT - A .js file executed inside zip archive. Locky - Rule STATUS_UPDATE
Endpoint - NT - New service created with anomalous name and ImagePath under users. - Rul SERVICE_CREATION
Endpoint - NT - New service created with possibly obfuscated powershell commandline ImagePath - Rule SERVICE_CREATION
Endpoint - NT - Powershell CommandLine Longer than 2000 Characters USER_UNCATEGORIZED
Endpoint - NT - Scheduled task created with anomalous location under user profile - Rule SCHEDULED_TASK_CREATION
Failed AzureAD logons but success logon to AWS Console USER_UNCATEGORIZED
General Policy - Deny Prior Threats USER_UNCATEGORIZED
High count of failed attempts from same client IP USER_UNCATEGORIZED
High count of failed logons by a user USER_UNCATEGORIZED
High Risk Travel Alert USER_UNCATEGORIZED
Identity - AD user created password not set with 24-48 hours USER_UNCATEGORIZED
Identity - Attempts to sign in to disabled accounts USER_LOGIN
Identity - Attempt to bypass conditional access rule in Azure AD USER_UNCATEGORIZED
Identity - New user created and added to the built-in administrators group USER_CREATION
Identity - NT - Pulse VPN Brute Force Attempt USER_UNCATEGORIZED
Identity - User account created and deleted within 10 mins USER_UNCATEGORIZED
Login to AWS Management Console without MFA STATUS_UPDATE
Monitor AWS Credential abuse or hijacking STATUS_UPDATE
Network - FirepowerAlertTest STATUS_UPDATE
Network - NT - Email detected from tiscali.it may be part of phishing campaign - Rule EMAIL_UNCATEGORIZED
Network - NT - Phishing attachment delivered - Rule EMAIL_UNCATEGORIZED
Network - NT - Phishing Link Clicked EMAIL_UNCATEGORIZED
Network - NT - Malware attachment delivered - Rule EMAIL_UNCATEGORIZED
Network - NT - Possible Ursnif/Gozi Phish EMAIL_UNCATEGORIZED
Network - NT - Recently Created Domain Referenced in Inbound Email EMAIL_UNCATEGORIZED
Network - NT - Sender Domain in Inbound Email Recently Created EMAIL_UNCATEGORIZED
Network - NT - StealthWatch Detected a Concerning Host STATUS_UPDATE
Network - Rare RDP Connections NETWORK_UNCATEGORIZED
Network - SSH Potential Brute Force USER_LOGIN
NT - Anomalous attempt to reset Domain Admin or Enterprise Admin account password USER_UNCATEGORIZED
NTC3 Testing Rule AR466 STATUS_UPDATE
NT - Degraded Workspace Performance Warning, Last 4 hours STATUS_UPDATE
NT - LogSource Increasing or Decreasing over Last 4 Hour STATUS_UPDATE
NT - StealthWatch Detected Potential Exploitation Activity STATUS_UPDATE
NT - Usage of jsc.exe. Possible malware recompilation on endpoint - Endpoint STATUS_UPDATE
Sign-ins from IPs that attempt sign-ins to disabled accounts STATUS_UPDATE
Test Endpoint - MDATP Machine Isolated Test USER_UNCATEGORIZED
Test- Security Event log Deleted/Cleared USER_UNCATEGORIZED
Network - NT - Malware url delivered - Rule STATUS_UPDATE
Endpoint - NT - New service created with anomalous name and ImagePath under users. - Rule STATUS_UPDATE
A logon from a malicious IP has been detected. [seen multiple times] USER_LOGIN NETWORK_MALICIOUS
Adaptive application control policy violation was audited STATUS_UPDATE POLICY_VIOLATION
Addition of Guest account to Local Administrators group GROUP_MODIFICATION
An event log was cleared STATUS_UPDATE
Antimalware Action Failed STATUS_UPDATE
Antimalware Action Taken STATUS_UPDATE
Antimalware broad files exclusion in your virtual machine STATUS_UPDATE
Antimalware disabled and code execution in your virtual machine STATUS_UPDATE
Antimalware disabled in your virtual machine STATUS_UPDATE
Antimalware file exclusion and code execution in your virtual machine STATUS_UPDATE
Antimalware file exclusion in your virtual machine STATUS_UPDATE
Antimalware real-time protection was disabled in your virtual machine STATUS_UPDATE
Antimalware real-time protection was disabled temporarily in your virtual machine STATUS_UPDATE
Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine STATUS_UPDATE
Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine (Preview) STATUS_UPDATE
Antimalware temporarily disabled in your virtual machine STATUS_UPDATE
Antimalware unusual file exclusion in your virtual machine STATUS_UPDATE
Communication with suspicious domain identified by threat intelligence STATUS_UPDATE
Detected actions indicative of disabling and deleting IIS log files FILE_MODIFICATION
Detected anomalous mix of upper and lower case characters in command-line PROCESS_UNCATEGORIZED
Detected change to a registry key that can be abused to bypass UAC REGISTRY_MODIFICATION
Detected decoding of an executable using built-in certutil.exe tool PROCESS_UNCATEGORIZED
Detected enabling of the WDigest UseLogonCredential registry key REGISTRY_MODIFICATION
Detected encoded executable in command line data PROCESS_UNCATEGORIZED
Detected obfuscated command line PROCESS_UNCATEGORIZED
Detected possible execution of keygen executable PROCESS_UNCATEGORIZED
Detected possible execution of malware dropper STATUS_UPDATE
Detected possible local reconnaissance activity PROCESS_UNCATEGORIZED
Detected potentially suspicious use of Telegram tool DEVICE_PROGRAM_DOWNLOAD SOFTWARE_SUSPICIOUS
Detected suppression of legal notice displayed to users at logon REGISTRY_MODIFICATION
Detected suspicious combination of HTA and PowerShell PROCESS_UNCATEGORIZED
Detected suspicious commandline arguments PROCESS_UNCATEGORIZED
Detected suspicious commandline used to start all executables in a directory PROCESS_UNCATEGORIZED
Detected suspicious credentials in commandline PROCESS_UNCATEGORIZED
Detected suspicious document credentials PROCESS_UNCATEGORIZED
Detected suspicious execution of VBScript.Encode command PROCESS_UNCATEGORIZED
Detected suspicious execution via rundll32.exe PROCESS_UNCATEGORIZED
Detected suspicious file cleanup commands PROCESS_UNCATEGORIZED
Detected suspicious file creation FILE_CREATION
Detected suspicious named pipe communications PROCESS_UNCATEGORIZED
Detected suspicious network activity NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Detected suspicious new firewall rule DEVICE_CONFIG_UPDATE NETWORK_SUSPICIOUS
Detected suspicious use of Cacls to lower the security state of the system PROCESS_UNCATEGORIZED
Detected suspicious use of FTP -s Switch PROCESS_UNCATEGORIZED
Detected suspicious use of Pcalua.exe to launch executable code PROCESS_UNCATEGORIZED
Detected the disabling of critical services PROCESS_UNCATEGORIZED
Digital currency mining related behavior detected PROCESS_UNCATEGORIZED
Dynamic PS script construction PROCESS_UNCATEGORIZED
Executable found running from a suspicious location PROCESS_UNCATEGORIZED
Fileless attack behavior detected PROCESS_UNCATEGORIZED
Fileless attack technique detected PROCESS_UNCATEGORIZED
Fileless attack toolkit detected PROCESS_UNCATEGORIZED
High risk software detected STATUS_UPDATE
Local Administrators group members were enumerated GROUP_MODIFICATION
Malicious firewall rule created by ZINC server implant [seen multiple times] SETTING_MODIFICATION
Malicious SQL activity PROCESS_UNCATEGORIZED
Multiple Domain Accounts Queried STATUS_UPDATE
Possible credential dumping detected [seen multiple times] STATUS_UPDATE
Potential attempt to bypass AppLocker detected PROCESS_UNCATEGORIZED
Rare SVCHOST service group executed USER_UNCATEGORIZED
Sticky keys attack detected STATUS_UPDATE
Successful brute force attack USER_LOGIN
Suspect integrity level indicative of RDP hijacking PROCESS_PRIVILEGE_ESCALATION
Suspect service installation SERVICE_CREATION
Suspected Kerberos Golden Ticket attack parameters observed STATUS_UPDATE
Suspicious Account Creation Detected USER_CREATION
Suspicious Activity Detected PROCESS_INJECTION
Suspicious authentication activity USER_RESOURCE_ACCESS
Suspicious code segment detected STATUS_UPDATE
Suspicious double extension file executed PROCESS_UNCATEGORIZED
Suspicious download using Certutil detected [seen multiple times] PROCESS_UNCATEGORIZED
Suspicious download using Certutil detected PROCESS_UNCATEGORIZED
Suspicious PowerShell Activity Detected PROCESS_UNCATEGORIZED
Suspicious PowerShell cmdlets executed PROCESS_UNCATEGORIZED
Suspicious process executed [seen multiple times] PROCESS_UNCATEGORIZED
Suspicious process executed PROCESS_UNCATEGORIZED
Suspicious process name detected [seen multiple times] PROCESS_UNCATEGORIZED
Suspicious process name detected PROCESS_UNCATEGORIZED
Suspicious SQL activity PROCESS_UNCATEGORIZED
Suspicious SVCHOST process executed PROCESS_UNCATEGORIZED
Suspicious system process executed PROCESS_UNCATEGORIZED
Suspicious Volume Shadow Copy Activity RESOURCE_DELETION
Suspicious WindowPosition registry value detected REGISTRY_MODIFICATION
Suspiciously named process detected PROCESS_UNCATEGORIZED
Unusual config reset in your virtual machine SETTING_MODIFICATION
Unusual process execution detected PROCESS_UNCATEGORIZED
Unusual user password reset in your virtual machine USER_CHANGE_PASSWORD
Unusual user SSH key reset in your virtual machine STATUS_UPDATE
VBScript HTTP object allocation detected FILE_CREATION
Suspicious installation of GPU extension in your virtual machine (Preview) SERVICE_CREATION
A history file has been cleared STATUS_UPDATE
Behavior similar to ransomware detected [seen multiple times] SCAN_UNCATEGORIZED
Container with a miner image detected SCAN_UNCATEGORIZED
Detected anomalous mix of upper and lower case characters in command line PROCESS_UNCATEGORIZED
Detected file download from a known malicious source SCAN_UNCATEGORIZED
Disabling of auditd logging [seen multiple times] STATUS_UPDATE
Exploitation of Xorg vulnerability [seen multiple times] STATUS_UPDATE
Failed SSH brute force attack USER_LOGIN
Hidden file execution detected PROCESS_UNCATEGORIZED
New SSH key added [seen multiple times] SETTING_MODIFICATION
New SSH key added SETTING_MODIFICATION
Possible backdoor detected [seen multiple times] FILE_UNCATEGORIZED
Possible exploitation of the mailserver detected SCAN_UNCATEGORIZED
Possible malicious web shell detected SCAN_UNCATEGORIZED
Possible password change using crypt-method detected [seen multiple times] USER_CHANGE_PASSWORD
Process associated with digital currency mining detected [seen multiple times] PROCESS_UNCATEGORIZED
Process associated with digital currency mining detected PROCESS_UNCATEGORIZED
Python encoded downloader detected [seen multiple times] SCAN_UNCATEGORIZED
Screenshot taken on host [seen multiple times] STATUS_UPDATE
Shellcode detected [seen multiple times] PROCESS_UNCATEGORIZED
Successful SSH brute force attack USER_LOGIN
Suspicious kernel module detected [seen multiple times] PROCESS_MODULE_LOAD
Suspicious password access [seen multiple times] STATUS_UPDATE
Suspicious password access STATUS_UPDATE
Suspicious request to the Kubernetes Dashboard STATUS_UPDATE
Anomalous network protocol usage NETWORK_UNCATEGORIZED
Anonymity network activity NETWORK_UNCATEGORIZED
Anonymity network activity using web proxy NETWORK_UNCATEGORIZED
Attempted communication with suspicious sinkholed domain NETWORK_UNCATEGORIZED
Communication with possible phishing domain NETWORK_UNCATEGORIZED
Communication with suspicious algorithmically generated domain NETWORK_UNCATEGORIZED
Communication with suspicious random domain name NETWORK_UNCATEGORIZED
Digital currency mining activity NETWORK_UNCATEGORIZED
Network intrusion detection signature activation NETWORK_UNCATEGORIZED
Possible data download via DNS tunnel NETWORK_UNCATEGORIZED
Possible data exfiltration via DNS tunnel NETWORK_UNCATEGORIZED DATA_EXFILTRATION
Possible data transfer via DNS tunnel NETWORK_UNCATEGORIZED
Suspicious failure installing GPU extension in your subscription (Preview) SCAN_UNCATEGORIZED
Suspicious installation of a GPU extension was detected on your virtual machine (Preview) SCAN_UNCATEGORIZED
Run Command with a suspicious script was detected on your virtual machine (Preview) PROCESS_UNCATEGORIZED
Suspicious unauthorized Run Command usage was detected on your virtual machine (Preview) PROCESS_UNCATEGORIZED
Suspicious Run Command usage was detected on your virtual machine (Preview) PROCESS_UNCATEGORIZED
Suspicious usage of multiple monitoring or data collection extensions was detected on your virtual machines (Preview) SCAN_UNCATEGORIZED
Suspicious installation of disk encryption extensions was detected on your virtual machines (Preview) SCAN_UNCATEGORIZED
Suspicious usage of VMAccess extension was detected on your virtual machines (Preview) SCAN_UNCATEGORIZED
Desired State Configuration (DSC) extension with a suspicious script was detected on your virtual machine (Preview) PROCESS_UNCATEGORIZED
Suspicious usage of a Desired State Configuration (DSC) extension was detected on your virtual machines (Preview) PROCESS_UNCATEGORIZED
Custom script extension with a suspicious script was detected on your virtual machine (Preview) PROCESS_UNCATEGORIZED
Suspicious failed execution of custom script extension in your virtual machine PROCESS_UNCATEGORIZED
Unusual deletion of custom script extension in your virtual machine PROCESS_UNCATEGORIZED
Unusual execution of custom script extension in your virtual machine PROCESS_UNCATEGORIZED
Custom script extension with suspicious entry-point in your virtual machine PROCESS_UNCATEGORIZED
Custom script extension with suspicious payload in your virtual machine PROCESS_UNCATEGORIZED
An attempt to run Linux commands on a Windows App Service PROCESS_UNCATEGORIZED
An IP that connected to your Azure App Service FTP Interface was found in Threat Intelligence NETWORK_UNCATEGORIZED
Attempt to run high privilege command detected PROCESS_UNCATEGORIZED
Connection to web page from anomalous IP address detected SCAN_NETWORK
Dangling DNS record for an App Service resource detected RESOURCE_DELETION
Detected suspicious file download SCAN_UNCATEGORIZED
Executable decoded using certutil PROCESS_UNCATEGORIZED
Microsoft Defender for Cloud test alert for App Service (not a threat) STATUS_UPDATE
NMap scanning detected SCAN_UNCATEGORIZED
Phishing content hosted on Azure Webapps SCAN_UNCATEGORIZED
PHP file in upload folder SCAN_UNCATEGORIZED
Possible Cryptocoinminer download detected SCAN_UNCATEGORIZED
Possible data exfiltration detected NETWORK_UNCATEGORIZED DATA_EXFILTRATION
Potential dangling DNS record for an App Service resource detected RESOURCE_DELETION
Potential reverse shell detected SCAN_UNCATEGORIZED
Raw data download detected SCAN_UNCATEGORIZED
Saving curl output to disk detected PROCESS_UNCATEGORIZED
Spam folder referrer detected SCAN_UNCATEGORIZED
Suspicious access to possibly vulnerable web page detected SCAN_UNCATEGORIZED
Suspicious domain name reference SCAN_UNCATEGORIZED
Suspicious PHP execution detected SCAN_UNCATEGORIZED
Suspicious User Agent detected SCAN_UNCATEGORIZED
Suspicious WordPress theme invocation detected SCAN_UNCATEGORIZED
Vulnerability scanner detected SCAN_UNCATEGORIZED
Web fingerprinting detected SCAN_UNCATEGORIZED
Website is tagged as malicious in threat intelligence feed STATUS_UPDATE
Exposed Postgres service with trust authentication configuration in Kubernetes detected (Preview) SCAN_UNCATEGORIZED
Exposed Postgres service with risky configuration in Kubernetes detected (Preview) SCAN_UNCATEGORIZED
Attempt to create a new Linux namespace from a container detected SCAN_UNCATEGORIZED
Abnormal activity of managed identity associated with Kubernetes (Preview) SCAN_UNCATEGORIZED
Abnormal Kubernetes service account operation detected SCAN_UNCATEGORIZED
An uncommon connection attempt detected SCAN_UNCATEGORIZED
Attempt to stop apt-daily-upgrade.timer service detected SCAN_UNCATEGORIZED
Behavior similar to common Linux bots detected (Preview) SCAN_UNCATEGORIZED
Command within a container running with high privileges STATUS_UPDATE
Container running in privileged mode STATUS_UPDATE
Container with a sensitive volume mount detected SCAN_UNCATEGORIZED
CoreDNS modification in Kubernetes detected SCAN_UNCATEGORIZED
Creation of admission webhook configuration detected SCAN_UNCATEGORIZED
Detected suspicious use of the nohup command SCAN_UNCATEGORIZED
Detected suspicious use of the useradd command SCAN_UNCATEGORIZED
Digital currency mining container detected SCAN_UNCATEGORIZED
Docker build operation detected on a Kubernetes node SCAN_UNCATEGORIZED
Exposed Kubeflow dashboard detected SCAN_UNCATEGORIZED
Exposed Kubernetes dashboard detected SCAN_UNCATEGORIZED
Exposed Kubernetes service detected SCAN_UNCATEGORIZED
Exposed Redis service in AKS detected SCAN_UNCATEGORIZED
Indicators associated with DDOS toolkit detected SCAN_UNCATEGORIZED
K8S API requests from proxy IP address detected SCAN_UNCATEGORIZED
Kubernetes events deleted STATUS_UPDATE
Kubernetes penetration testing tool detected SCAN_UNCATEGORIZED
Microsoft Defender for Cloud test alert (not a threat). STATUS_UPDATE
New container in the kube-system namespace detected SCAN_UNCATEGORIZED
New high privileges role detected SCAN_UNCATEGORIZED
Possible attack tool detected SCAN_UNCATEGORIZED
Possible backdoor detected SCAN_UNCATEGORIZED
Possible command line exploitation attempt SCAN_UNCATEGORIZED
Possible credential access tool detected SCAN_UNCATEGORIZED
Possible Log Tampering Activity Detected SCAN_UNCATEGORIZED
Possible password change using crypt-method detected SCAN_UNCATEGORIZED
Potential port forwarding to external IP address SCAN_UNCATEGORIZED
Privileged container detected SCAN_UNCATEGORIZED
Process seen accessing the SSH authorized keys file in an unusual way FILE_READ
Role binding to the cluster-admin role detected SCAN_UNCATEGORIZED
Security-related process termination detected PROCESS_TERMINATION
SSH server is running inside a container STATUS_UPDATE
Suspicious file timestamp modification STATUS_UPDATE
Suspicious request to Kubernetes API STATUS_UPDATE
Potential crypto coin miner started STATUS_UPDATE
Possible malicious web shell detected. SCAN_UNCATEGORIZED
Burst of multiple reconnaissance commands could indicate initial activity after compromise STATUS_UPDATE
Suspicious Download Then Run Activity STATUS_UPDATE
Access to kubelet kubeconfig file detected SCAN_UNCATEGORIZED
Access to cloud metadata service detected SCAN_UNCATEGORIZED
MITRE Caldera agent detected SCAN_UNCATEGORIZED
A possible vulnerability to SQL Injection USER_RESOURCE_ACCESS EXPLOIT
Attempted logon by a potentially harmful application USER_LOGIN
Log on from an unusual Azure Data Center USER_LOGIN
Log on from an unusual location USER_LOGIN
Login from a principal user not seen in 60 days USER_LOGIN
Login from a domain not seen in 60 days USER_LOGIN
Login from a suspicious IP USER_LOGIN
Potential SQL injection USER_RESOURCE_ACCESS EXPLOIT
Suspected brute force attack using a valid user USER_LOGIN
Suspected brute force attack USER_LOGIN
Suspected successful brute force attack USER_LOGIN
SQL Server potentially spawned a Windows command shell and accessed an abnormal external source PROCESS_UNCATEGORIZED
Unusual payload with obfuscated parts has been initiated by SQL Server STATUS_UPDATE
Logon from an unusual cloud provider USER_LOGIN
Azure Resource Manager operation from suspicious IP address NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
Azure Resource Manager operation from suspicious proxy IP address NETWORK_UNCATEGORIZED NETWORK_SUSPICIOUS
MicroBurst exploitation toolkit used to enumerate resources in your subscriptions PROCESS_UNCATEGORIZED
MicroBurst exploitation toolkit used to execute code on your virtual machine PROCESS_UNCATEGORIZED
MicroBurst exploitation toolkit used to extract keys from your Azure key vaults PROCESS_UNCATEGORIZED
MicroBurst exploitation toolkit used to extract keys to your storage accounts PROCESS_UNCATEGORIZED
MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults PROCESS_UNCATEGORIZED
PowerZure exploitation toolkit used to elevate access from Azure AD to Azure STATUS_UPDATE
PowerZure exploitation toolkit used to enumerate resources RESOURCE_READ
PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables RESOURCE_READ
PowerZure exploitation toolkit used to execute a Runbook in your subscription STATUS_UPDATE
PowerZure exploitation toolkit used to extract Runbooks content STATUS_UPDATE
PREVIEW - Azurite toolkit run detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious creation of compute resources detected RESOURCE_CREATION
PREVIEW - Suspicious key vault recovery detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious management session using an inactive account detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Credential Access' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Data Collection' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Defense Evasion' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Execution' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Impact' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Initial Access' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Lateral Movement Access' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'persistence' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious invocation of a high-risk 'Privilege Escalation' operation by a service principal detected SCAN_UNCATEGORIZED
PREVIEW - Suspicious management session using PowerShell detected SCAN_UNCATEGORIZED
PREVIEW â€" Suspicious management session using Azure portal detected SCAN_UNCATEGORIZED
Privileged custom role created for your subscription in a suspicious way (Preview) SCAN_UNCATEGORIZED
Suspicious Azure role assignment detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Credential Access' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Data Collection' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Defense Evasion' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Execution' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Impact' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Initial Access' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Lateral Movement' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious elevate access operation (Preview)(ARM_AnomalousElevateAccess) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Persistence' operation detected (Preview) SCAN_UNCATEGORIZED
Suspicious invocation of a high-risk 'Privilege Escalation' operation detected (Preview) SCAN_UNCATEGORIZED
Usage of MicroBurst exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials PROCESS_UNCATEGORIZED
Usage of NetSPI techniques to maintain persistence in your Azure environment SCAN_UNCATEGORIZED
Usage of PowerZure exploitation toolkit to run an arbitrary code or exfiltrate Azure Automation account credentials SCAN_UNCATEGORIZED
Usage of PowerZure function to maintain persistence in your Azure environment SCAN_UNCATEGORIZED
Suspicious classic role assignment detected (Preview) RESOURCE_PERMISSIONS_CHANGE
Access from a suspicious application USER_RESOURCE_ACCESS EXPLOIT
Access from a suspicious IP address USER_RESOURCE_ACCESS
Phishing content hosted on a storage account STATUS_UPDATE
Storage account identified as source for distribution of malware STATUS_UPDATE
The access level of a potentially sensitive storage blob container was changed to allow unauthenticated public access RESOURCE_PERMISSIONS_CHANGE
Authenticated access from a Tor exit node USER_RESOURCE_ACCESS
Access from an unusual location to a storage account USER_RESOURCE_ACCESS
Unusual unauthenticated access to a storage container USER_RESOURCE_ACCESS
Potential malware uploaded to a storage account STATUS_UPDATE
Publicly accessible storage containers successfully discovered STATUS_UPDATE
Publicly accessible storage containers unsuccessfully scanned STATUS_UPDATE
Unusual access inspection in a storage account USER_RESOURCE_ACCESS
Unusual amount of data extracted from a storage account STATUS_UPDATE
Unusual application accessed a storage account USER_RESOURCE_ACCESS
Unusual data exploration in a storage account STATUS_UPDATE
Unusual deletion in a storage account STATUS_UPDATE
Unusual unauthenticated public access to a sensitive blob container (Preview) USER_RESOURCE_ACCESS
Unusual amount of data extracted from a sensitive blob container (Preview) STATUS_UPDATE
Unusual number of blobs extracted from a sensitive blob container (Preview) STATUS_UPDATE
Access from a known suspicious application to a sensitive blob container (Preview) USER_RESOURCE_ACCESS
Access from a known suspicious IP address to a sensitive blob container (Preview) USER_RESOURCE_ACCESS
Access from a Tor exit node to a sensitive blob container (Preview) USER_RESOURCE_ACCESS
Access from an unusual location to a sensitive blob container (Preview) USER_RESOURCE_ACCESS
The access level of a sensitive storage blob container was changed to allow unauthenticated public access (Preview) RESOURCE_PERMISSIONS_CHANGE
Suspicious external access to an Azure storage account with overly permissive SAS token (Preview) USER_RESOURCE_ACCESS
Suspicious external operation to an Azure storage account with overly permissive SAS token (Preview) USER_RESOURCE_ACCESS
Unusual SAS token was used to access an Azure storage account from a public IP address (Preview) USER_RESOURCE_ACCESS
Malicious file uploaded to storage account STATUS_UPDATE
Malicious blob was downloaded from a storage account (Preview) STATUS_UPDATE
Access from a Tor exit node USER_RESOURCE_ACCESS
Access from a suspicious IP USER_RESOURCE_ACCESS
Access from an unusual location USER_RESOURCE_ACCESS
Unusual volume of data extracted STATUS_UPDATE
Extraction of Azure Cosmos DB accounts keys via a potentially malicious script STATUS_UPDATE
Suspicious extraction of Azure Cosmos DB account keys (AzureCosmosDB_SuspiciousListKeys.SuspiciousPrincipal) STATUS_UPDATE
SQL injection: potential data exfiltration STATUS_UPDATE EXPLOIT
SQL injection: fuzzing attempt STATUS_UPDATE EXPLOIT
Network communication with a malicious machine detected NETWORK_UNCATEGORIZED
Possible compromised machine detected NETWORK_UNCATEGORIZED
Possible incoming %{Service Name} brute force attempts detected NETWORK_UNCATEGORIZED
Possible incoming SQL brute force attempts detected NETWORK_UNCATEGORIZED
Possible outgoing denial-of-service attack detected NETWORK_UNCATEGORIZED NETWORK_DENIAL_OF_SERVICE
Suspicious incoming RDP network activity from multiple sources NETWORK_UNCATEGORIZED
Suspicious incoming RDP network activity NETWORK_UNCATEGORIZED
Suspicious incoming SSH network activity from multiple sources NETWORK_UNCATEGORIZED
Suspicious incoming SSH network activity NETWORK_UNCATEGORIZED
Suspicious outgoing %{Attacked Protocol} traffic detected NETWORK_UNCATEGORIZED
Suspicious outgoing RDP network activity to multiple destinations NETWORK_UNCATEGORIZED
Suspicious outgoing RDP network activity NETWORK_UNCATEGORIZED
Suspicious outgoing SSH network activity to multiple destinations NETWORK_UNCATEGORIZED
Suspicious outgoing SSH network activity NETWORK_UNCATEGORIZED
Traffic detected from IP addresses recommended for blocking SCAN_NETWORK
Access from a suspicious IP address to a key vault USER_RESOURCE_ACCESS
Access from a TOR exit node to a key vault USER_RESOURCE_ACCESS
High volume of operations in a key vault USER_UNCATEGORIZED
Suspicious policy change and secret query in a key vault USER_UNCATEGORIZED
Suspicious secret listing and query in a key vault USER_UNCATEGORIZED
Unusual access denied - User accessing high volume of key vaults denied USER_RESOURCE_ACCESS
Unusual access denied - Unusual user accessing key vault denied USER_RESOURCE_ACCESS
Unusual application accessed a key vault USER_RESOURCE_ACCESS
Unusual operation pattern in a key vault USER_UNCATEGORIZED
Unusual user accessed a key vault USER_RESOURCE_ACCESS
Unusual user-application pair accessed a key vault USER_RESOURCE_ACCESS
User accessed high volume of key vaults USER_RESOURCE_ACCESS
Denied access from a suspicious IP to a key vault USER_RESOURCE_ACCESS
Unusual access to the key vault from a suspicious IP (Non-Microsoft or External) USER_RESOURCE_ACCESS
DDoS Attack detected for Public IP SCAN_UNCATEGORIZED NETWORK_DENIAL_OF_SERVICE
DDoS Attack mitigated for Public IP STATUS_UPDATE NETWORK_DENIAL_OF_SERVICE
Suspicious population-level spike in API traffic to an API endpoint SCAN_UNCATEGORIZED
Suspicious spike in API traffic from a single IP address to an API endpoint SCAN_UNCATEGORIZED
Unusually large response payload transmitted between a single IP address and an API endpoint SCAN_UNCATEGORIZED
Unusually large request body transmitted between a single IP address and an API endpoint SCAN_UNCATEGORIZED
(Preview) Suspicious spike in latency for traffic between a single IP address and an API endpoint SCAN_UNCATEGORIZED
API requests spray from a single IP address to an unusually large number of distinct API endpoints NETWORK_UNCATEGORIZED
Parameter enumeration on an API endpoint NETWORK_UNCATEGORIZED
Distributed parameter enumeration on an API endpoint NETWORK_UNCATEGORIZED
Parameter value(s) with anomalous data types in an API call NETWORK_UNCATEGORIZED
Previously unseen parameter used in an API call NETWORK_UNCATEGORIZED
Access from a Tor exit node to an API endpoint NETWORK_UNCATEGORIZED
API Endpoint access from suspicious IP NETWORK_UNCATEGORIZED
Access from an unusual location to a storage blob container USER_RESOURCE_ACCESS
Potentially Unsafe Action USER_RESOURCE_ACCESS
Logon by an unfamiliar principal USER_LOGIN
NT - Download requested by Powershell USER_UNCATEGORIZED
Logon from an unusual location USER_UNCATEGORIZED
NT - Anomalous Registry Persistence Value USER_UNCATEGORIZED
NT - Suspicious powershell command with windowstyle hidden USER_UNCATEGORIZED
NT - Unauthorized nmap usage USER_UNCATEGORIZED
NT - Unusual process spawned from Chrome USER_UNCATEGORIZED
NT - Encoded powershell command executed USER_UNCATEGORIZED
NT - Powershell command with suspicious reference to AppData subfolder USER_UNCATEGORIZED
NT - Powershell executing standard input (possible obfuscation) USER_UNCATEGORIZED
NT - Anomalous bitsadmin transfer request STATUS_UPDATE
NT - Anomalous reg import command - Rule STATUS_UPDATE
NT - Anomalous usage of sdbinst.exe - possible shim database persistence STATUS_UPDATE
NT - Folder name of nonbreaking space detected in commandline. possible Andromeda. STATUS_UPDATE
NT - Rundll32.exe communicating with proxy STATUS_UPDATE
NT - LogSource Increasing or Decreasing over Last 4 Hours STATUS_UPDATE
Azure VWAN Tunnel Down - Run the RRAS Script STATUS_UPDATE
Security incident with shared process detected STATUS_UPDATE
Security incident detected on multiple resources STATUS_UPDATE
Security incident detected STATUS_UPDATE
PsExec execution detected USER_UNCATEGORIZED

필드 매핑 참조: MICROSOFT_GRAPH_ALERT

다음 표에는 MICROSOFT_GRAPH_ALERT 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.
Log field UDM mapping Logic
actorDisplayName security_result.about.user.user_display_name If the actorDisplayName log field value is not equal to null, then the actorDisplayName log field is mapped to the security_result.about.user.user_display_name UDM field.
additionalData additional.fields [additionalData %{key}]
alertPolicyId security_result.rule_id If the alertPolicyId log field value is not equal to null, then the alertPolicyId log field is mapped to the security_result.rule_id UDM field.
alertWebUrl metadata.url_back_to_product
assignedTo security_result.about.user.userid If the assignedTo log field value is not equal to null, then the assignedTo log field is mapped to the security_result.about.user.userid UDM field.
category metadata.product_event_type
category security_result.summary
classification security_result.detection_fields[classification] If the classification log field value is not equal to null, then the classification log field is mapped to the security_result.detection_fields UDM field.
comments.comment security_result.about.investigation.comments
comments.createdByDisplayName security_result.detection_fields[comments_created_by_display_name]
comments.createdDateTime security_result.detection_fields[comments_created_date_time]
createdDateTime metadata.event_timestamp
description metadata.description
description security_result.description
detectionSource security_result.detection_fields[detection_source]
evidence.createdDateTime principal.user.attribute.creation_time The evidence.createdDateTime is mapped to principal.user.attribute.creation_time when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value doesn't contains any of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.createdDateTime target.user.attribute.creation_time The evidence.createdDateTime is mapped to target.user.attribute.creation_time when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value contains one of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.createdDateTime principal.asset.attribute.creation_time If the evidence.@odata.type log field value matches the regular expression pattern (.*)deviceEvidence, then the evidence.createdDateTime log field is mapped to the principal.asset.attribute.creation_time UDM field.
evidence.createdDateTime target.resource_ancestors.attribute.creation_time If the evidence.@odata.type log field value matches the regular expression pattern (.*)(amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesPodEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence), then the evidence.createdDateTime log field is mapped to the target.resource_ancestors.attribute.creation_time UDM field.
evidence.createdDateTime target.group.attribute.creation_time If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.createdDateTime log field is mapped to the target.group.attribute.creation_time UDM field.
evidence.createdDateTime security_result.detection_fields [created_date_time] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(cloudApplicationEvidence or amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence or kubernetesPodEvidence or deviceEvidence or mailClusterEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or analyzedMessageEvidence or securityGroupEvidence or userEvidence or mailboxEvidence or ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.createdDateTime extracted field is mapped to the security_result.detection_fields UDM field.
evidence.remediationStatusDetails principal.user.attribute.labels [remediation_status_details] The evidence.remediationStatusDetails is mapped to principal.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value doesn't contains any of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.remediationStatusDetails target.user.attribute.labels [remediation_status_details] The evidence.remediationStatusDetails is mapped to target.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value contains one of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.remediationStatusDetails principal.asset.attribute.labels [remediation_status_details] If the evidence.@odata.type log field value matches the regular expression pattern (.*)deviceEvidence, then the evidence.remediationStatusDetails log field is mapped to the principal.asset.attribute.labels UDM field.
evidence.remediationStatusDetails target.resource_ancestors.attribute.labels [remediation_status_details] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesPodEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence), then the evidence.remediationStatusDetails log field is mapped to the target.resource_ancestors.attribute.labels UDM field.
evidence.remediationStatusDetails target.group.attribute.labels [remediation_status_details] If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.remediationStatusDetails log field is mapped to the target.group.attribute.labels UDM field.
evidence.remediationStatusDetails security_result.detection_fields [remediation_status_details] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.remediationStatusDetails log field is mapped to the security_result.detection_fields UDM field.
evidence.remediationStatus principal.user.attribute.labels [remediation_status] The evidence.remediationStatus is mapped to principal.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value doesn't contains any of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.remediationStatus target.user.attribute.labels [remediation_status] The evidence.remediationStatus is mapped to target.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value contains one of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.remediationStatus principal.asset.attribute.labels [remediation_status] If the evidence.@odata.type log field value matches the regular expression pattern (.*)deviceEvidence, then the evidence.remediationStatus log field is mapped to the principal.asset.attribute.labels UDM field.
evidence.remediationStatus target.resource_ancestors.attribute.labels [remediation_status] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesPodEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence), then the evidence.remediationStatus log field is mapped to the target.resource_ancestors.attribute.labels UDM field.
evidence.remediationStatus target.group.attribute.labels [remediation_status] If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.remediationStatus log field is mapped to the target.group.attribute.labels UDM field.
evidence.remediationStatus security_result.detection_fields [remediation_status] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.remediationStatus log field is mapped to the security_result.detection_fields UDM field.
evidence.tags principal.user.attribute.labels [tags] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), then the evidence.tags log field is mapped to the principal.user.attribute.labels UDM field.
evidence.tags target.user.attribute.labels [tags] The evidence.tags is mapped to target.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value contains one of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.tags principal.asset.attribute.labels [tags] If the evidence.@odata.type log field value matches the regular expression pattern (.*)deviceEvidence, then the evidence.tags log field is mapped to the principal.asset.attribute.labels UDM field.
evidence.tags target.resource_ancestors.attribute.labels [tags] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesPodEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence), then the evidence.tags log field is mapped to the target.resource_ancestors.attribute.labels UDM field.
evidence.tags target.group.attribute.labels [tags] If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.tags log field is mapped to the target.group.attribute.labels UDM field.
evidence.tags security_result.detection_fields [tags] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.tags log field is mapped to the security_result.detection_fields UDM field.
evidence.detailedRoles principal.user.attribute.labels [evidence_detailed_roles] The evidence.detailedRoles is mapped to principal.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value doesn't contains any of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.detailedRoles target.user.attribute.labels [evidence_detailed_roles] The evidence.detailedRoles is mapped to target.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value contains one of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.detailedRoles principal.asset.attribute.labels [evidence_detailed_roles] If the evidence.@odata.type log field value matches the regular expression pattern (.*)deviceEvidence, then the evidence.detailedRoles log field is mapped to the principal.asset.attribute.labels UDM field.
evidence.detailedRoles target.resource_ancestors.attribute.labels [evidence_detailed_roles] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesPodEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence), then the evidence.detailedRoles log field is mapped to the target.resource_ancestors.attribute.labels UDM field.
evidence.detailedRoles target.group.attribute.labels [evidence_detailed_roles] If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.detailedRoles log field is mapped to the target.group.attribute.labels UDM field.
evidence.detailedRoles security_result.detection_fields [detailed_roles] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.detailedRoles log field is mapped to the security_result.detection_fields UDM field.
evidence.verdict principal.user.attribute.labels [verdict] The evidence.verdict is mapped to principal.user.attribute.labels when all of the following conditions are met:
  • The evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence)
  • If the title field value contains one of the following values:
    • Malware linked IP address
    • Unfamiliar sign-in properties
    • Malicious IP address
    • Anonymous IP address
    • Verified threat actor IP
    • Suspected Brute Force attack (LDAP)
    • Suspected Brute Force attack (Kerberos, NTLM)
    • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
    • Suspected DFSCoerce attack using Distributed File System Protocol
    • Multiple failed login attempts
    • Activity from a TOR IP address
    • Anomalous SSH login detected
    • Azure High Risk User account - Signin
    • Brute force attack against Azure Portal
    • Identity - Attempts to sign in to disabled accounts
    • Network - SSH Potential Brute Force
    • A logon from a malicious IP has been detected. [seen multiple times]
    • Successful brute force attack
    • Failed SSH brute force attack
    • Successful SSH brute force attack
    • Attempted logon by a potentially harmful application
    • Log on from an unusual Azure Data Center
    • Log on from an unusual location
    • Login from a principal user not seen in 60 days
    • Login from a domain not seen in 60 days
    • Login from a suspicious IP
    • Suspected brute force attack using a valid user
    • Suspected brute force attack
    • Suspected successful brute force attack
    • Logon from an unusual cloud provider
    • Logon by an unfamiliar principal
evidence.verdict target.user.attribute.labels[verdict] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, and if the target.user.attribute.labels log field value is empty, then the evidence.verdict log field is mapped to the target.user.attribute.labels UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.verdict target.group.attribute.labels [verdict] If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.verdict log field is mapped to the target.group.attribute.labels UDM field.
evidence.verdict security_result.detection_fields [verdict] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.verdict log field is mapped to the security_result.detection_fields UDM field.
evidence.roles principal.user.attribute.roles.name If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value does not contain one of the following values, then the evidence.roles log field is mapped to the principal.user.attribute.roles.name UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.roles target.user.attribute.roles.name If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.roles log field is mapped to the target.user.attribute.roles.name UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.roles principal.asset.attribute.roles.name If the evidence.@odata.type log field value matches the regular expression pattern (.*)deviceEvidence, then the evidence.roles log field is mapped to the principal.asset.attribute.roles.name UDM field.
evidence.roles security_result.detection_fields [roles] If the evidence.@odata.type log field value matches the regular expression pattern (.*)(ipEvidence or mailClusterEvidence or analyzedMessageEvidence or registryKeyEvidence or registryValueEvidence or urlEvidence or fileEvidence or processEvidence), then the evidence.roles log field is mapped to the security_result.detection_fields UDM field.
evidence.roles target.resource_ancestors.attribute.roles.name If the evidence.@odata.type log field value matches the regular expression pattern (.*)(amazonResourceEvidence or azureResourceEvidence or blobContainerEvidence or blobEvidence or googleCloudResourceEvidence or containerEvidence or containerImageEvidence or containerRegistryEvidence or kubernetesClusterEvidence or kubernetesControllerEvidence or kubernetesNamespaceEvidence or kubernetesPodEvidence or kubernetesSecretEvidence or kubernetesServiceAccountEvidence or kubernetesServiceEvidence or oauthApplicationEvidence), then The evidence.roles log field is mapped to the target.resource_ancestors.attribute.roles.name UDM field.
evidence.roles target.group.attribute.roles.name If the evidence.@odata.type log field value matches the regular expression pattern (.*)securityGroupEvidence, then the evidence.roles log field is mapped to the target.group.attribute.roles.name UDM field.
evidence.createdDateTime target.resource.attribute.creation_time If the evidence.@odata.type log field value matches the regular expression pattern (.*)cloudApplicationEvidence, then the evidence.createdDateTime log field is mapped to the target.resource.attribute.creation_time UDM field.
evidence.remediationStatusDetails target.resource.attribute.labels [remediation_status_details] If the evidence.@odata.type log field value matches the regular expression pattern (.*)cloudApplicationEvidence, then the evidence.remediationStatusDetails log field is mapped to the target.resource.attribute.labels UDM field.
evidence.remediationStatus target.resource.attribute.labels [remediation_status] If the evidence.@odata.type log field value matches the regular expression pattern (.*)cloudApplicationEvidence, then the evidence.remediationStatus log field is mapped to the target.resource.attribute.labels UDM field.
evidence.tags target.resource.attribute.labels [tags] If the evidence.@odata.type log field value matches the regular expression pattern (.*)cloudApplicationEvidence, then the evidence.tags log field is mapped to the target.resource.attribute.labels UDM field.
evidence.verdict target.resource.attribute.labels [verdict] If the evidence.@odata.type log field value matches the regular expression pattern (.*)cloudApplicationEvidence, then the evidence.verdict log field is mapped to the target.resource.attribute.labels UDM field.
evidence.roles target.resource.attribute.roles.name If the evidence.@odata.type log field value matches the regular expression pattern (.*)cloudApplicationEvidence, then the evidence.roles log field is mapped to the target.resource.attribute.roles.name UDM field.
detectorId security_result.detection_fields[detector_id] If the detectorId log field value is not equal to null, then the detectorId log field is mapped to the security_result.detection_fields UDM field.
determination security_result.detection_fields[determination] If the determination log field value is not equal to null, then the determination log field is mapped to the security_result.detection_fields UDM field.
evidence.@odata.type
evidence.azureAdDeviceId security_result.detection_fields[azure_ad_device_id]
evidence.deviceDnsName principal.asset.hostname If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.deviceDnsName field is mapped to the principal.asset.hostname UDM field.
evidence.deviceDnsName principal.hostname If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.deviceDnsName field is mapped to the principal.hostname UDM field.
evidence.firstSeenDateTime principal.asset.first_seen_time
principal.asset.deployment_status The principal.asset.deployment_status UDM field is set to one of the following values:
  • ACTIVE when the following conditions are met:
    • The value in the evidence.healthStatus field is active.
    • The value in the evidence.@odata.type field value matches the regular expression pattern .*deviceEvidence
  • DECOMMISSIONED when the following conditions are met:
    • The value in the evidence.healthStatus field is inactive.
    • The value in the evidence.@odata.type field value matches the regular expression pattern .*deviceEvidence
evidence.healthStatus principal.asset.attribute.labels[health_status]
evidence.amazonAccountId target.resource_ancestors.attribute.labels[amazon_account_id]
evidence.amazonResourceId target.resource_ancestors.product_object_id
evidence.resourceName target.resource_ancestors.name
evidence.resourceType target.resource_ancestors.resource_subtype
evidence.cloudResource.amazonAccountId target.resource_ancestors.attribute.labels[cloud_resource_amazon_account_id]
evidence.cloudResource.amazonResourceId target.resource_ancestors.attribute.labels[cloud_resource_amazon_resource_id]
evidence.cloudResource.remediationStatus target.resource_ancestors.attribute.labels[cloud_resource_remediation_status]
evidence.cloudResource.remediationStatusDetails target.resource_ancestors.attribute.labels[cloud_resource_remediation_status_details]
evidence.cloudResource.roles target.resource_ancestors.attribute.labels[cloud_resource_roles]
evidence.cloudResource.tags target.resource_ancestors.attribute.labels[cloud_resource_tags]
evidence.cloudResource.verdict target.resource_ancestors.attribute.labels[cloud_resource_verdict]
evidence.cluster.cloudResource.amazonAccountId target.resource_ancestors.attribute.labels[cluster_cloud_resource_amazon_account_id]
evidence.cluster.cloudResource.amazonResourceId target.resource_ancestors.attribute.labels[cluster_cloud_resource_amazon_resource_id]
evidence.cluster.cloudResource.remediationStatus target.resource_ancestors.attribute.labels[cluster_cloud_resource_remediation_status]
evidence.cluster.cloudResource.remediationStatusDetails target.resource_ancestors.attribute.labels[cluster_cloud_resource_remediation_status_details]
evidence.cluster.cloudResource.roles target.resource_ancestors.attribute.labels[cluster_cloud_resource_roles]
evidence.cluster.cloudResource.tags target.resource_ancestors.attribute.labels[cluster_cloud_resource_tags]
evidence.cluster.cloudResource.verdict target.resource_ancestors.attribute.labels[cluster_cloud_resource_verdict]
evidence.namespace.cluster.cloudResource.amazonAccountId target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_amazon_account_id]
evidence.namespace.cluster.cloudResource.amazonResourceId target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_amazon_resource_id]
evidence.namespace.cluster.cloudResource.remediationStatus target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_remediation_status]
evidence.namespace.cluster.cloudResource.remediationStatusDetails target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_remediation_status_details]
evidence.namespace.cluster.cloudResource.resourceName target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_resource_name]
evidence.namespace.cluster.cloudResource.resourceType target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_resource_type]
evidence.namespace.cluster.cloudResource.roles target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_roles]
evidence.namespace.cluster.cloudResource.tags target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_tags]
evidence.namespace.cluster.cloudResource.verdict target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_verdict]
evidence.pod.namespace.cluster.cloudResource.amazonAccountId target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_amazon_account_id]
evidence.pod.namespace.cluster.cloudResource.amazonResourceId target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_amazon_resource_id]
evidence.pod.namespace.cluster.cloudResource.remediationStatus target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_remediation_status]
evidence.pod.namespace.cluster.cloudResource.remediationStatusDetails target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_remediation_status_details]
evidence.pod.namespace.cluster.cloudResource.resourceName target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_resource_name]
evidence.pod.namespace.cluster.cloudResource.resourceType target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_resource_type]
evidence.pod.namespace.cluster.cloudResource.roles target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_roles]
evidence.pod.namespace.cluster.cloudResource.tags target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_tags]
evidence.pod.namespace.cluster.cloudResource.verdict target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_verdict]
evidence.location target.location.country_or_region If the evidence.@odata.type log field value matches the regular expression pattern .*googleCloudResourceEvidence, then the evidence.location log field is mapped to the target.location.country_or_region UDM field.
evidence.locationType target.resource_ancestors.attribute.labels[location_type]
evidence.projectId target.resource_ancestors.attribute.labels[project_id]
evidence.projectNumber target.resource_ancestors.attribute.labels[project_number]
evidence.resourceId target.resource_ancestors.product_object_id
evidence.cloudResource.createdDateTime target.resource_ancestors.attribute.labels[cloud_resource_created_date_time]
evidence.cloudResource.location target.resource_ancestors.attribute.labels[cloud_resource_location]
evidence.cloudResource.locationType target.resource_ancestors.attribute.labels[cloud_resource_location_type]
evidence.cloudResource.projectId target.resource_ancestors.attribute.labels[cloud_resource_project_id]
evidence.cloudResource.projectNumber target.resource_ancestors.attribute.labels[cloud_resource_project_number]
evidence.cloudResource.resourceId target.resource_ancestors.attribute.labels[cloud_resource_resource_id]
evidence.cloudResource.resourceName target.resource_ancestors.attribute.labels[cloud_resource_resource_name]
evidence.cloudResource.resourceType target.resource_ancestors.attribute.labels[cloud_resource_resource_type]
evidence.cluster.cloudResource.createdDateTime target.resource_ancestors.attribute.labels[cluster_cloud_resource_created_date_time]
evidence.cluster.cloudResource.location target.resource_ancestors.attribute.labels[cluster_cloud_resource_location]
evidence.cluster.cloudResource.locationType target.resource_ancestors.attribute.labels[cluster_cloud_resource_location_type]
evidence.cluster.cloudResource.projectId target.resource_ancestors.attribute.labels[cluster_cloud_resource_project_id]
evidence.cluster.cloudResource.projectNumber target.resource_ancestors.attribute.labels[cluster_cloud_resource_project_number]
evidence.cluster.cloudResource.resourceId target.resource_ancestors.attribute.labels[cluster_cloud_resource_resource_id]
evidence.cluster.cloudResource.resourceName target.resource_ancestors.attribute.labels[cluster_cloud_resource_resource_name]
evidence.cluster.cloudResource.resourceType target.resource_ancestors.attribute.labels[cluster_cloud_resource_resource_type]
evidence.namespace.cluster.cloudResource.createdDateTime target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_created_date_time]
evidence.namespace.cluster.cloudResource.location target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_location]
evidence.namespace.cluster.cloudResource.locationType target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_location_type]
evidence.namespace.cluster.cloudResource.projectId target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_project_id]
evidence.namespace.cluster.cloudResource.projectNumber target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_project_number]
evidence.namespace.cluster.cloudResource.resourceId target.resource_ancestors.attribute.labels[namespace_cluster_cloud_resource_resource_id]
evidence.pod.namespace.cluster.cloudResource.createdDateTime target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_created_date_time]
evidence.pod.namespace.cluster.cloudResource.location target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_location]
evidence.pod.namespace.cluster.cloudResource.locationType target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_location_type]
evidence.pod.namespace.cluster.cloudResource.projectId target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_project_id]
evidence.pod.namespace.cluster.cloudResource.projectNumber target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_project_number]
evidence.pod.namespace.cluster.cloudResource.resourceId target.resource_ancestors.attribute.labels[pod_namespace_cluster_cloud_resource_resource_id]
evidence.blobContainer.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.fileHashes target.resource_ancestors.attribute.labels [file_hashes]
evidence.blobContainer.name target.resource_ancestors.name
evidence.blobContainer.remediationStatus target.resource_ancestors.attribute.labels [blob_container_remediation_status]
evidence.blobContainer.remediationStatusDetails target.resource_ancestors.attribute.labels [blob_container_remediation_status_details]
evidence.blobContainer.roles target.resource_ancestors.attribute.labels [blob_container_roles]
evidence.blobContainer.tags target.resource_ancestors.attribute.labels [blob_container_tags]
evidence.blobContainer.url target.resource_ancestors.attribute.labels [blob_container_url]
evidence.blobContainer.verdict target.resource_ancestors.attribute.labels [blob_container_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*kubernetesNamespaceEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.cluster.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.cluster.distribution target.resource_ancestors.attribute.labels[cluster_distribution]
evidence.cluster.name target.resource_ancestors.name
evidence.cluster.platform target.resource_ancestors.attribute.labels[cluster_platform]
evidence.cluster.remediationStatus target.resource_ancestors.attribute.labels[cluster_remediation_status]
evidence.cluster.remediationStatusDetails target.resource_ancestors.attribute.labels[cluster_remediation_status_details]
evidence.cluster.roles target.resource_ancestors.attribute.roles.name
evidence.cluster.tags target.resource_ancestors.attribute.labels[cluster_tags]
evidence.cluster.verdict target.resource_ancestors.attribute.labels[cluster_verdict]
evidence.cluster.version target.resource_ancestors.attribute.labels[cluster_version]
target.resource_ancestors.resource_type If the evidence.cluster.name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.
evidence.image.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.image.digestImage target.resource_ancestors.attribute.labels [image_digest_image]
evidence.image.imageId target.resource_ancestors.product_object_id
evidence.image.registry.createdDateTime target.resource_ancestors.attribute.labels [image_registry_created_date_time]
evidence.image.registry.registry target.resource_ancestors.attribute.labels [image_registry_registry]
evidence.image.registry.remediationStatus target.resource_ancestors.attribute.labels [image_registry_remediation_status]
evidence.image.registry.remediationStatusDetails target.resource_ancestors.attribute.labels [image_registry_remediation_status_details]
evidence.image.registry.roles target.resource_ancestors.attribute.labels [image_registry_roles]
evidence.image.registry.tags target.resource_ancestors.attribute.labels [image_registry_tags]
evidence.image.registry.verdict target.resource_ancestors.attribute.labels [image_registry_verdict]
evidence.image.remediationStatus target.resource_ancestors.attribute.labels [image_remediation_status]
evidence.image.remediationStatusDetails target.resource_ancestors.attribute.labels [image_remediation_status_details]
evidence.image.roles target.resource_ancestors.attribute.labels [image_roles]
evidence.image.tags target.resource_ancestors.attribute.labels [image_tags]
evidence.image.verdict target.resource_ancestors.attribute.labels [image_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*containerEvidence, then the target.resource_ancestors.resource_type UDM field is set to IMAGE.
evidence.pod.containers.args target.resource_ancestors.attribute.labels [pod_containers_args]
evidence.pod.containers.command target.resource_ancestors.attribute.labels [pod_containers_command]
evidence.pod.containers.containerId target.resource_ancestors.product_object_id
evidence.pod.containers.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.pod.containers.isPrivileged target.resource_ancestors.attribute.labels [pod_containers_is_privileged]
evidence.pod.containers.name target.resource_ancestors.name
evidence.pod.containers.remediationStatus target.resource_ancestors.attribute.labels [pod_containers_remediation_status]
evidence.pod.containers.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_containers_remediation_status_details]
evidence.pod.containers.roles target.resource_ancestors.attribute.labels [pod_containers_roles]
evidence.pod.containers.tags target.resource_ancestors.attribute.labels [pod_containers_tags]
evidence.pod.containers.verdict target.resource_ancestors.attribute.labels [pod_containers_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*containerEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.pod.controller.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.pod.controller.labels target.resource_ancestors.attribute.labels [pod_controller_labels]
evidence.pod.controller.name target.resource_ancestors.name
evidence.pod.controller.remediationStatus target.resource_ancestors.attribute.labels [pod_controller_remediation_status]
evidence.pod.controller.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_controller_remediation_status_details]
evidence.pod.controller.roles target.resource_ancestors.attribute.labels [pod_controller_roles]
evidence.pod.controller.tags target.resource_ancestors.attribute.labels [pod_controller_tags]
evidence.pod.controller.type target.resource_ancestors.resource_subtype
evidence.pod.controller.verdict target.resource_ancestors.attribute.labels [pod_controller_verdict]
evidence.pod.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.pod.name target.resource_ancestors.name
evidence.pod.remediationStatus target.resource_ancestors.attribute.labels [pod_remediation_status]
evidence.pod.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_remediation_status_details]
evidence.pod.roles target.resource_ancestors.attribute.labels [pod_roles]
evidence.pod.tags target.resource_ancestors.attribute.labels [pod_tags]
evidence.pod.verdict target.resource_ancestors.attribute.labels [pod_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*containerEvidence, then the target.resource_ancestors.resource_type UDM field is set to POD.
evidence.pod.ephemeralContainers.args target.resource_ancestors.attribute.labels [pod_ephemeral_containers_args]
evidence.pod.ephemeralContainers.command target.resource_ancestors.attribute.labels [pod_ephemeral_containers_command]
evidence.pod.ephemeralContainers.containerId target.resource_ancestors.product_object_id
evidence.pod.ephemeralContainers.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.pod.ephemeralContainers.isPrivileged target.resource_ancestors.attribute.labels [pod_ephemeral_containers_is_privileged]
evidence.pod.ephemeralContainers.name target.resource_ancestors.name
evidence.pod.ephemeralContainers.remediationStatus target.resource_ancestors.attribute.labels [pod_ephemeral_containers_remediation_status]
evidence.pod.ephemeralContainers.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_ephemeral_containers_remediation_status_details]
evidence.pod.ephemeralContainers.roles target.resource_ancestors.attribute.labels [pod_ephemeral_containers_roles]
evidence.pod.ephemeralContainers.tags target.resource_ancestors.attribute.labels [pod_ephemeral_containers_tags]
evidence.pod.ephemeralContainers.verdict target.resource_ancestors.attribute.labels [pod_ephemeral_containers_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*containerEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.pod.serviceAccount.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.pod.serviceAccount.name target.resource_ancestors.name
evidence.pod.serviceAccount.remediationStatus target.resource_ancestors.attribute.labels [pod_service_account_remediation_status]
evidence.pod.serviceAccount.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_service_account_remediation_status_details]
evidence.pod.serviceAccount.roles target.resource_ancestors.attribute.labels [pod_service_account_roles]
evidence.pod.serviceAccount.tags target.resource_ancestors.attribute.labels [pod_service_account_tags]
evidence.pod.serviceAccount.verdict target.resource_ancestors.attribute.labels [pod_service_account_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*containerEvidence, and if the evidence.pod.serviceAccount.name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to SERVICE_ACCOUNT.
evidence.pod.initContainers.args target.resource_ancestors.attribute.labels [pod_init_containers_args]
evidence.pod.initContainers.command target.resource_ancestors.attribute.labels [pod_init_containers_command]
evidence.pod.initContainers.containerId target.resource_ancestors.product_object_id
evidence.pod.initContainers.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.pod.initContainers.isPrivileged target.resource_ancestors.attribute.labels [pod_init_containers_is_privileged]
evidence.pod.initContainers.name target.resource_ancestors.name
evidence.pod.initContainers.remediationStatus target.resource_ancestors.attribute.labels [pod_init_containers_remediation_status]
evidence.pod.initContainers.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_init_containers_remediation_status_details]
evidence.pod.initContainers.roles target.resource_ancestors.attribute.labels [pod_init_containers_roles]
evidence.pod.initContainers.tags target.resource_ancestors.attribute.labels [pod_init_containers_tags]
evidence.pod.initContainers.verdict target.resource_ancestors.attribute.labels [pod_init_containers_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*containerEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.containers.args target.resource_ancestors.attribute.labels [containers_args]
evidence.containers.command target.resource_ancestors.attribute.labels [containers_command]
evidence.containers.containerId target.resource_ancestors.product_object_id
evidence.containers.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.containers.isPrivileged target.resource_ancestors.attribute.labels [containers_is_privileged]
evidence.containers.name target.resource_ancestors.name
evidence.containers.remediationStatus target.resource_ancestors.attribute.labels [containers_remediation_status]
evidence.containers.remediationStatusDetails target.resource_ancestors.attribute.labels [containers_remediation_status_details]
evidence.containers.roles target.resource_ancestors.attribute.labels [containers_roles]
evidence.containers.tags target.resource_ancestors.attribute.labels [containers_tags]
evidence.containers.verdict target.resource_ancestors.attribute.labels [containers_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*kubernetesNamespaceEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.controller.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.controller.name target.resource_ancestors.name
evidence.controller.remediationStatus target.resource_ancestors.attribute.labels [controller_remediation_status]
evidence.controller.remediationStatusDetails target.resource_ancestors.attribute.labels [controller_remediation_status_details]
evidence.controller.roles target.resource_ancestors.attribute.labels [controller_roles]
evidence.controller.tags target.resource_ancestors.attribute.labels [controller_tags]
evidence.controller.type target.resource_ancestors.resource_subtype
evidence.controller.verdict target.resource_ancestors.attribute.labels [controller_verdict]
evidence.initContainers.args target.resource_ancestors.attribute.labels [init_containers_args]
evidence.initContainers.command target.resource_ancestors.attribute.labels [init_containers_command]
evidence.initContainers.containerId target.resource_ancestors.product_object_id
evidence.initContainers.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.initContainers.isPrivileged target.resource_ancestors.attribute.labels [init_containers_is_privileged]
evidence.initContainers.name target.resource_ancestors.name
evidence.initContainers.remediationStatus target.resource_ancestors.attribute.labels [init_containers_remediation_status]
evidence.initContainers.remediationStatusDetails target.resource_ancestors.attribute.labels [init_containers_remediation_status_details]
evidence.initContainers.roles target.resource_ancestors.attribute.labels [init_containers_roles]
evidence.initContainers.tags target.resource_ancestors.attribute.labels [init_containers_tags]
evidence.initContainers.verdict target.resource_ancestors.attribute.labels [init_containers_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*kubernetesNamespaceEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.ephemeralContainers.args target.resource_ancestors.attribute.labels [ephemeral_containers_args]
evidence.ephemeralContainers.command target.resource_ancestors.attribute.labels [ephemeral_containers_command]
evidence.ephemeralContainers.containerId target.resource_ancestors.product_object_id
evidence.ephemeralContainers.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.ephemeralContainers.isPrivileged target.resource_ancestors.attribute.labels [ephemeral_containers_is_privileged]
evidence.ephemeralContainers.name target.resource_ancestors.name
evidence.ephemeralContainers.remediationStatus target.resource_ancestors.attribute.labels [ephemeral_containers_remediation_status]
evidence.ephemeralContainers.remediationStatusDetails target.resource_ancestors.attribute.labels [ephemeral_containers_remediation_status_details]
evidence.ephemeralContainers.roles target.resource_ancestors.attribute.labels [ephemeral_containers_roles]
evidence.ephemeralContainers.tags target.resource_ancestors.attribute.labels [ephemeral_containers_tags]
evidence.ephemeralContainers.verdict target.resource_ancestors.attribute.labels [ephemeral_containers_verdict]
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*kubernetesNamespaceEvidence, then the target.resource_ancestors.resource_type UDM field is set to CONTAINER.
evidence.podIp.countryLetterCode target.resource_ancestors.attribute.labels [podip_country_letter_code]
evidence.podIp.ipAddress target.resource_ancestors.attribute.labels [podip_ip_address]
evidence.serviceAccount.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.serviceAccount.name target.resource_ancestors.name
evidence.serviceAccount.remediationStatus target.resource_ancestors.attribute.labels [service_account_remediation_status]
evidence.serviceAccount.remediationStatusDetails target.resource_ancestors.attribute.labels [service_account_remediation_status_details]
evidence.serviceAccount.roles target.resource_ancestors.attribute.labels [service_account_roles]
evidence.serviceAccount.tags target.resource_ancestors.attribute.labels [service_account_tags]
evidence.serviceAccount.verdict target.resource_ancestors.attribute.labels [service_account_verdict]
target.resource_ancestors.resource_type If the evi.@odata.type log field value matches the regular expression pattern (.*)(kubernetesNamespaceEvidence or kubernetesPodEvidence), then the target.resource_ancestors.resource_type UDM field is set to SERVICE_ACCOUNT.
network.direction If the evidence.antiSpamDirection log field value matches the regular expression pattern (?i)(inbound), then the network.direction UDM field is set to INBOUND.

Else, If the evidence.antiSpamDirection log field value matches the regular expression pattern (?i)(outbound), then the network.direction UDM field is set to OUTBOUND.
evidence.appId target.application If the index log field value is equal to 1, then the evidence.appId log field is mapped to the target.application UDM field.
evidence.appId target.resource_ancestors.attribute.labels[app_id] If the evidence.@odata.type log field value matches the regular expression pattern (.*oauthApplicationEvidence or .*cloudApplicationEvidence), then the evidence.appId log field is mapped to the target.resource_ancestors.attribute.labels UDM field.
evidence.args target.resource_ancestors.attribute.labels[args]
evidence.attachmentsCount security_result.detection_fields[attachments_count]
evidence.clusterBy security_result.detection_fields[cluster_by]
evidence.clusterByValue security_result.detection_fields[cluster_by_value]
evidence.clusterIP.countryLetterCode about.location.country_or_region If the evidence.@odata.type log field value matches the regular expression pattern .*kubernetesServiceEvidence, then the evidence.clusterIP.countryLetterCode log field is mapped to the about.location.country_or_region UDM field.
evidence.clusterIP.ipAddress about.ip
evidence.command target.resource_ancestors.attribute.labels[command]
evidence.containerId target.resource_ancestors.attribute.labels[container_id]
evidence.countryLetterCode principal.location.country_or_region
  • The protoPayload.metadata.event.eventName.parameter.value is mapped to principal.location.country_or_region when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*ipEvidence
    • The value in the principal.location.country_or_region field is empty.
  • The protoPayload.metadata.event.eventName.parameter.value is mapped to about.location.country_or_region when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*ipEvidence
    • The value in the principal.location.country_or_region field is not empty.
evidence.defenderAvStatus security_result.detection_fields [defender_av_status]
evidence.deliveryAction security_result.detection_fields [delivery_action]
evidence.deliveryLocation security_result.detection_fields [delivery_location]
evidence.detectionStatus security_result.detection_fields[detection_status]
evidence.displayName target.application If the evidence.@odata.type log field value matches the regular expression pattern (.*oauthApplicationEvidence or .*cloudApplicationEvidence), then the evidence.displayName log field is mapped to the target.application UDM field.
evidence.displayName target.group.group_display_name If the evidence.@odata.type log field value matches the regular expression pattern .*securityGroupEvidence, then the evidence.displayName log field is mapped to the target.group.group_display_name UDM field.
evidence.displayName principal.user.attribute.labels[display_name] If the evidence.@odata.type log field value matches the regular expression pattern .*mailboxEvidence, and if the title log field value does not contain one of the following values, then the evidence.displayName log field is mapped to the principal.user.attribute.labels UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.displayName target.user.attribute.labels[display_name] If the evidence.@odata.type log field value matches the regular expression pattern .*mailboxEvidence, and if the title log field value contain one of the following values, then the evidence.displayName log field is mapped to the target.user.attribute.labels UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.distribution target.resource_ancestors.attribute.labels[distribution]
evidence.emailCount security_result.detection_fields [email_count]
evidence.externalIPs.countryLetterCode about.location.country_or_region
evidence.externalIPs.ipAddress about.ip
evidence.fileDetails.fileName target.file.names
evidence.fileDetails.filePath target.file.full_path
evidence.fileDetails.filePublisher security_result.detection_fields [file_details_file_publisher] If the evidence.@odata.type log field value matches the regular expression pattern .*fileEvidence, then the evidence.fileDetails.filePublisher log field is mapped to the security_result.detection_fields UDM field.
evidence.fileDetails.fileSize target.file.size
evidence.fileDetails.issuer security_result.detection_fields [file_details_issuer]
evidence.fileDetails.sha1 target.file.sha1
evidence.fileDetails.sha256 target.file.sha256
evidence.fileDetails.signer security_result.detection_fields [file_details_signer]
evidence.imageFile.fileName target.process.file.names If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.imageFile.fileName log field is mapped to the target.process.file.names UDM field.
evidence.imageFile.filePath target.process.file.full_path If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.imageFile.filePath log field is mapped to the target.process.file.full_path UDM field.
evidence.imageFile.filePublisher security_result.detection_fields [image_file_file_publisher] If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.imageFile.filePublisher log field is mapped to the security_result.detection_fields UDM field.
evidence.imageFile.fileSize target.process.file.size If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.imageFile.fileSize log field is mapped to the target.process.file.size UDM field.
evidence.imageFile.issuer security_result.detection_fields[image_file_issuer]
evidence.imageFile.sha1 target.process.file.sha1 If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.imageFile.sha1 log field is mapped to the target.process.file.sha1 UDM field.
evidence.imageFile.sha256 target.process.file.sha256 If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.imageFile.sha256 log field is mapped to the target.process.file.sha256 UDM field.
evidence.imageFile.signer security_result.detection_fields [image_file_signer]
evidence.instanceId target.resource.product_object_id
evidence.instanceName target.resource.name
evidence.internetMessageId principal.network.email.mail_id
evidence.ipAddress principal.ip If the evidence.@odata.type log field value matches the regular expression pattern (.*ipEvidence), then the evidence.ipAddress log field is mapped to the principal.ip UDM field.
evidence.ipInterfaces principal.asset.attribute.labels[ip_interfaces]
evidence.isPrivileged target.resource_ancestors.attribute.labels[is_privileged]
evidence.language security_result.detection_fields[language]
evidence.location.city principal.location.city
evidence.location.countryName principal.location.name
evidence.location.latitude principal.location.region_coordinates.latitude
evidence.location.longitude principal.location.region_coordinates.longitude
evidence.location.state principal.location.state
evidence.loggedOnUsers.accountName target.user.userid
evidence.loggedOnUsers.domainName principal.domain.name
evidence.mdeDeviceId principal.asset.asset_id
evidence.mdeDeviceId principal.asset_id
security_result.associations.type If the evidence.@odata.type log field value matches the regular expression pattern (.*malwareEvidence), then the security_result.associations.type UDM field is set to MALWARE.
evidence.name security_result.associations.name If the evidence.@odata.type log field value matches the regular expression pattern (.*malwareEvidence), then the evidence.name log field is mapped to the security_result.associations.name UDM field.
evidence.name target.resource_ancestors.name
evidence.namespace.cluster.createdDateTime target.resource_ancestors.attribute.labels[namespace_cluster_created_date_time]
evidence.namespace.cluster.distribution target.resource_ancestors.attribute.labels[namespace_cluster_distribution]
evidence.namespace.cluster.name target.resource_ancestors.attribute.labels[namespace_cluster_name]
evidence.namespace.cluster.platform target.resource_ancestors.attribute.labels[namespace_cluster_platform]
evidence.namespace.cluster.remediationStatus target.resource_ancestors.attribute.labels[namespace_cluster_remediation_status]
evidence.namespace.cluster.remediationStatusDetails target.resource_ancestors.attribute.labels[namespace_cluster_remediation_status_details]
evidence.namespace.cluster.roles target.resource_ancestors.attribute.labels[namespace_cluster_roles]
evidence.namespace.cluster.tags target.resource_ancestors.attribute.labels[namespace_cluster_tags]
evidence.namespace.cluster.verdict target.resource_ancestors.attribute.labels[namespace_cluster_verdict]
evidence.namespace.cluster.version target.resource_ancestors.attribute.labels[namespace_cluster_version]
evidence.namespace.createdDateTime target.resource_ancestors.attribute.labels[namespace_created_date_time]
evidence.namespace.name target.resource_ancestors.attribute.labels[namespace_name]
evidence.namespace.remediationStatus target.resource_ancestors.attribute.labels[namespace_remediation_status]
evidence.namespace.remediationStatusDetails target.resource_ancestors.attribute.labels[namespace_remediation_status_details]
evidence.namespace.roles target.resource_ancestors.attribute.labels[namespace_roles]
evidence.namespace.tags target.resource_ancestors.attribute.labels[namespace_tags]
evidence.namespace.verdict target.resource_ancestors.attribute.labels[namespace_verdict]
evidence.networkMessageId security_result.detection_fields[network_message_id]
evidence.networkMessageIds security_result.detection_fields[network_message_ids]
evidence.objectId target.resource.product_object_id If the evidence.@odata.type log field value matches the regular expression pattern (.*oauthApplicationEvidence or .*cloudApplicationEvidence), then the evidence.objectId log field is mapped to the target.resource.product_object_id UDM field.
evidence.onboardingStatus principal.asset.attribute.labels [onboarding_status] If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.onboardingStatus log field is mapped to the principal.asset.attribute.labels UDM field.
evidence.osBuild principal.asset.platform_software.platform_patch_level If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.osBuild log field is mapped to the principal.asset.platform_software.platform_patch_level UDM field.
evidence.osBuild principal.platform_patch_level If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.osBuild log field is mapped to the principal.platform_patch_level UDM field.
principal.platform The principal.platform UDM field is set to one of the following values:
  • WINDOWS when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)win
  • MAC when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)mac
  • LINUX when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)lin
  • ANDROID when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)android
  • IOS when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)ios
principal.asset.platform_software.platform The principal.asset.platform_software.platform UDM field is set to one of the following values:
  • WINDOWS when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)win
  • MAC when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)mac
  • LINUX when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)lin
  • ANDROID when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)android
  • IOS when the following conditions are met:
    • The value in the evidence.@odata.type field matches the regular expression pattern .*deviceEvidence
    • The value in the evidence.osPlatform field matches the regular expression pattern (?i)ios
evidence.osPlatform principal.asset.attribute.labels[os_platform]
evidence.p1Sender.displayName security_result.about.user.user_display_name If the evidence.p2Sender.displayName log field value does not match the regular expression pattern ^.+@.+$, then the evidence.p1Sender.displayName log field is mapped to the security_result.about.user.user_display_name UDM field.
evidence.p1Sender.displayName security_result.about.user.email_addresses
evidence.p1Sender.domainName security_result.about.domain.name
evidence.p1Sender.emailAddress security_result.about.network.email.from
evidence.p2Sender.displayName security_result.about.user.user_display_name If the evidence.p2Sender.displayName log field value does not match the regular expression pattern ^.+@.+$, then the evidence.p2Sender.displayName log field is mapped to the security_result.about.user.user_display_name UDM field.
evidence.p2Sender.displayName security_result.about.user.email_addresses
evidence.p2Sender.domainName security_result.about.domain.name
evidence.p2Sender.emailAddress security_result.about.network.email.from
evidence.parentProcessCreationDateTime security_result.detection_fields[parent_process_creation_date_time] If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.parentProcessCreationDateTime log field is mapped to the security_result.detection_fields UDM field.
evidence.parentProcessId target.process.parent_process.pid If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.parentProcessId log field is mapped to the target.process.parent_process.pid UDM field.
evidence.parentProcessImageFile.fileName target.process.parent_process.file.names If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.parentProcessImageFile.fileName log field is mapped to the target.process.parent_process.file.names UDM field.
evidence.parentProcessImageFile.filePath target.process.parent_process.file.full_path If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.parentProcessImageFile.filePath log field is mapped to the target.process.parent_process.file.full_path UDM field.
evidence.parentProcessImageFile.filePublisher security_result.detection_fields [parent_process_image_file_file_publisher]
evidence.parentProcessImageFile.fileSize target.process.parent_process.file.size If the evidence.@odata.type log field value matches the regular expression pattern .*processEvidence, then the evidence.parentProcessImageFile.fileSize log field is mapped to the target.process.parent_process.file.size UDM field.
evidence.parentProcessImageFile.issuer security_result.detection_fields [parent_process_image_file_issuer]
evidence.parentProcessImageFile.sha1 target.process.parent_process.file.sha1
evidence.parentProcessImageFile.sha256 target.process.parent_process.file.sha256
evidence.parentProcessImageFile.signer security_result.detection_fields [parent_process_image_file_signer]
evidence.platform target.resource_ancestors.attribute.labels [platform]
evidence.pod.namespace.cluster.createdDateTime target.resource_ancestors.attribute.labels[pod_namespace_cluster_created_date_time]
evidence.pod.namespace.cluster.distribution target.resource_ancestors.attribute.labels[pod_namespace_cluster_distribution]
evidence.pod.namespace.cluster.name target.resource_ancestors.attribute.labels[pod_namespace_cluster_name]
evidence.pod.namespace.cluster.platform target.resource_ancestors.attribute.labels[pod_namespace_cluster_platform]
evidence.pod.namespace.cluster.remediationStatus target.resource_ancestors.attribute.labels[pod_namespace_cluster_remediation_status]
evidence.pod.namespace.cluster.remediationStatusDetails target.resource_ancestors.attribute.labels[pod_namespace_cluster_remediation_status_details]
evidence.pod.namespace.cluster.roles target.resource_ancestors.attribute.labels[pod_namespace_cluster_roles]
evidence.pod.namespace.cluster.tags target.resource_ancestors.attribute.labels[pod_namespace_cluster_tags]
evidence.pod.namespace.cluster.verdict target.resource_ancestors.attribute.labels[pod_namespace_cluster_verdict]
evidence.pod.namespace.cluster.version target.resource_ancestors.attribute.labels[pod_namespace_cluster_version]
evidence.pod.namespace.createdDateTime target.resource_ancestors.attribute.labels[pod_namespace_created_date_time]
evidence.pod.namespace.name target.resource_ancestors.attribute.labels[pod_namespace_name]
evidence.pod.namespace.remediationStatus target.resource_ancestors.attribute.labels[pod_namespace_remediation_status]
evidence.pod.namespace.remediationStatusDetails target.resource_ancestors.attribute.labels[pod_namespace_remediation_status_details]
evidence.pod.namespace.roles target.resource_ancestors.attribute.labels[pod_namespace_roles]
evidence.pod.namespace.tags target.resource_ancestors.attribute.labels[pod_namespace_tags]
evidence.pod.namespace.verdict target.resource_ancestors.attribute.labels[pod_namespace_verdict]
evidence.pod.podIp.countryLetterCode target.resource_ancestors.attribute.labels [pod_pod_ip_country_letter_code]
evidence.pod.podIp.ipAddress target.resource_ancestors.attribute.labels [pod_pod_ip_ip_address]
evidence.primaryAddress principal.user.email_addresses If the evidence.primaryAddress log field value matches the regular expression pattern ^.+@.+$, and if the title log field value does not contain one of the following values, then the evidence.primaryAddress log field is mapped to the principal.user.email_addresses UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.primaryAddress target.user.email_addresses If the evidence.primaryAddress log field value matches the regular expression pattern ^.+@.+$, and if the title log field value contain one of the following values, then the evidence.primaryAddress log field is mapped to the target.user.email_addresses UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.primaryAddress principal.user.attribute.labels[primary_address] If the evidence.primaryAddress log field value does not match the regular expression pattern ^.+@.+$, and if the title log field value does not contain one of the following values, then the evidence.primaryAddress log field is mapped to the principal.user.attribute.labels UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.primaryAddress target.user.attribute.labels[primary_address] If the evidence.primaryAddress log field value does not match the regular expression pattern ^.+@.+$, and if the title log field value contain one of the following values, then the evidence.primaryAddress log field is mapped to the target.user.attribute.labels UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.processCommandLine target.process.command_line
evidence.processCreationDateTime security_result.detection_fields [process_creation_date_time]
evidence.processId target.process.pid
  • The evidence.processId is mapped to target.process.pid when the following conditions are met:
    • The value in the evidence.@odata.type field value matches the regular expression pattern .*processEvidence
    • The value in the target.process.pid field value is empty.
  • The evidence.processId is mapped to about.process.pid when the following conditions are met:
    • The value in the evidence.@odata.type field value matches the regular expression pattern .*processEvidence
    • The value in the target.process.pid field value is not empty.
evidence.publisher target.resource_ancestors.attribute.labels[publisher]
evidence.query security_result.detection_fields[query]
evidence.rbacGroupId security_result.detection_fields[rbac_group_id]
evidence.rbacGroupName security_result.detection_fields[rbac_group_name]
evidence.receivedDateTime security_result.detection_fields[received_date_time]
evidence.recipientEmailAddress principal.network.email.to
evidence.registry.createdDateTime target.resource_ancestors.attribute.labels[registry_created_date_time]
evidence.registry.registry target.resource_ancestors.attribute.labels[registry_registry]
evidence.registry.remediationStatus target.resource_ancestors.attribute.labels[registry_remediation_status]
evidence.registry.remediationStatusDetails target.resource_ancestors.attribute.labels[registry_remediation_status_details]
evidence.registry.roles target.resource_ancestors.attribute.labels[registry_roles]
evidence.registry.tags target.resource_ancestors.attribute.labels[registry_tags]
evidence.registry.verdict target.resource_ancestors.attribute.labels[registry_verdict]
evidence.registry target.resource_ancestors.attribute.labels[registry]
evidence.registryHive security_result.detection_fields[registry_hive]
evidence.registryKey target.registry.registry_key
evidence.registryValue target.registry.registry_value_data
evidence.registryValueName target.registry.registry_value_name
evidence.registryValueType security_result.detection_fields [registry_value_type]
evidence.remediationStatus target.group.attribute.labels[remediation_status] If the evidence.@odata.type log field value matches the regular expression pattern .*securityGroupEvidence, then the evidence.remediationStatus log field is mapped to the target.group.attribute.labels UDM field.
evidence.remediationStatus target.resource_ancestors.attribute.labels[remediation_status]
evidence.remediationStatusDetails target.group.attribute.labels[remediation_status_details] If the evidence.@odata.type log field value matches the regular expression pattern .*securityGroupEvidence, then the evidence.remediationStatusDetails log field is mapped to the target.group.attribute.labels UDM field.
evidence.remediationStatusDetails target.resource_ancestors.attribute.labels[remediation_status_details]
evidence.riskScore security_result.detection_fields[risk_score]
evidence.saasAppId target.resource.attribute.labels[saas_app_id]
evidence.secretType target.resource_ancestors.attribute.labels[secret_type]
evidence.securityGroupId target.group.product_object_id If the evidence.@odata.type log field value matches the regular expression pattern .*securityGroupEvidence, then the evidence.securityGroupId log field is mapped to the target.group.product_object_id UDM field.
evidence.senderIp principal.ip
evidence.servicePorts.appProtocol about.security_result.detection_fields [service_ports_app_protocol]
evidence.servicePorts.name about.security_result.detection_fields [service_ports_name]
evidence.servicePorts.nodePort about.security_result.detection_fields [service_ports_node_port]
evidence.servicePorts.port about.port
evidence.servicePorts.protocol about.network.ip_protocol
evidence.servicePorts.targetPort about.security_result.detection_fields [service_ports_target_port]
evidence.serviceType target.resource_ancestors.attribute.labels[service_type]
evidence.storageResource.createdDateTime target.resource_ancestors.attribute.labels[storage_resource_created_date_time]
evidence.storageResource.detailedRoles target.resource_ancestors.attribute.labels[storage_resource_detailed_roles]
evidence.storageResource.remediationStatus target.resource_ancestors.attribute.labels[storage_resource_remediation_status]
evidence.storageResource.remediationStatusDetails target.resource_ancestors.attribute.labels[storage_resource_remediation_status_details]
evidence.storageResource.resourceId target.resource_ancestors.attribute.labels[storage_resource_resource_id]
evidence.storageResource.resourceName target.resource_ancestors.attribute.labels[storage_resource_resource_name]
evidence.storageResource.resourceType target.resource_ancestors.attribute.labels[storage_resource_resource_type]
evidence.storageResource.roles target.resource_ancestors.attribute.labels[storage_resource_roles]
evidence.storageResource.tags target.resource_ancestors.attribute.labels[storage_resource_tags]
evidence.storageResource.verdict target.resource_ancestors.attribute.labels[storage_resource_verdict]
evidence.subject principal.network.email.subject
evidence.threatDetectionMethods security_result.detection_fields[threat_detection_methods]
evidence.threats security_result.detection_fields[threats]
evidence.type security_result.detection_fields[type]
evidence.url target.url If the evidence.@odata.type log field value matches the regular expression pattern .*urlEvidence, then the evidence.url log field is mapped to the target.url UDM field.
evidence.url target.resource_ancestors.attribute.labels[url] If the evidence.@odata.type log field value matches the regular expression pattern .*blobContainerEvidence, then the evidence.url log field is mapped to the target.resource_ancestors.attribute.labels UDM field.
evidence.urlCount security_result.detection_fields[url_count]
evidence.urls security_result.detection_fields[urls]
evidence.urn security_result.detection_fields[urn]
evidence.userAccount.accountName principal.user.userid If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value does not contain one of the following values, then the evidence.userAccount.accountName log field is mapped to the principal.user.userid UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.accountName target.user.userid If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.userAccount.accountName log field is mapped to the target.user.userid UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.azureAdUserId principal.user.product_object_id If the title log field value does not contain one of the following values, then the evidence.userAccount.azureAdUserId log field is mapped to the principal.user.product_object_id UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.azureAdUserId target.user.product_object_id If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.userAccount.azureAdUserId log field is mapped to the target.user.product_object_id UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.displayName principal.user.user_display_name If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value does not contain one of the following values, then the evidence.userAccount.displayName log field is mapped to the principal.user.user_display_name UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.displayName target.user.user_display_name If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.userAccount.displayName log field is mapped to the target.user.user_display_name UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.domainName principal.administrative_domain If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value does not contain one of the following values, then the evidence.userAccount.domainName log field is mapped to the principal.administrative_domain UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.domainName target.administrative_domain If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.userAccount.domainName log field is mapped to the target.administrative_domain UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.userPrincipalName principal.user.email_addresses If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value does not contain one of the following values, then the evidence.userAccount.userPrincipalName log field is mapped to the principal.user.email_addresses UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.userPrincipalName target.user.email_addresses If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.userAccount.userPrincipalName log field is mapped to the target.user.email_addresses UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.userSid principal.user.windows_sid If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value does not contain one of the following values, then the evidence.userAccount.userSid log field is mapped to the principal.user.windows_sid UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.userAccount.userSid target.user.windows_sid If the evidence.@odata.type log field value matches the regular expression pattern (.*)(userEvidence or mailboxEvidence), and if the title log field value contain one of the following values, then the evidence.userAccount.userSid log field is mapped to the target.user.windows_sid UDM field.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
evidence.version principal.asset.platform_software.platform_version If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.osPlatform, evidence.version, evidence.osBuild log field is mapped to the principal.asset.platform_software.platform_version UDM field.
evidence.version principal.platform_version If the evidence.@odata.type log field value matches the regular expression pattern .*deviceEvidence, then the evidence.osPlatform, evidence.version, evidence.osBuild log field is mapped to the principal.platform_version UDM field.
evidence.version target.resource_ancestors.attribute.labels[version]
evidence.vmMetadata.cloudProvider principal.asset.attribute.labels[vm_metadata_cloud_provider]
evidence.vmMetadata.resourceId principal.asset.product_object_id
evidence.vmMetadata.subscriptionId principal.asset.attribute.labels[vm_metadata_subscription_id]
evidence.vmMetadata.vmId principal.asset.attribute.labels[vm_metadata_vm_id]
firstActivityDateTime security_result.first_discovered_time
id metadata.product_log_id
incidentId security_result.detection_fields[incident_id]
incidentWebUrl security_result.url_back_to_product
lastActivityDateTime security_result.last_discovered_time
lastUpdateDateTime security_result.last_updated_time
mitreTechniques security_result.attack_details.techniques.id
mitreTechniques security_result.attack_details.techniques.name
productName metadata.product_name
providerAlertId additional.fields[provider_alert_id]
recommendedActions security_result.action_details
resolvedDateTime security_result.detection_fields[resolved_date_time] If the resolvedDateTime log field value is not equal to null, then the resolvedDateTime log field is mapped to the security_result.detection_fields UDM field.
serviceSource additional.fields[service_source]
severity security_result.severity
status security_result.detection_fields[status]
systemTags security_result.detection_fields[system_tags] The systemTags log field is mapped to the security_result.detection_fields UDM field.
tenantId metadata.product_deployment_id
threatDisplayName security_result.threat_name If the threatDisplayName log field value is not equal to null, then the threatDisplayName log field is mapped to the security_result.threat_name UDM field.
threatFamilyName security_result.threat_feed_name If the threatFamilyName log field value is not equal to null, then the threatFamilyName log field is mapped to the security_result.threat_feed_name UDM field.
title security_result.rule_name
target.resource_ancestors.resource_type If the evidence.@odata.type log field value matches the regular expression pattern .*blobEvidence, then the target.resource_ancestors.resource_type UDM field is set to STORAGE_OBJECT.
evidence.blobContainer.storageResource.createdDateTime target.resource_ancestors.attribute.creation_time
evidence.blobContainer.storageResource.remediationStatus target.resource_ancestors.attribute.labels [pod_storage_resource_remediation_status]
evidence.blobContainer.storageResource.remediationStatusDetails target.resource_ancestors.attribute.labels [pod_storage_resource_remediation_status_details]
evidence.blobContainer.storageResource.resourceId target.resource_ancestors.product_object_id
evidence.blobContainer.storageResource.resourceName target.resource_ancestors.name
evidence.blobContainer.storageResource.resourceType target.resource_ancestors.resource_subtype
evidence.blobContainer.storageResource.verdict target.resource_ancestors.attribute.labels [pod_storage_resource_verdict]
evidence.category security_result.detection_fields[category]
evidence.destinationPort target.port
evidence.etag target.resource_ancestors.attribute.labels[etag]
evidence.files.createdDateTime security_result.detection_fields [files_created_date_time]
evidence.files.detectionStatus security_result.detection_fields [files_detection_status]
evidence.files.fileDetails.fileName target.file.names
evidence.files.fileDetails.filePath target.file.full_path
evidence.files.fileDetails.filePublisher security_result.detection_fields [files_file_details_file_publisher]
evidence.files.fileDetails.fileSize target.file.size
evidence.files.fileDetails.issuer security_result.detection_fields [files_file_details_issuer]
evidence.files.fileDetails.sha1 target.file.sha1
evidence.files.fileDetails.sha256 target.file.sha256
evidence.files.fileDetails.signer security_result.detection_fields [files_file_details_signer]
evidence.files.mdeDeviceId security_result.detection_fields [files_mde_device_id]
evidence.files.remediationStatus security_result.detection_fields [files_remediation_status]
evidence.files.remediationStatusDetails security_result.detection_fields [files_remediation_status_details]
evidence.files.verdict security_result.detection_fields [files_verdict]
evidence.fullResourceName target.resource_ancestors.attribute.labels[full_resource_name]
evidence.imageId target.resource_ancestors.attribute.labels[image_id]
evidence.protocol network.ip_protocol
evidence.sourceAddress.countryLetterCode security_result.detection_fields[source_address_country_letter_code]
evidence.sourceAddress.createdDateTime security_result.detection_fields[source_address_created_date_time]
evidence.sourceAddress.ipAddress security_result.about.ip
evidence.sourceAddress.location.city security_result.about.location.city
evidence.sourceAddress.location.countryName security_result.about.location.name
evidence.sourceAddress.location.latitude security_result.about.location.region_coordinates.latitude
evidence.sourceAddress.location.longitude security_result.about.location.region_coordinates.longitude
evidence.sourceAddress.location.state security_result.about.location.state
evidence.sourceAddress.remediationStatus security_result.detection_fields[source_address_remediation_status]
evidence.sourceAddress.remediationStatusDetails security_result.detection_fields[source_address_remediation_status_details]
evidence.sourceAddress.stream security_result.detection_fields[source_address_stream]
evidence.sourceAddress.verdict security_result.detection_fields[source_address_verdict]
evidence.sourcePort principal.port
evidence.stream.name target.resource.attribute.labels[stream_name]
evidence.algorithm security_result.detection_fields[algorithm]
evidence.value security_result.detection_fields[value]
evidence.lastExternalIpAddress principal.asset.attribute.labels[last_external_ip_address]
security_result.action If the title log field value matches the regular expression pattern (malware was blocked or Unsanctioned cloud app access was blocked or Activity from an anonymous proxy or Network - NT - Possible Ursnif/Gozi Phish or Network - SSH Potential Brute Force or Multiple failed login attempts or Brute force attack against Azure Portal or Block download based on real-time content inspection), then the security_result.action UDM field is set to BLOCK.

Else, If the title log field value matches the regular expression pattern (Failed SSH brute force attack), then the security_result.action UDM field is set to FAIL.

Else, If the title log field value contain one of the following values, then the security_result.action UDM field is set to ALLOW.
  • Mass delete
  • Multiple delete VM activities
metadata.vendor_name The metadata.vendor_name UDM field is set to Microsoft.
principal.hostname The src_host field is extracted from description log field using the Grok pattern and the src_host extracted field is mapped to the principal.hostname UDM field.
principal.asset.hostname The src_host field is extracted from description log field using the Grok pattern and the src_host extracted field is mapped to the principal.asset.hostname UDM field.
extensions.auth.type If the title log field value contain one of the following values, then the extensions.auth.type UDM field is set to AUTHTYPE_UNSPECIFIED.
  • Malware linked IP address
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Anonymous IP address
  • Verified threat actor IP
  • Suspected Brute Force attack (LDAP)
  • Suspected Brute Force attack (Kerberos, NTLM)
  • Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate
  • Suspected DFSCoerce attack using Distributed File System Protocol
  • Multiple failed login attempts
  • Activity from a TOR IP address
  • Anomalous SSH login detected
  • Azure High Risk User account - Signin
  • Brute force attack against Azure Portal
  • Identity - Attempts to sign in to disabled accounts
  • Network - SSH Potential Brute Force
  • A logon from a malicious IP has been detected. [seen multiple times]
  • Successful brute force attack
  • Failed SSH brute force attack
  • Successful SSH brute force attack
  • Attempted logon by a potentially harmful application
  • Log on from an unusual Azure Data Center
  • Log on from an unusual location
  • Login from a principal user not seen in 60 days
  • Login from a domain not seen in 60 days
  • Login from a suspicious IP
  • Suspected brute force attack using a valid user
  • Suspected brute force attack
  • Suspected successful brute force attack
  • Logon from an unusual cloud provider
  • Logon by an unfamiliar principal
network.application_protocol If the title log field value is equal to Network - Rare RDP Connections, then the network.application_protocol UDM field is set to RDP.
idm.is_alert The idm.is_alert UDM field is set to True.
idm.is_significant The idm.is_significant UDM field is set to True.
security_result.alert_state The security_result.alert_state UDM field is set to ALERTING.
security_result.attack_details.tactics.name If the title log field value contain one of the following values, then the security_result.attack_details.techniques.id UDM field is set to T1530 and T1567 values and the security_result.attack_details.tactics.name UDM field is set to Exfiltration.
  • Mass download by a single user
  • Mass delete
  • Mass share
  • Data exfiltration to an app that is not sanctioned
Else, If the title log field value contain one of the following values, then the security_result.attack_details.techniques.id UDM field is set to T1078.
  • Activity by terminated user
  • Suspicious administrative activity
  • UserAccessAdministrator-Flag
Else, If the title log field value contain one of the following values, then the security_result.attack_details.techniques.id UDM field is set to T1090.
  • Activity from a Tor IP address
  • Activity from infrequent country
  • Impossible travel activity
  • Login from unfriendly country
Else, If the title log field value contain one of the following values, then the security_result.attack_details.techniques.id UDM field is set to T1098.
  • Add user to GitHub repo
  • OAuth Application granted Sharepoint Sites.ReadWrite.All exessive permission
  • Role added or removed from a User
  • Unusual addition of credentials to an OAuth app
Else, If the title log field value contain one of the following values, then the security_result.attack_details.techniques.id UDM field is set to T1589.
  • IR - Multiple failed user log on attempts to an app within 2 minutes
  • Multiple failed login attempts
  • Multiple failed user logon attempts to a service
Else, If the title log field value is equal to Failed login for admin account, then the security_result.attack_details.techniques.id UDM field is set to T1589 and the security_result.attack_details.techniques.id UDM field is set to T1110 and the security_result.attack_details.tactics.name UDM field is set to CredentialAccess.

Else, If the title log field value is equal to New risky app, then the security_result.attack_details.techniques.id UDM field is set to T1199.

Else, If the title log field value is equal to Creation of forwarding/redirect rule, then the security_result.attack_details.techniques.id UDM field is set to T1137.

If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Reconnaissance.
  • T1595
  • T1592
  • T1589
  • T1590
  • T1591
  • T1598
  • T1597
  • T1596
  • T1593
  • T1594
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to ResourceDevelopment.
  • T1583
  • T1586
  • T1584
  • T1587
  • T1585
  • T1588
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to InitialAccess.
  • T1189
  • T1190
  • T1133
  • T1200
  • T1566
  • T1091
  • T1195
  • T1199
  • T1078
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Execution.
  • T1059
  • T1203
  • T1559
  • T1106
  • T1053
  • T1129
  • T1072
  • T1569
  • T1204
  • T1047
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Persistence.
  • T1098
  • T1197
  • T1547
  • T1037
  • T1176
  • T1554
  • T1136
  • T1543
  • T1546
  • T1133
  • T1574
  • T1525
  • T1137
  • T1542
  • T1053
  • T1505
  • T1205
  • T1078
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to PrivilegeEscalation.
  • T1548
  • T1134
  • T1547
  • T1037
  • T1543
  • T1484
  • T1546
  • T1068
  • T1574
  • T1055
  • T1053
  • T1078
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to DefenseEvasion.
  • T1548
  • T1134
  • T1197
  • T1140
  • T1006
  • T1484
  • T1480
  • T1211
  • T1222
  • T1564
  • T1574
  • T1562
  • T1070
  • T1202
  • T1036
  • T1556
  • T1578
  • T1112
  • T1601
  • T1599
  • T1027
  • T1542
  • T1055
  • T1207
  • T1014
  • T1218
  • T1216
  • T1553
  • T1221
  • T1205
  • T1127
  • T1535
  • T1550
  • T1078
  • T1497
  • T1600
  • T1220
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to CredentialAccess.
  • T1110
  • T1555
  • T1212
  • T1187
  • T1606
  • T1056
  • T1557
  • T1556
  • T1040
  • T1003
  • T1528
  • T1558
  • T1539
  • T1111
  • T1552
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Discovery.
  • T1087
  • T1010
  • T1217
  • T1580
  • T1538
  • T1526
  • T1482
  • T1083
  • T1046
  • T1135
  • T1040
  • T1201
  • T1120
  • T1069
  • T1057
  • T1012
  • T1018
  • T1518
  • T1082
  • T1016
  • T1049
  • T1033
  • T1007
  • T1124
  • T1497
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to LateralMovement.
  • T1210
  • T1534
  • T1570
  • T1563
  • T1021
  • T1091
  • T1072
  • T1080
  • T1550
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Collection.
  • T1560
  • T1123
  • T1119
  • T1115
  • T1530
  • T1602
  • T1213
  • T1005
  • T1039
  • T1025
  • T1074
  • T1114
  • T1056
  • T1185
  • T1557
  • T1113
  • T1125
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to CommandAndControl.
  • T1071
  • T1092
  • T1132
  • T1001
  • T1568
  • T1573
  • T1008
  • T1105
  • T1104
  • T1095
  • T1571
  • T1572
  • T1090
  • T1219
  • T1205
  • T1102
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Exfiltration.
  • T1020
  • T1030
  • T1048
  • T1041
  • T1011
  • T1052
  • T1567
  • T1029
  • T1537
If the mitre_technique_data.id log field value contain one of the following values, then the security_result.attack_details.tactics.name UDM field is set to Impact.
  • T1531
  • T1485
  • T1486
  • T1565
  • T1491
  • T1561
  • T1499
  • T1495
  • T1490
  • T1498
  • T1496
  • T1489
  • T1529

다음 단계