Muokkaa

Jaa


CommonSecurityLog

This table is for collecting events in the Common Event Format, that are most often sent from different security appliances such as Check Point, Palo Alto and more.

Table attributes

Attribute Value
Resource types microsoft.securityinsights/cef,
microsoft.compute/virtualmachines,
microsoft.conenctedvmwarevsphere/virtualmachines,
microsoft.azurestackhci/virtualmachines,
microsoft.scvmm/virtualmachines,
microsoft.compute/virtualmachinescalesets
Categories Security
Solutions Security, SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries Yes

Columns

Column Type Description
Activity string A string that represents a human-readable and understandable description of the event.
AdditionalExtensions string A placeholder for additional fields. Fields are logged as key-value pairs.
ApplicationProtocol string The protocol used in the application, such as HTTP, HTTPS, SSHv2, Telnet, POP, IMPA, IMAPS, and so on.
_BilledSize real The record size in bytes
CollectorHostName string The hostname of the collector machine running the agent.
CommunicationDirection string Any information about the direction the observed communication has taken. Valid values: 0 = Inbound, 1 = Outbound.
Computer string Host, from Syslog.
DestinationDnsDomain string The DNS part of the fully-qualified domain name (FQDN).
DestinationHostName string The destination that the event refers to in an IP network. The format should be an FQDN associated with the destination node, when a node is available. For example: host.domain.com or host.
DestinationIP string The destination IpV4 address that the event refers to in an IP network.
DestinationMACAddress string The destination MAC address (FQDN).
DestinationNTDomain string The Windows domain name of the destination address.
DestinationPort int Destination port. Valid values: 0 - 65535.
DestinationProcessId int The ID of the destination process associated with the event.
DestinationProcessName string The name of the event's destination process, such as telnetd or sshd.
DestinationServiceName string The service that is targeted by the event. For example: sshd.
DestinationTranslatedAddress string Identifies the translated destination referred to by the event in an IP network, as an IPv4 IP address.
DestinationTranslatedPort int Port after translation, such as a firewall Valid port numbers: 0 - 65535.
DestinationUserID string Identifies the destination user by ID. For example: in Unix, the root user is generally associated with the user ID 0.
DestinationUserName string Identifies the destination user by name.
DestinationUserPrivileges string Defines the destination use's privileges. Valid values: Admninistrator, User, Guest.
DeviceAction string The action mentioned in the event.
DeviceAddress string The IPv4 address of the device generating the event.
DeviceCustomDate1 string One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomDate1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomDate2 string One of two timestamp fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomDate2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint1 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint2 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint3 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomFloatingPoint4 real One of four floating point fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomFloatingPoint4Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address1 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address2 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address3 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomIPv6Address4 string One of four IPv6 address fields available to map fields that do not apply to any other in this dictionary.
DeviceCustomIPv6Address4Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomNumber1 int Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber1.
DeviceCustomNumber1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomNumber2 int Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber2.
DeviceCustomNumber2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomNumber3 int Soon to be a deprecated field. Will be replaced by FieldDeviceCustomNumber3.
DeviceCustomNumber3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString1 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString1Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString2 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString2Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString3 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString3Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString4 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString4Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString5 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString5Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceCustomString6 string One of six strings available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible.
DeviceCustomString6Label string All custom fields have a corresponding label field. Each of these fields is a string and describes the purpose of the custom field.
DeviceDnsDomain string The DNS domain part of the full qualified domain name (FQDN).
DeviceEventCategory string Represents the category assigned by the originating device. Devices often use their own categorization schema to classify event. Example: '/Monitor/Disk/Read'.
DeviceEventClassID string String or integer that serves as a unique identifier per event type.
DeviceExternalID string A name that uniquely identifies the device generating the event.
DeviceFacility string The facility generating the event. For example: auth or local1.
DeviceInboundInterface string The interface on which the packet or data entered the device. For example: ethernet1/2.
DeviceMacAddress string The MAC address of the device generating the event.
DeviceName string The FQDN associated with the device node, when a node is available. For example: host.domain.com or host.
DeviceNtDomain string The Windows domain of the device address.
DeviceOutboundInterface string Interface on which the packet or data left the device.
DevicePayloadId string Unique identifier for the payload associated with the event.
DeviceProduct string String that together with device product and version definitions, uniquely identifies the type of sending device.
DeviceTimeZone string Timezone of the device generating the event.
DeviceTranslatedAddress string Identifies the translated device address that the event refers to, in an IP network. The format is an Ipv4 address.
DeviceVendor string String that together with device product and version definitions, uniquely identifies the type of sending device.
DeviceVersion string String that together with device product and version definitions, uniquely identifies the type of sending device.
EndTime datetime The time at which the activity related to the event ended.
EventCount int A count associated with the event, showing how many times the same event was observed.
EventOutcome string Displays the outcome, usually as 'success' or 'failure'.
EventType int Event type. Value values include: 0: base event, 1: aggregated, 2: correlation event, 3: action event. Note: This event can be omitted for base events.
ExternalID int Soon to be a deprecated field. Will be replaced by ExtID.
ExtID string An ID used by the originating device (will replace legacy ExternalID). Typically, these values have increasing values that are each associated with an event.
FieldDeviceCustomNumber1 long One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber1). Use sparingly and seek a more specific, dictionary supplied field when possible.
FieldDeviceCustomNumber2 long One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber2). Use sparingly and seek a more specific, dictionary supplied field when possible.
FieldDeviceCustomNumber3 long One of three number fields available to map fields that do not apply to any other in this dictionary (will replace legacy DeviceCustomNumber3). Use sparingly and seek a more specific, dictionary supplied field when possible.
FileCreateTime string Time when the file was created.
FileHash string Hash of a file.
FileID string An ID associated with a file, such as the inode.
FileModificationTime string Time when the file was last modified.
FileName string The file's name, without the path.
FilePath string Full path to the file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip.
FilePermission string The file's permissions. For example: '2,1,1'.
FileSize int The size of the file in bytes.
FileType string File type, such as pipe, socket, and so on.
FlexDate1 string A timestamp field available to map a timestamp that does not apply to any other defined timestamp field in this dictionary. Use all flex fields sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
FlexDate1Label string The label field is a string and describes the purpose of the flex field.
FlexNumber1 int Number fields available to map Int data that does not apply to any other field in this dictionary.
FlexNumber1Label string The label that describes the value in FlexNumber1
FlexNumber2 int Number fields available to map Int data that does not apply to any other field in this dictionary.
FlexNumber2Label string The label that describes the value in FlexNumber2
FlexString1 string One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
FlexString1Label string The label field is a string and describes the purpose of the flex field.
FlexString2 string One of four floating point fields available to map fields that do not apply to any other in this dictionary. Use sparingly and seek a more specific, dictionary supplied field when possible. These fields are typically reserved for customer use and should not be set by vendors unless necessary.
FlexString2Label string The label field is a string and describes the purpose of the flex field.
IndicatorThreatType string The threat type of the MaliciousIP according to our TI feed.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
LogSeverity string A string or integer that describes the importance of the event. Valid string values: Unknown , Low, Medium, High, Very-High Valid integer values are: 0-3 = Low, 4-6 = Medium, 7-8 = High, 9-10 = Very-High.
MaliciousIP string If one of the IP in the message was correlate with the current TI feed we have it will show up here.
MaliciousIPCountry string The country of the MaliciousIP according to the GEO information at the time of the record ingestion.
MaliciousIPLatitude real The Latitude of the MaliciousIP according to the GEO information at the time of the record ingestion.
MaliciousIPLongitude real The Longitude of the MaliciousIP according to the GEO information at the time of the record ingestion.
Message string A message that gives more details about the event.
OldFileCreateTime string Time when the old file was created.
OldFileHash string Hash of the old file.
OldFileID string And ID associated with the old file, such as the inode.
OldFileModificationTime string Time when the old file was last modified.
OldFileName string Name of the old file.
OldFilePath string Full path to the old file, including the filename. For example: C:\ProgramFiles\WindowsNT\Accessories\wordpad.exe or /usr/bin/zip.
OldFilePermission string Permissions of the old file. For example: '2,1,1'.
OldFileSize int The size of the old file in bytes.
OldFileType string File type of the old file, such as a pipe, socket, and so on.
OriginalLogSeverity string A non-mapped version of LogSeverity. For example: Warning/Critical/Info insted of the normilized Low/Medium/High in the LogSeverity Field
ProcessID int Defines the ID of the process on the device generating the event.
ProcessName string Process name associated with the event. For example: in UNIX, the process generating the syslog entry.
Protocol string Transport protocol that identifies the Layer-4 protocol used. Possible values include protocol names, such as TCP or UDP.
Reason string The reason an audit event was generated. For example 'bad password' or 'unknown user'. This could also be an error or return code. Example: '0x1234'.
ReceiptTime string The time at which the event related to the activity was received. Different then the 'Timegenerated' field, which is when the event was recieved in the log collector machine.
ReceivedBytes long Number of bytes transferred inbound.
RemoteIP string The remote IP address, derived from the event's direction value, if possible.
RemotePort string The remote port, derived from the event's direction value, if possible.
ReportReferenceLink string Link to the report of the TI feed.
RequestClientApplication string The user agent associated with the request.
RequestContext string Describes the content from which the request originated, such as the HTTP Referrer.
RequestCookies string Cookies associated with the request.
RequestMethod string The method used to access a URL. Valid values include methods such as POST, GET, and so on.
RequestURL string The URL accessed for an HTTP request, including the protocol. For example: http://www/secure.com.
_ResourceId string A unique identifier for the resource that the record is associated with
SentBytes long Number of bytes transferred outbound.
SimplifiedDeviceAction string A mapped version of DeviceAction, such as Denied > Deny.
SourceDnsDomain string The DNS domain part of the complete FQDN.
SourceHostName string Identifies the source that event refers to in an IP network. Format should be a fully qualified domain name (DQDN) associated with the source node, when a node is available. For example: host or host.domain.com.
SourceIP string The source that an event refers to in an IP network, as an IPv4 address.
SourceMACAddress string Source MAC address.
SourceNTDomain string The Windows domain name for the source address.
SourcePort int The source port number. Valid port numbers are 0 - 65535.
SourceProcessId int The ID of the source process associated with the event.
SourceProcessName string The name of the event's source process.
SourceServiceName string The service responsible for generating the event.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
SourceTranslatedAddress string Identifies the translated source that the event refers to in an IP network.
SourceTranslatedPort int Source port after translation, such as a firewall. Valid port numbers are 0 - 65535.
SourceUserID string Identifies the source user by ID.
SourceUserName string Identifies the source user by name. Email addresses are also mapped into the UserName fields. The sender is a candidate to put into this field.
SourceUserPrivileges string The source user's privileges. Valid values include: Administrator, User, Guest.
StartTime datetime The time when the activity that the event refers to started.
_SubscriptionId string A unique identifier for the subscription that the record is associated with
TenantId string The Log Analytics workspace ID
ThreatConfidence string The threat confidence of the MaliciousIP according to our TI feed.
ThreatDescription string The threat description of the MaliciousIP according to our TI feed.
ThreatSeverity int The threat severity of the MaliciousIP according to our TI feed at the time of the record ingestion.
TimeGenerated datetime Event collection time in UTC.
Type string The name of the table