Anomalies

This table contains anomalies generated by the active Anomaly analytics rules in Microsoft Sentinel (formerly Azure Sentinel). Each row is one anomaly, with the rule and template that produced it, the entities it involves, a score, and the MITRE ATT&CK tactics and techniques it maps to.

Categories

  • Security

Solutions

  • Microsoft Sentinel

Columns

Column Type Description
ActivityInsights dynamic Insights about the activities corresponding to the generated anomaly as JSON.
AnomalyDetails dynamic JSON object containing general information about the rule and algorithm that generated the anomaly as well as explanations for the anomaly.
AnomalyReasons dynamic The detailed explanation of the generated anomaly as JSON.
AnomalyTemplateId string The ID of the Anomaly template that generated this anomaly.
AnomalyTemplateName string The name of the Anomaly template that generated this anomaly.
AnomalyTemplateVersion string The version of the Anomaly template that generated this anomaly.
Description string The description of the anomaly.
DestinationDevice string The destination device for which the anomaly was generated.
DestinationIpAddress string The destination IP address for which the anomaly was generated.
DestinationLocation dynamic Info about the destination location for which the anomaly was generated as JSON.
DeviceInsights dynamic Insights about the devices corresponding to the generated anomaly as JSON.
EndTime datetime The time (UTC) when the anomaly ended.
Entities dynamic JSON object containing all entities involved in the generated anomaly.
ExtendedLinks dynamic List of links pointing to the data that generated the anomaly.
ExtendedProperties dynamic JSON object with additional data on the anomaly as key-value pairs.
Id string The ID of the generated anomaly.
RuleConfigVersion string The configuration version of the Anomaly analytics rule that generated this anomaly.
RuleId string The ID of the Anomaly analytics rule that generated this anomaly.
RuleName string The name of the Anomaly analytics rule that generated this anomaly.
RuleStatus string The status (Flighting/Production) of the Anomaly analytics rule that generated this anomaly.
Score real The score of the anomaly.
SourceDevice string The source device for which the anomaly was generated.
SourceIpAddress string The source IP address for which the anomaly was generated.
SourceLocation dynamic Info about the source location for which the anomaly was generated as JSON.
SourceSystem string
StartTime datetime The time (UTC) when the anomaly started.
Tactics string List of MITRE ATT&CK tactics (strings) corresponding to the anomaly.
Techniques string List of MITRE ATT&CK techniques (strings) corresponding to the anomaly.
TenantId string The Log Analytics workspace ID.
TimeGenerated datetime The timestamp (UTC) of when the anomaly was generated.
Type string The name of the table.
UserInsights dynamic Insights about the users corresponding to the generated anomaly as JSON.
UserName string The username for which the anomaly was generated.
UserPrincipalName string The UPN of the user for which the anomaly was generated.
VendorName string The name of the vendor that generated this anomaly.
WorkspaceId string The ID of the Sentinel workspace.
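Anomalies are intentionally low-fidelity on their own, so the usual way to consume this table is to filter out rules that are still Flighting, apply a score floor, and cluster anomalies per entity. The query below is an added example written for this page, not Microsoft's own content or a built-in rule: it lists users who were flagged by two or more different Production anomaly templates within 24 hours. The 24h window, the 0.6 score floor, the two-template threshold, and the use of `has` to match a tactic name inside the Tactics string are illustrative assumptions, not values taken from the page.

```kql
// Added example (not part of the original page): users hit by several distinct
// Production-status anomaly templates in a short window.
// Assumptions: lookback, minScore and the >= 2 template threshold are tuning
// choices; matching a tactic with `has` assumes the tactic name appears as a
// whole term inside the Tactics string.
let lookback = 24h;
let minScore = 0.6;
Anomalies
| where TimeGenerated > ago(lookback)
| where RuleStatus == "Production"        // Flighting rules are still being evaluated
| where Score >= minScore
| where isnotempty(UserPrincipalName)
| summarize
    AnomalyCount = count(),
    Templates    = make_set(AnomalyTemplateName),
    Rules        = make_set(RuleName),
    TacticsSeen  = make_set(Tactics),
    SourceIps    = make_set(SourceIpAddress, 10),  // cap the set at 10 addresses
    MaxScore     = max(Score),
    FirstSeen    = min(StartTime),
    LastSeen     = max(EndTime),
    AnomalyIds   = make_list(Id)                   // keep Ids for pivoting to full rows
    by UserPrincipalName
| where array_length(Templates) >= 2
// Flag clusters that include a credential-access tactic for faster triage
| extend CredentialAccessSeen = tostring(TacticsSeen) has "CredentialAccess"
| order by CredentialAccessSeen desc, MaxScore desc, AnomalyCount desc
```

Run this in Logs against the Sentinel workspace, or use it as the body of a scheduled analytics rule with UserPrincipalName mapped to the Account entity. To pivot from a result back to the underlying anomaly, filter the Anomalies table on the Id values in AnomalyIds and inspect AnomalyReasons, Entities and ExtendedLinks.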