Microsoft 365 Defender Blog articles

Microsoft 365 Defender Blog articles

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/bg-p/MicrosoftThreatProtectionBlog

Microsoft 365 Defender Blog articles

Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability

Published

Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability

Microsoft 365 Defender Streaming API: Identity and CloudApp events now in General Availability

 

We're happy to share that Microsoft 365 Defender Streaming API support for the following event types (tables) is General Availability:

  • Identity events
    • IdentityLogonEvents
    • IdentityQueryEvents
    • IdentityDirectoryEvents
  • CloudAppEvents

These new event types enable automating queries and enrichment about user accounts, on-premises and online services authentication activities, and queries about Active Directory objects and cloud app and identity-related events, significantly extending custom enrichment and analytics possibilities from endpoint and email to identity and cloud apps.

 

Identity use cases and queries that are now possible include account brute force attempts, credential access/dump attempts, reconnaissance and discovery activities, sensitive Active Directory group modification, sensitive LDAP queries, and much more.

 

Cloud app use cases and queries include cloud service-based exfiltration attempts such as adding mail permissions to applications, changing ADFS trust settings and other techniques - many of which have been used by actors.

 

Here are some links to related blogs about these tables being added to Microsoft 365 Defender Advanced Hunting that go deeper into queries and use cases these event types enable:

 

These event types are also now available in Microsoft Sentinel - for more information see:

 

Here are the Event Types/Tables' schemas for easy access (event type titles link directly to the respective online documentation):

 

IdentityLogonEvents

The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.

 

Column name

Data type

Description

Timestamp

datetime

Date and time when the event was recorded

ActionType

string

Type of activity that triggered the event. See the in-portal schema reference for details

Application

string

Application that performed the recorded action

LogonType

string

Type of logon session, specifically:

  • Interactive: User physically interacts with the machine using the local keyboard and screen
  • Remote interactive (RDP): User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients
  • Network: Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed
  • Batch: Session initiated by scheduled tasks
  • Service: Session initiated by services as they start

Protocol

string

Network protocol used

FailureReason

string

Information explaining why the recorded action failed

AccountName

string

User name of the account

AccountDomain

string

Domain of the account

AccountUpn

string

User principal name (UPN) of the account

AccountSid

string

Security Identifier (SID) of the account

AccountObjectId

string

Unique identifier for the account in Azure AD

AccountDisplayName

string

Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname.

DeviceName

string

Fully qualified domain name (FQDN) of the device

DeviceType

string

Type of device

OSPlatform

string

Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, etc.

IPAddress

string

IP address assigned to the endpoint and used during related network communications

Port

string

TCP port used during communication

DestinationDeviceName

string

Name of the device running the server application that processed the recorded action

DestinationIPAddress

string

IP address of the device running the server application that processed the recorded action

DestinationPort

string

Destination port of related network communications

TargetDeviceName

string

Fully qualified domain name (FQDN) of the device that the recorded action was applied to

TargetAccountDisplayName

string

Display name of the account that the recorded action was applied to

Location

string

City, country, or other geographic location associated with the event

Isp

string

Internet service provider (ISP) associated with the endpoint IP address

ReportId

long

Unique identifier for the event

AdditionalFields

string

Additional information about the entity or event


IdentityQueryEvents

The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains.

 

Column name

Data type

Description

Timestamp

datetime

Date and time when the event was recorded

ActionType

string

Type of activity that triggered the event. See the in-portal schema reference for details

Application

string

Application that performed the recorded action

QueryType

string

Type of query, such as QueryGroup, QueryUser, or EnumerateUsers

QueryTarget

string

Name of user, group, device, domain, or any other entity type being queried

Query

string

String used to run the query

Protocol

string

Protocol used during the communication

AccountName

string

User name of the account

AccountDomain

string

Domain of the account

AccountUpn

string

User principal name (UPN) of the account

AccountSid

string

Security Identifier (SID) of the account

AccountObjectId

string

Unique identifier for the account in Azure AD

AccountDisplayName

string

Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname.

DeviceName

string

Fully qualified domain name (FQDN) of the endpoint

IPAddress

string

IP address assigned to the endpoint and used during related network communications

Port

string

TCP port used during communication

DestinationDeviceName

string

Name of the device running the server application that processed the recorded action

DestinationIPAddress

string

IP address of the device running the server application that processed the recorded action

DestinationPort

string

Destination port of related network communications

TargetDeviceName

string

Fully qualified domain name (FQDN) of the device that the recorded action was applied to

TargetAccountUpn

string

User principal name (UPN) of the account that the recorded action was applied to

TargetAccountDisplayName

string

Display name of the account that the recorded action was applied to

Location

string

City, country, or other geographic location associated with the event

ReportId

long

Unique identifier for the event

AdditionalFields

string

Additional information about the entity or event

 

IdentityDirectoryEvents

The IdentityDirectoryEvents table in the advanced hunting schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity.

 

Column name

Data type

Description

Timestamp

datetime

Date and time when the event was recorded

ActionType

string

Type of activity that triggered the event. See the in-portal schema reference for details

Application

string

Application that performed the recorded action

TargetAccountUpn

string

User principal name (UPN) of the account that the recorded action was applied to

TargetAccountDisplayName

string

Display name of the account that the recorded action was applied to

TargetDeviceName

string

Fully qualified domain name (FQDN) of the device that the recorded action was applied to

DestinationDeviceName

string

Name of the device running the server application that processed the recorded action

DestinationIPAddress

string

IP address of the device running the server application that processed the recorded action

DestinationPort

string

Destination port of the activity

Protocol

string

Protocol used during the communication

AccountName

string

User name of the account

AccountDomain

string

Domain of the account

AccountUpn

string

User principal name (UPN) of the account

AccountSid

string

Security Identifier (SID) of the account

AccountObjectId

string

Unique identifier for the account in Azure Active Directory

AccountDisplayName

string

Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname.

DeviceName

string

Fully qualified domain name (FQDN) of the device

IPAddress

string

IP address assigned to the device during communication

Port

string

TCP port used during communication

Location

string

City, country, or other geographic location associated with the event

ISP

string

Internet service provider associated with the IP address

ReportId

long

Unique identifier for the event

AdditionalFields

string

Additional information about the entity or event

 

CloudAppEvents

The CloudAppEvents table in the advanced hunting schema contains information about activities in various cloud apps and services covered by Microsoft Defender for Cloud Apps.

 

Column name

Data type

Description

Timestamp

datetime

Date and time when the event was recorded

ActionType

string

Type of activity that triggered the event

Application

string

Application that performed the recorded action

ApplicationId

string

Unique identifier for the application

AccountObjectId

string

Unique identifier for the account in Azure Active Directory

AccountId

string

An identifier for the account as found by Microsoft Defender for Cloud Apps. Can be Azure Active Directory ID, user principal name, or other identifiers.

AccountDisplayName

string

Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname.

IsAdminOperation

string

Indicates whether the activity was performed by an administrator

DeviceType

string

Type of device based on purpose and functionality, such as "Network device", "Workstation", "Server", "Mobile", "Gaming console", or "Printer"

OSPlatform

string

Platform of the operating system running on the device. This column indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, etc.

IPAddress

string

IP address assigned to the endpoint and used during related network communications

IsAnonymousProxy

string

Indicates whether the IP address belongs to a known anonymous proxy

CountryCode

string

Two-letter code indicating the country where the client IP address is geolocated

City

string

City where the client IP address is geolocated

Isp

string

Internet service provider (ISP) associated with the IP address

UserAgent

string

User agent information from the web browser or other client application

ActivityType

string

Type of activity that triggered the event

ActivityObjects

dynamic

List of objects, such as files or folders, that were involved in the recorded activity

ObjectName

string

Name of the object that the recorded action was applied to

ObjectType

string

Type of object, such as a file or a folder, that the recorded action was applied to

ObjectId

string

Unique identifier of the object that the recorded action was applied to

ReportId

string

Unique identifier for the event

RawEventData

string

Raw event information from the source application or service in JSON format

AdditionalFields

dynamic

Additional information about the entity or event

AccountType

string

Type of user account, indicating its general role and access levels, such as Regular, System, Admin, DcAdmin, System, Application

IsExternalUser

boolean

Indicates whether a user inside the network doesn't belong to the organization's domain

IsImpersonated

boolean

Indicates whether the activity was performed by one user for another (impersonated) user

IPTags

dynamic

Customer-defined information applied to specific IP addresses and IP address ranges

IPCategory

string

Additional information about the IP address

UserAgentTags

dynamic

More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Possible values: Native client, Outdated browser, Outdated operating system, Robot

 

We would love to hear your feedback about these additions to Microsoft 365 Defender Streaming API: how you're making use of them, what scenarios they enable, and anything else you would like to share by emailing [email protected].

 

Microsoft 365 Defender API team

Continue to website...

More from Microsoft 365 Defender Blog articles

Related Posts