{ "cells": [ { "cell_type": "markdown", "metadata": { "toc": true }, "source": [ "
\n", " | type | \n", "properties.Category | \n", "properties.DisplayName | \n", "properties.Query | \n", "properties.Version | \n", "properties.Tags | \n", "properties.FunctionAlias | \n", "properties.FunctionParameters | \n", "
---|---|---|---|---|---|---|---|---|
2 | \n", "Microsoft.OperationalInsights/savedSearches | \n", "Hunting Queries | \n", "Powershell | \n", "SecurityEvent\\r\\n| where ParentProcessName con... | \n", "2 | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
5 | \n", "Microsoft.OperationalInsights/savedSearches | \n", "Hunting Queries | \n", "Anomalous AAD Account Creation | \n", "\\nBehaviorAnalytics\\n| where ActionType == \"Ad... | \n", "2 | \n", "[{'Name': 'description', 'Value': ''}, {'Name'... | \n", "NaN | \n", "NaN | \n", "
7 | \n", "Microsoft.OperationalInsights/savedSearches | \n", "Hunting Queries | \n", "Entropy for Processes for a given Host | \n", "\\n// May need to reduce the number of days if ... | \n", "2 | \n", "[{'Name': 'description', 'Value': ''}, {'Name'... | \n", "NaN | \n", "NaN | \n", "
9 | \n", "Microsoft.OperationalInsights/savedSearches | \n", "Hunting Queries | \n", "RareDNSLookupWithDataTransfer | \n", "\\nlet lookbackint = 7;\\nlet lookupThreshold = ... | \n", "2 | \n", "[{'Name': 'description', 'Value': ''}, {'Name'... | \n", "NaN | \n", "NaN | \n", "
12 | \n", "Microsoft.OperationalInsights/savedSearches | \n", "Hunting Queries | \n", "Least Common Processes by Command Line | \n", "\\nlet Allowlist = dynamic (['foo.exe', 'baz.ex... | \n", "2 | \n", "[{'Name': 'description', 'Value': ''}, {'Name'... | \n", "NaN | \n", "NaN | \n", "
\n", " | TimeGenerated | \n", "EventID | \n", "Computer | \n", "SubjectUserSid | \n", "Account | \n", "Weight | \n", "AdjustedProcessEntropy | \n", "FullDecimalProcessEntropy | \n", "Process | \n", "NewProcessName | \n", "CommandLine | \n", "ParentProcessName | \n", "TotalProcessCountOnHost | \n", "ProcessCountOnHost | \n", "DistinctComputersWithProcessCount | \n", "timestamp | \n", "HostCustomEntity | \n", "AccountCustomEntity | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", "2020-11-21 21:18:51.317000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "10.743361 | \n", "10.743361 | \n", "0.001074 | \n", "Defrag.exe | \n", "C:\\Windows\\System32\\Defrag.exe | \n", "C:\\windows\\system32\\defrag.exe -c -h -k -g -$ | \n", "C:\\Windows\\System32\\svchost.exe | \n", "12688 | \n", "1 | \n", "1 | \n", "2020-11-21 21:18:51.317000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
1 | \n", "2020-11-23 01:31:49.930000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "10.743361 | \n", "10.743361 | \n", "0.001074 | \n", "SppExtComObj.Exe | \n", "C:\\Windows\\System32\\SppExtComObj.Exe | \n", "C:\\windows\\system32\\SppExtComObj.exe -Embedding | \n", "C:\\Windows\\System32\\svchost.exe | \n", "12688 | \n", "1 | \n", "1 | \n", "2020-11-23 01:31:49.930000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
2 | \n", "2020-11-20 17:18:36.960000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "10.743361 | \n", "10.743361 | \n", "0.001074 | \n", "makecab.exe | \n", "C:\\Windows\\System32\\makecab.exe | \n", "\"C:\\windows\\system32\\makecab.exe\" C:\\windows\\L... | \n", "C:\\Windows\\WinSxS\\amd64_microsoft-windows-serv... | \n", "12688 | \n", "1 | \n", "1 | \n", "2020-11-20 17:18:36.960000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
3 | \n", "2020-11-21 21:18:51.303000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "10.743361 | \n", "10.743361 | \n", "0.001074 | \n", "rundll32.exe | \n", "C:\\Windows\\System32\\rundll32.exe | \n", "C:\\windows\\system32\\rundll32.exe Windows.Stora... | \n", "C:\\Windows\\System32\\svchost.exe | \n", "12688 | \n", "1 | \n", "1 | \n", "2020-11-21 21:18:51.303000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
4 | \n", "2020-11-21 21:18:51.310000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "10.743361 | \n", "10.743361 | \n", "0.001074 | \n", "tzsync.exe | \n", "C:\\Windows\\System32\\tzsync.exe | \n", "C:\\windows\\system32\\tzsync.exe | \n", "C:\\Windows\\System32\\svchost.exe | \n", "12688 | \n", "1 | \n", "1 | \n", "2020-11-21 21:18:51.310000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
5 | \n", "2020-11-18 01:18:36.913000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "39.820861 | \n", "19.910430 | \n", "0.001991 | \n", "lpremove.exe | \n", "C:\\Windows\\System32\\lpremove.exe | \n", "C:\\windows\\system32\\lpremove.exe | \n", "C:\\Windows\\System32\\svchost.exe | \n", "12688 | \n", "2 | \n", "1 | \n", "2020-11-18 01:18:36.913000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
6 | \n", "2020-11-21 03:18:49.223000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-18 | \n", "WORKGROUP\\WinAttackSim$ | \n", "39.820861 | \n", "19.910430 | \n", "0.001991 | \n", "lpremove.exe | \n", "C:\\Windows\\System32\\lpremove.exe | \n", "C:\\windows\\system32\\lpremove.exe | \n", "C:\\Windows\\System32\\svchost.exe | \n", "12688 | \n", "2 | \n", "1 | \n", "2020-11-21 03:18:49.223000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
7 | \n", "2020-11-23 01:31:49.957000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-20 | \n", "WORKGROUP\\WinAttackSim$ | \n", "39.820861 | \n", "19.910430 | \n", "0.001991 | \n", "slui.exe | \n", "C:\\Windows\\System32\\slui.exe | \n", "\"C:\\windows\\System32\\SLUI.exe\" RuleId=502ff3ba... | \n", "C:\\Windows\\System32\\SppExtComObj.Exe | \n", "12688 | \n", "2 | \n", "1 | \n", "2020-11-23 01:31:49.957000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
8 | \n", "2020-11-23 01:31:54.340000+00:00 | \n", "4688 | \n", "WinAttackSim | \n", "S-1-5-20 | \n", "WORKGROUP\\WinAttackSim$ | \n", "39.820861 | \n", "19.910430 | \n", "0.001991 | \n", "slui.exe | \n", "C:\\Windows\\System32\\slui.exe | \n", "\"C:\\windows\\System32\\SLUI.exe\" RuleId=379cccfb... | \n", "C:\\Windows\\System32\\SppExtComObj.Exe | \n", "12688 | \n", "2 | \n", "1 | \n", "2020-11-23 01:31:54.340000+00:00 | \n", "WinAttackSim | \n", "WORKGROUP\\WinAttackSim$ | \n", "
\n", " | type | \n", "kind | \n", "properties.severity | \n", "properties.query | \n", "properties.queryFrequency | \n", "properties.queryPeriod | \n", "properties.triggerOperator | \n", "properties.triggerThreshold | \n", "properties.suppressionDuration | \n", "properties.suppressionEnabled | \n", "... | \n", "properties.description | \n", "properties.tactics | \n", "properties.alertRuleTemplateName | \n", "properties.lastModifiedUtc | \n", "properties.customFields.Filename | \n", "properties.customFields.Reason | \n", "properties.productFilter | \n", "properties.severitiesFilter | \n", "properties.displayNamesFilter | \n", "properties.displayNamesExcludeFilter | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", "Microsoft.SecurityInsights/alertRules | \n", "Scheduled | \n", "Medium | \n", "let failureCountThreshold = 5;\\nlet successCou... | \n", "P1D | \n", "P1D | \n", "GreaterThan | \n", "0.0 | \n", "PT5H | \n", "False | \n", "... | \n", "Identifies evidence of brute force activity ag... | \n", "[CredentialAccess] | \n", "28b42356-45af-40a6-a0b4-a554cdfd5d8a | \n", "2020-11-17T08:15:49.636781Z | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
1 | \n", "Microsoft.SecurityInsights/alertRules | \n", "Scheduled | \n", "Medium | \n", "let timeframe = 1d;\\n//Set a threshold of fail... | \n", "P1D | \n", "P1D | \n", "GreaterThan | \n", "0.0 | \n", "PT5H | \n", "False | \n", "... | \n", "This query creates a list of IP addresses with... | \n", "[InitialAccess, CredentialAccess] | \n", "ba144bf8-75b8-406f-9420-ed74397f9479 | \n", "2020-11-11T05:16:14.5036485Z | \n", "FileName | \n", "Reason | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
2 | \n", "Microsoft.SecurityInsights/alertRules | \n", "Scheduled | \n", "Medium | \n", "let timeframe = 1d;\\nSecurityEvent\\n| where Ti... | \n", "P1D | \n", "P1D | \n", "GreaterThan | \n", "0.0 | \n", "PT5H | \n", "False | \n", "... | \n", "Checks for event id 1102 which indicates the s... | \n", "[DefenseEvasion] | \n", "80da0a8f-cfe1-4cd0-a895-8bc1771a720e | \n", "2020-11-11T01:46:53.4905768Z | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
3 | \n", "Microsoft.SecurityInsights/alertRules | \n", "Scheduled | \n", "Medium | \n", "AzureActivity\\n| take 1\\n| extend IPCustomEnti... | \n", "P1D | \n", "P14D | \n", "GreaterThan | \n", "0.0 | \n", "PT5H | \n", "False | \n", "... | \n", "This analytic matches Azure Activity logs to k... | \n", "[Impact] | \n", "None | \n", "2020-11-04T22:43:33.9845152Z | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
4 | \n", "Microsoft.SecurityInsights/alertRules | \n", "Scheduled | \n", "Medium | \n", "let timeframe = 1d;\\nSecurityEvent\\n| where Ti... | \n", "P1D | \n", "P1D | \n", "GreaterThan | \n", "0.0 | \n", "PT5H | \n", "False | \n", "... | \n", "Checks for event id 1102 which indicates the s... | \n", "[DefenseEvasion] | \n", "80da0a8f-cfe1-4cd0-a895-8bc1771a720e | \n", "2020-11-11T07:19:24.7658031Z | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
5 rows × 29 columns
\n", "\n", " | type | \n", "properties.displayName | \n", "properties.created | \n", "properties.updated | \n", "properties.createdBy.objectId | \n", "properties.createdBy.email | \n", "properties.createdBy.name | \n", "properties.updatedBy.objectId | \n", "properties.updatedBy.email | \n", "properties.updatedBy.name | \n", "... | \n", "properties.labels | \n", "properties.query | \n", "properties.queryResult | \n", "properties.queryStartTime | \n", "properties.queryEndTime | \n", "properties.incidentInfo.incidentId | \n", "properties.incidentInfo.title | \n", "properties.incidentInfo.relationName | \n", "properties.incidentInfo.severity | \n", "properties.notes | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", "Microsoft.SecurityInsights/Bookmarks | \n", "mercury IP | \n", "2020-11-18T09:26:54.1605891+00:00 | \n", "2020-11-18T09:26:54.1605891+00:00 | \n", "e0139aae-7811-40ca-abc6-3fcb79140a6b | \n", "Tim.Burrell@microsoft.com | \n", "Tim Burrell (MSTIC) | \n", "e0139aae-7811-40ca-abc6-3fcb79140a6b | \n", "Tim.Burrell@microsoft.com | \n", "Tim Burrell (MSTIC) | \n", "... | \n", "[] | \n", "print \"192.168.15.6\" \\n | \n", "{\"print_0\":\"192.168.15.6\",\"__entityMapping\":{\"... | \n", "2020-11-17T09:26:33.557+00:00 | \n", "2020-11-18T09:26:33.557+00:00 | \n", "None | \n", "None | \n", "None | \n", "None | \n", "NaN | \n", "
1 | \n", "Microsoft.SecurityInsights/Bookmarks | \n", "test 1 | \n", "2020-11-18T15:25:01.1843361+00:00 | \n", "2020-11-18T15:25:01.1843361+00:00 | \n", "b3a76793-1a0d-4bfe-95f6-96919d4b9acf | \n", "bnick@microsoft.com | \n", "Ben Nick | \n", "b3a76793-1a0d-4bfe-95f6-96919d4b9acf | \n", "bnick@microsoft.com | \n", "Ben Nick | \n", "... | \n", "[fluffyDogCampaign] | \n", "let auditLookback = 14d;\\n// Setting threshold... | \n", "{\"InitiatedBy\":\"seb@seccxp.ninja\",\"IpAddress\":... | \n", "NaN | \n", "NaN | \n", "None | \n", "None | \n", "None | \n", "None | \n", "this looks suspicious | \n", "
2 | \n", "Microsoft.SecurityInsights/Bookmarks | \n", "failed logons - decb171c8160 (1) | \n", "2020-11-19T11:26:31.3053573+00:00 | \n", "2020-11-19T11:26:31.3053573+00:00 | \n", "518a3ca6-44f0-4ac7-8179-97d18e48d65c | \n", "pascals@microsoft.com | \n", "Pascal Sauliere | \n", "518a3ca6-44f0-4ac7-8179-97d18e48d65c | \n", "pascals@microsoft.com | \n", "Pascal Sauliere | \n", "... | \n", "[] | \n", "// Event: An account failed to log on\\nSecurit... | \n", "{\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f... | \n", "NaN | \n", "NaN | \n", "None | \n", "None | \n", "None | \n", "None | \n", "NaN | \n", "
3 | \n", "Microsoft.SecurityInsights/Bookmarks | \n", "Rare Audit activity initiated by App - cbade9... | \n", "2020-11-11T18:39:16.6537628+00:00 | \n", "2020-11-11T18:39:16.6537628+00:00 | \n", "f6b78447-93dc-4041-a22a-6eb1c34265e2 | \n", "Umesh.Nagdev@microsoft.com | \n", "Umesh Nagdev | \n", "f6b78447-93dc-4041-a22a-6eb1c34265e2 | \n", "Umesh.Nagdev@microsoft.com | \n", "Umesh Nagdev | \n", "... | \n", "[] | \n", "let current = 1d;\\nlet auditLookback = 14d;\\nl... | \n", "{\"InitiatedByApp\":\"Microsoft Azure AD Group-Ba... | \n", "2020-11-10T18:39:01.061+00:00 | \n", "2020-11-11T18:39:01.061+00:00 | \n", "None | \n", "None | \n", "None | \n", "None | \n", "NaN | \n", "
4 | \n", "Microsoft.SecurityInsights/Bookmarks | \n", "ThreatIntelligenceIndicator - 4193cb45b90a (2) | \n", "2020-11-11T16:08:45.6964987+00:00 | \n", "2020-11-11T16:08:45.6964987+00:00 | \n", "525c09b5-61ef-4e10-8150-b44c97ead3a1 | \n", "Andrew.Blumhardt@microsoft.com | \n", "Andrew Blumhardt | \n", "525c09b5-61ef-4e10-8150-b44c97ead3a1 | \n", "Andrew.Blumhardt@microsoft.com | \n", "Andrew Blumhardt | \n", "... | \n", "[] | \n", "ThreatIntelligenceIndicator | \n", "{\"TenantId\":\"8ecf8077-cf51-4820-aadd-14040956f... | \n", "2020-11-10T16:08:26.089+00:00 | \n", "2020-11-11T16:08:26.089+00:00 | \n", "None | \n", "None | \n", "None | \n", "None | \n", "My Bookmark | \n", "
5 rows × 21 columns
\n", "\n", " | id | \n", "name | \n", "etag | \n", "type | \n", "properties.title | \n", "properties.severity | \n", "properties.status | \n", "properties.owner.objectId | \n", "properties.owner.email | \n", "properties.owner.assignedTo | \n", "... | \n", "properties.additionalData.commentsCount | \n", "properties.additionalData.alertProductNames | \n", "properties.additionalData.tactics | \n", "properties.firstActivityTimeGenerated | \n", "properties.lastActivityTimeGenerated | \n", "properties.relatedAnalyticRuleIds | \n", "properties.incidentUrl | \n", "properties.description | \n", "properties.firstActivityTimeUtc | \n", "properties.lastActivityTimeUtc | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... | \n", "aabf6bcd-4134-b07b-1152-040aa0cdf069 | \n", "\"0402f99f-0000-0100-0000-5fbd43d50000\" | \n", "Microsoft.SecurityInsights/Incidents | \n", "Time series anomaly detection for total volume... | \n", "High | \n", "New | \n", "None | \n", "None | \n", "None | \n", "... | \n", "2 | \n", "[Azure Sentinel] | \n", "[Exfiltration] | \n", "2020-11-24T17:10:35.7652885Z | \n", "2020-11-24T17:10:35.7652885Z | \n", "[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... | \n", "https://portal.azure.com/#asset/Microsoft_Azur... | \n", "NaN | \n", "NaN | \n", "NaN | \n", "
1 | \n", "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... | \n", "e917efd0-331d-48b7-81d7-6205cee787f5 | \n", "\"0302de84-0000-0100-0000-5fbd23f30000\" | \n", "Microsoft.SecurityInsights/Incidents | \n", "XASE SENSITIVITY TEST | \n", "Medium | \n", "New | \n", "None | \n", "None | \n", "None | \n", "... | \n", "0 | \n", "[Azure Sentinel] | \n", "[] | \n", "2020-11-24T15:17:06.8646498Z | \n", "2020-11-24T15:17:06.8646498Z | \n", "[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... | \n", "https://portal.azure.com/#asset/Microsoft_Azur... | \n", "LOWER CASE | \n", "2020-11-24T14:55:03.95Z | \n", "2020-11-24T14:55:03.95Z | \n", "
2 | \n", "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... | \n", "81d59f6e-988f-4758-a2d2-90886befccab | \n", "\"03029c83-0000-0100-0000-5fbd23d10000\" | \n", "Microsoft.SecurityInsights/Incidents | \n", "Case Sensitivity test UPPER | \n", "Medium | \n", "New | \n", "None | \n", "None | \n", "None | \n", "... | \n", "0 | \n", "[Azure Sentinel] | \n", "[] | \n", "2020-11-24T15:16:33.5131821Z | \n", "2020-11-24T15:16:33.5131821Z | \n", "[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... | \n", "https://portal.azure.com/#asset/Microsoft_Azur... | \n", "sdff | \n", "2020-11-24T14:57:49.43Z | \n", "2020-11-24T14:57:49.43Z | \n", "
3 | \n", "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... | \n", "b68151e7-890f-48aa-befb-3de2bc987557 | \n", "\"03022274-0000-0100-0000-5fbd222f0000\" | \n", "Microsoft.SecurityInsights/Incidents | \n", "Potential Password Spray | \n", "Medium | \n", "New | \n", "None | \n", "None | \n", "None | \n", "... | \n", "0 | \n", "[Azure Sentinel] | \n", "[Persistence] | \n", "2020-11-24T15:09:35.0020779Z | \n", "2020-11-24T15:09:35.0020779Z | \n", "[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... | \n", "https://portal.azure.com/#asset/Microsoft_Azur... | \n", "Description with a link | \n", "2020-11-24T10:04:32.5297051Z | \n", "2020-11-24T15:04:32.5297051Z | \n", "
4 | \n", "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... | \n", "49f91f51-30ce-4028-9117-96ca3debbe14 | \n", "\"0302f05f-0000-0100-0000-5fbd204e0000\" | \n", "Microsoft.SecurityInsights/Incidents | \n", "Case Sensitivity test UPPER | \n", "Medium | \n", "New | \n", "None | \n", "None | \n", "None | \n", "... | \n", "0 | \n", "[Azure Sentinel] | \n", "[] | \n", "2020-11-24T15:01:33.9949456Z | \n", "2020-11-24T15:01:33.9949456Z | \n", "[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... | \n", "https://portal.azure.com/#asset/Microsoft_Azur... | \n", "sdff | \n", "2020-11-24T14:41:32.13Z | \n", "2020-11-24T14:41:32.13Z | \n", "
5 rows × 27 columns
\n", "\n", " | id | \n", "name | \n", "etag | \n", "type | \n", "properties.title | \n", "properties.severity | \n", "properties.status | \n", "properties.owner.objectId | \n", "properties.owner.email | \n", "properties.owner.assignedTo | \n", "... | \n", "properties.incidentNumber | \n", "properties.additionalData.alertsCount | \n", "properties.additionalData.bookmarksCount | \n", "properties.additionalData.commentsCount | \n", "properties.additionalData.alertProductNames | \n", "properties.additionalData.tactics | \n", "properties.firstActivityTimeGenerated | \n", "properties.lastActivityTimeGenerated | \n", "properties.relatedAnalyticRuleIds | \n", "properties.incidentUrl | \n", "
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | \n", "/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8de... | \n", "aabf6bcd-4134-b07b-1152-040aa0cdf069 | \n", "\"0402f99f-0000-0100-0000-5fbd43d50000\" | \n", "Microsoft.SecurityInsights/Incidents | \n", "Time series anomaly detection for total volume... | \n", "High | \n", "New | \n", "None | \n", "None | \n", "None | \n", "... | \n", "4601 | \n", "1 | \n", "0 | \n", "2 | \n", "[Azure Sentinel] | \n", "[Exfiltration] | \n", "2020-11-24T17:10:35.7652885Z | \n", "2020-11-24T17:10:35.7652885Z | \n", "[/subscriptions/d1d8779d-38d7-4f06-91db-9cbc8d... | \n", "https://portal.azure.com/#asset/Microsoft_Azur... | \n", "
1 rows × 24 columns
\n", "