Security Center uses the Microsoft Monitoring Agent to collect various security related configurations and events from your machines and stores these events in your workspace(s). Examples of such data are: operating system logs (Windows event logs), running processes, and events from security solutions integrated with Security Center. The built-in notable events are:
Distinct malicious IP addresses accessed
union isfuzzy=true (WireData | where Direction == 'Outbound'), (WindowsFirewall | where CommunicationDirection == 'SEND'), (CommonSecurityLog | where CommunicationDirection == 'Outbound') | where isnotempty(MaliciousIP) | summarize by MaliciousIP
Computers with detected threats
ProtectionStatus | summarize (TimeGenerated, ThreatStatusRank) = argmax(TimeGenerated, ThreatStatusRank) by Computer | where ThreatStatusRank > 199 and ThreatStatusRank != 470
Computer with guest account logons
SecurityEvent | where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3) | summarize count() by Computer
High priority Active Directory assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (ADAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35) | summarize arg_max(TimeGenerated, *) by RecommendationId
High priority SQL assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (SQLAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35) | summarize arg_max(TimeGenerated, *) by RecommendationId
Members added To security-enabled groups
SecurityEvent | where EventID in (4728, 4732, 4756) | summarize count() by SubjectAccount
Domain security policy changes
SecurityEvent | where EventID == 4739 | summarize count() by DomainPolicyChanged
Computers with system audit policy changes
SecurityEvent | where EventID == 4719 | summarize count() by Computer
Suspicious executables
SecurityEvent | where EventID == 8002 and Fqbn == '-' | summarize ExecutionCountHash=count() by FileHash | where ExecutionCountHash <= 5
Computers missing critical updates
Update | where UpdateState == 'Needed' and Optional == false and Classification == 'Critical Updates' and Approved != false | summarize count() by Computer
Low priority AD assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (ADAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore<35) | summarize arg_max(TimeGenerated, *) by RecommendationId
Low priority SQL assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (SQLAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore<35) | summarize arg_max(TimeGenerated, *) by RecommendationId
Accounts failed to log on
SecurityEvent | where EventID == 4625 | summarize count() by TargetAccount
Locked accounts
SecurityEvent | where EventID == 4740 | summarize count() by TargetAccount
Change or reset passwords attempts
SecurityEvent | where EventID in (4723, 4724) | summarize count() by TargetAccount
Security groups created or modified
SecurityEvent | where EventID in (4727, 4731, 4735, 4737, 4754, 4755) | summarize count() by TargetAccount
Remote procedure call(RPC) attempts
SecurityEvent | where EventID == 5712 | summarize count() by Computer
User accounts created or enabled
SecurityEvent | where EventID in (4720, 4722) | summarize by TargetAccount
Computers with users added to a Linux group
Syslog | where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added') | summarize by Computer
Computers with new Linux group created
Syslog | where Facility == 'authpriv' and SyslogMessage has 'new group' | summarize count() by Computer
Computers with failed Linux user password change
Syslog | where Facility == 'authpriv' and ((SyslogMessage has 'passwd:chauthtok' and SyslogMessage has 'authentication failure') or SyslogMessage has 'password change failed') | summarize count() by Computer
Computers with failed ssh logons
Syslog | where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2') or SyslogMessage has 'error: PAM: Authentication failure')) | summarize count() by Computer
Computers with failed su logons
Syslog | where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and SyslogMessage has 'FAILED SU') | summarize count() by Computer
Computers with failed sudo logons
Syslog | where (Facility == 'authpriv' and SyslogMessage has 'sudo:auth' and (SyslogMessage has 'authentication failure' or SyslogMessage has 'conversation failed')) or ((Facility == 'auth' or Facility == 'authpriv') and SyslogMessage has 'user NOT in sudoers') | summarize count() by Computer
Distinct clients resolving malicious domains
let schemaColumns = datatable(ClientIP:string)[]; union isfuzzy=true schemaColumns, (DnsEvents | where SubType == 'LookupQuery' and isnotempty(MaliciousIP)) | summarize count() by ClientIP
Computers with web vulnerabilities
SecurityBaselineSummary | where PercentageOfPassedRules < 100 and BaselineType == "Web" | summarize count() by Computer
You can create your own notable event, and add on top of the built-in ones. Read Creating Custom Notable Event in Azure Security Center for more information on that. Notable events can also appear as contextual information in a Security Incident, read Exploring Notable Events in Security Incidents for more information on that.
