DynamicSummary

  • Article

Azure Sentinel Dynamic Summary provides a security data storage to persist concentrated findings and summaries for hunting, investigation, search, detection. Summary description and detailed observables can be stored in Log Analytics for further analysis and report generation.

Table attributes

Attribute Value
Resource types -
Categories -
Solutions SecurityInsights
Basic log No
Ingestion-time transformation No
Sample Queries -

Columns

Column Type Description
AzureTenantId string The AAD tenant ID to which this DynamicSummary table belongs.
_BilledSize real The record size in bytes
CreatedBy dynamic The JSON object with the user who created summary, including: object ID, email and name.
CreatedTimeUTC datetime The time (UTC) when the summary was created.
EventTimeUTC datetime The time (UTC) when the summary item occurred originally.
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
ObservableType string Observables are stateful events ot properties that are related to the operation of computing system, which are helpful in identifying indicators of compromise. For example, login.
ObservableValue string Value for observable type, such as: anomalous RDP activity.
PackedContent dynamic The JSON object has packed columns which can be generated by using KQL pack_all().
Query string This is the query that was used to generate the result.
QueryEndDate datetime Events that occurred before this datetime will be included in the result.
QueryStartDate datetime Events that occurred after this datetime will be included in the result.
RelationId string The original data source ID
RelationName string The original data source name.
SearchKey string SearchKey is used to optimize query performance when using DynamicSummary for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field to join in other event tables by IP address.
SourceInfo dynamic The JSON object with the data producer info, including source, name, version.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
SummaryDataType string This flag is used to tell if the record is either a summary level or a summary item level record.
SummaryDescription string The description provided by user.
SummaryId string Summary unique ID.
SummaryItemId string Summary item unique ID.
SummaryName string The Summary display name, unique within workspace.
SummaryStatus string Active or deleted.
Tactics dynamic MITRE ATT&CK tactics are what attackers are trying to achieve. For example, exfiltration.
Techniques dynamic MITRE ATT&CK techniques are how those tactics are accomplished.
TenantId string The Log Analytics workspace ID
TimeGenerated datetime The timestamp (UTC) of when the event was ingested to Azure Monitor.
Type string The name of the table
UpdatedBy dynamic The JSON object with the user who updated summary, including: object ID, email and name.
UpdatedTimeUTC datetime The time (UTC) when the summary was updated.