
ASimAuditEvent - Missing fields in vimAuditEventMicrosoftSecurityEvents

Open andrewj-t opened this issue 2 months ago • 0 comments

Describe the bug: When running vimAuditEventMicrosoftSecurityEvents, events related to Scheduled Task information are missing the Value, NewValue, Object and ObjectType fields. These fields are present when running ASimAuditEventMicrosoftSecurityEvents.

When

To Reproduce: Steps to reproduce the behavior:

  1. Connect to a Sentinel Environment which has ingested 4698 - A scheduled task was created events
  2. Execute the following tsql:

     vimAuditEventMicrosoftSecurityEvents
     | where EventOriginalType == 4698

  3. Observe that the Object, ObjectType, NewValue and Value fields are not returned
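A query that confirms the discrepancy side by side, added here as an example and not part of the report or the Azure-Sentinel repository; it assumes the standard ASim `starttime` filtering parameter on the vim parser and a one-day look-back window:

```kql
// Compare how many 4698 events each parser returns with the four fields populated.
// Window is an assumed look-back; adjust to the workspace being checked.
let Window = 1d;
union
  (ASimAuditEventMicrosoftSecurityEvents
   | where TimeGenerated > ago(Window)
   | where tostring(EventOriginalType) == "4698"
   | extend Parser = "ASimAuditEventMicrosoftSecurityEvents"),
  (vimAuditEventMicrosoftSecurityEvents(starttime=ago(Window))
   | where tostring(EventOriginalType) == "4698"
   | extend Parser = "vimAuditEventMicrosoftSecurityEvents")
// union fills columns absent from one branch with empty values, so a parser
// that drops a field shows up as a zero count for that field.
| summarize
    Events         = count(),
    WithObject     = countif(isnotempty(Object)),
    WithObjectType = countif(isnotempty(ObjectType)),
    WithValue      = countif(isnotempty(Value)),
    WithNewValue   = countif(isnotempty(NewValue))
  by Parser
```

With the bug present, the vim row shows the same Events count as the ASim row but zeros in the four field columns; after the fix both rows should match.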

Expected behavior: The fields should be returned, as they do when running the non-parameterized version of the query.

Additional context: I have created a fix and will submit a PR shortly.

andrewj-t avatar Nov 20 '25 01:11 andrewj-t