| _BilledSize |
|
Double |
| _IsBillable |
|
String |
| Activity |
Indicates the activity type the detected risk is linked to. Possible values are: signin, user, unknownFutureValue. |
String |
| ActivityDateTime |
Date and time when the risky activity occurred. |
DateTime |
| AdditionalInfo |
Additional information associated with the user risk event in JSON format. |
Object |
| CorrelationId |
Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
String |
| DetectedDateTime |
Date and time that the risk was detected. |
DateTime |
| DetectionTimingType |
Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
String |
| Id |
Unique ID of the risk event. |
String |
| IpAddress |
The IP address of the client from where the risk occurred. |
String |
| LastUpdatedDateTime |
Date and time when the risk detection was last updated. |
DateTime |
| Location |
Location of the sign-in. |
Object |
| OperationName |
Name of the operation. |
String |
| RequestId |
Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
String |
| RiskDetail |
Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
String |
| RiskEventType |
The type of risk event detected. |
String |
| RiskLevel |
Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
String |
| RiskState |
The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
String |
| Source |
Source of the risk detection. For example, activeDirectory. |
String |
| SourceSystem |
|
String |
| TenantId |
|
String |
| TimeGenerated |
The date and time of the event in UTC. |
DateTime |
| TokenIssuerType |
Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue. |
String |
| Type |
The name of the table |
String |
| UserDisplayName |
The user principal name (UPN) of the user. |
String |
| UserId |
Unique ID of the user. |
String |
| UserPrincipalName |
The user principal name (UPN) of the user. |
String |