| _BilledSize | | Double |
| _IsBillable | | String |
| _ResourceId | A unique identifier for the resource that the record is associated with. | String |
| _SubscriptionId | A unique identifier for the subscription that the record is associated with. | String |
| ActivityStatus | | String |
| ActivityStatusValue | Status of the operation in display-friendly format. Common values include Started, In Progress, Succeeded, Failed, Active, Resolved. | String |
| ActivitySubstatus | | String |
| ActivitySubstatusValue | Substatus of the operation in display-friendly format, e.g. OK (HTTP Status Code: 200). | String |
| Authorization | Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as string. The use of Authorization_d should be preferred going forward. | String |
| Authorization_d | Blob of RBAC properties of the event. Usually includes the “action”, “role” and “scope” properties. Stored as dynamic column. | Object |
| Caller | GUID of the caller. | String |
| CallerIpAddress | IP address of the user who has performed the operation UPN claim or SPN claim based on availability. | String |
| Category | Type of threat indicator or breach activity identified by the alert. | String |
| CategoryValue | Category of the activity log, e.g. Administrative, Policy, Security. | String |
| Claims | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. The use of Claims_d should be preferred going forward. | String |
| Claims_d | The JWT token used by Active Directory to authenticate the user or application to perform this operation in Resource Manager. | Object |
| CorrelationId | Usually a GUID in the string format. Events that share a correlationId belong to the same uber action. | String |
| EventDataId | Unique identifier of an event. | String |
| EventSubmissionTimestamp | Timestamp when the event became available for querying. | DateTime |
| Hierarchy | Management group hierarchy of the management group or subscription that the event belongs to. | String |
| HTTPRequest | Blob describing the HTTP request. Usually includes the “clientRequestId”, “clientIpAddress” and “method” (the HTTP method, for example PUT). | String |
| Level | Level of the event. One of the following values: Critical, Error, Warning, Informational and Verbose. | String |
| OperationId | GUID of the operation. | String |
| OperationName | Audit event operation name as it appears in the raw event schema. Usually includes both resource type and operation. | String |
| OperationNameValue | Identifier of the operation, e.g. Microsoft.Storage/storageAccounts/listAccountSas/action. | String |
| Properties | Set of pairs (i.e. Dictionary) describing the details of the event. Stored as string. Usage of Properties_d is recommended instead. | String |
| Properties_d | Set of pairs (i.e. Dictionary) describing the details of the event. Stored as dynamic column. | Object |
| Resource | | String |
| ResourceGroup | Resource group name of the impacted resource. | String |
| ResourceId | Unique identifier of the resource accessed. | String |
| ResourceProvider | | String |
| ResourceProviderValue | ID of the resource provider for the impacted resource, e.g. Microsoft.Storage. | String |
| SourceSystem | Always Azure for AzureActivity. | String |
| SubscriptionId | Subscription ID of the impacted resource. | String |
| TenantId | ID of the workspace that stores this record. | String |
| TimeGenerated | Timestamp when the event was generated by the Azure service processing the request corresponding to the event. | DateTime |
| Type | The name of the table. | String |