| Account | An identifier for the account as found by Microsoft Defender for Cloud. Could be Microsoft Entra ID, user principal name, IAM role or other identifiers | String |
| ActionType | Type of activity that triggered the event | String |
| AdditionalFields | Additional information about the entity or event | Object |
| AuditSource | Cloud environment source of the cloud audit event. Could be Azure, AWS, GCP, AliCloud or other | String |
| AwsResourceName | An identifier for the AWS cloud resource as found by Microsoft Defender for Cloud. | String |
| AzureResourceId | An identifier for the Azure cloud resource as found by Microsoft Defender for Cloud. | String |
| City | City where the client IP address is geolocated | String |
| CountryCode | Two-letter code indicating the country where the client IP address is geolocated | String |
| DataSource | Data source of the cloud audit event. Could be Azure ARM Logs, AWS CloudTrail, GCP Logging or other | String |
| GcpFullResourceName | An identifier for the Google Cloud resource as found by Microsoft Defender for Cloud. | String |
| IPAddress | The client IP address used to access the cloud resource or control plane | String |
| IsAnonymousProxy | Indicates whether the IP address belongs to a known anonymous proxy | Boolean |
| ISP | Internet service provider associated with the IP address | String |
| OperationName | Audit event operation name as it appears in the raw event schema. Usually includes both resource type and operation | String |
| RawEventData | Raw event information from the source application or service in JSON format | Object |
| ReportId | Unique identifier for the event | String |
| SourceSystem | | String |
| TenantId | | String |
| TimeGenerated | | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| Type | | String |
| UserAgent | User agent information from the web browser or other client application | String |