| _BilledSize |
|
Double |
| _IsBillable |
|
String |
| AccountDisplayName |
Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. |
String |
| AccountId |
An identifier for the account as found by Microsoft Cloud App Security. Could be Azure Active Directory ID, user principal name, or other identifiers |
String |
| AccountObjectId |
Unique identifier for the account in Azure AD |
String |
| AccountType |
Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application |
String |
| ActionType |
Type of activity that triggered the event |
String |
| ActivityObjects |
List of objects, such as files or folders, that were involved in the recorded activity |
Object |
| ActivityType |
Type of activity that triggered the event |
String |
| AdditionalFields |
Additional information about the entity or event |
Object |
| AppInstanceId |
Unique identifier for the instance of an application |
Int32 |
| Application |
Application that performed the recorded action |
String |
| ApplicationId |
Unique identifier for the application |
Int32 |
| City |
City where the client IP address is geolocated |
String |
| CountryCode |
Two-letter code indicating the country where the client IP address is geolocated |
String |
| DeviceType |
Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
String |
| IPAddress |
IP address assigned to the device during communication |
String |
| IPCategory |
Additional information about the IP address |
String |
| IPTags |
Customer-defined information applied to specific IP addresses and IP address ranges |
Object |
| IsAdminOperation |
Indicates whether the activity was performed by an administrator |
Boolean |
| IsAnonymousProxy |
Indicates whether the IP address belongs to a known anonymous proxy |
Boolean |
| IsExternalUser |
Indicates whether a user inside the network doesn’t belong to the organization’s domain |
Boolean |
| IsImpersonated |
Indicates whether the activity was performed by one user for another (impersonated) user |
Boolean |
| ISP |
Internet service provider associated with the IP address |
String |
| ObjectId |
Unique identifier of the object that the recorded action was applied to |
String |
| ObjectName |
Name of the object that the recorded action was applied to |
String |
| ObjectType |
The type of object, such as a file or a folder, that the recorded action was applied to |
String |
| OSPlatform |
Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
String |
| RawEventData |
Raw event information from the source application or service in JSON format |
Object |
| ReportId |
Unique identifier for the event |
String |
| SourceSystem |
|
String |
| TenantId |
|
String |
| TimeGenerated |
Date and time (UTC) when the record was generated |
DateTime |
| Timestamp |
Date and time when the record was generated |
DateTime |
| Type |
The name of the table |
String |
| UserAgent |
User agent information from the web browser or other client application |
String |
| UserAgentTags |
More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |
Object |