| AccountDisplayName |
Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. |
String |
| AccountId |
An identifier for the account as found by Microsoft Cloud App Security. Could be Microsoft Entra ID, user principal name, or other identifiers. |
String |
| AccountObjectId |
Unique identifier for the account in Microsoft Entra ID |
String |
| AccountType |
Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application |
String |
| ActionType |
Type of activity that triggered the event |
String |
| ActivityObjects |
List of objects, such as files or folders, that were involved in the recorded activity |
Object |
| ActivityType |
Type of activity that triggered the event |
String |
| AdditionalFields |
Additional information about the entity or event |
Object |
| AppInstanceId |
Unique identifier for the instance of an application |
Int32 |
| Application |
Application that performed the recorded action |
String |
| ApplicationId |
Unique identifier for the application |
Int32 |
| AuditSource |
Cloud enviorment source of the cloud audit event. Cloud be Azure, AWS, GCP, AliCloud or other |
String |
| City |
City where the client IP address is geolocated |
String |
| CountryCode |
Two-letter code indicating the country where the client IP address is geolocated |
String |
| DeviceType |
Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |
String |
| IPAddress |
IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts |
String |
| IPCategory |
Additional information about the IP address |
String |
| IPTags |
Customer-defined information applied to specific IP addresses and IP address ranges |
Object |
| IsAdminOperation |
Indicates whether the activity was performed by an administrator |
Boolean |
| IsAnonymousProxy |
Indicates whether the IP address belongs to a known anonymous proxy |
Boolean |
| IsExternalUser |
Indicates whether a user inside the network does not belong to the organization’s domain |
Boolean |
| IsImpersonated |
Indicates whether the activity was performed by one user on behalf of another (impersonated) user |
Boolean |
| ISP |
Internet service provider associated with the IP address |
String |
| LastSeenForUser |
Number of days since each statistical feature for the user was last seen |
Object |
| OAuthAppId |
A unique identifier that’s assigned to an application when it’s registered to Entra with OAuth 2.0. |
String |
| ObjectId |
Unique identifier of the object that the recorded action was applied to, in case of files it includes the extension |
String |
| ObjectName |
Name of the object that the recorded action was applied to |
String |
| ObjectType |
The type of object, such as a file or a folder, that the recorded action was applied to |
String |
| OSPlatform |
Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
String |
| RawEventData |
Full raw event information from the source application or service in JSON format |
Object |
| ReportId |
Unique identifier for the event |
String |
| SessionData |
Session identifiers (if provided by the audit source) |
Object |
| SourceSystem |
|
String |
| TenantId |
|
String |
| TimeGenerated |
|
DateTime |
| Timestamp |
Date and time when the record was generated |
DateTime |
| Type |
|
String |
| UncommonForUser |
List of features observed to be statistically uncommon for the user that performed the activity |
Object |
| UserAgent |
User agent information from the web browser or other client application |
String |
| UserAgentTags |
More information provided by Microsoft Cloud App Security in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot |
Object |