| AccountDisplayName |
Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. |
String |
| AccountObjectId |
Unique identifier for the account in Microsoft Entra ID |
String |
| AccountUpn |
User principal name (UPN) of the account |
String |
| AlternateSignInName |
On-premises user principal name (UPN) of the user signing in to Microsoft Entra ID |
String |
| Application |
Application that performed the recorded action |
String |
| ApplicationId |
Unique identifier for the application |
String |
| AuthenticationProcessingDetails |
Details about the authentication processor |
String |
| AuthenticationRequirement |
Type of authentication required for the sign-in. Possible values: multiFactorAuthentication (MFA was required) and singleFactorAuthentication (no MFA was required). |
String |
| Browser |
Details about the version of the browser used to sign in |
String |
| City |
City where the client IP address is geolocated |
String |
| ClientAppUsed |
Indicates the client app used |
String |
| ConditionalAccessPolicies |
Details of the conditional access policies applied to the sign-in event |
String |
| ConditionalAccessStatus |
Status of the conditional access policies applied to the sign-in. Possible values are 0 (policies applied), 1 (attempt to apply policies failed), or 2 (policies not applied). |
Int32 |
| CorrelationId |
Unique identifier of the sign-in event |
String |
| Country |
Country/Region where the account user is located |
String |
| DeviceName |
Fully qualified domain name (FQDN) of the device |
String |
| DeviceTrustType |
Indicates the trust type of the device that signed in. For managed device scenarios only. Possible values are Workplace, AzureAd, and ServerAd. |
String |
| EndpointCall |
Information about the Microsoft Entra ID endpoint that the request was sent to and the type of request sent during sign in |
String |
| EntraIdDeviceId |
Unique identifier for the device in Microsoft Entra ID |
String |
| ErrorCode |
Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit https://aka.ms/AADsigninsErrorCodes |
Int32 |
| GatewayJA4 |
The JA4 fingerprint is a hash derived from the TLS Client Hello request. This JA4 fingerprint serves as a unique identifier for the client’s TLS configuration. |
String |
| IPAddress |
IP addresses of the clients on which the activity was performed; can contain multiple Ips if related to Microsoft Defender for Cloud Apps alerts |
String |
| IsCompliant |
Indicates whether the device that initiated the event is compliant or not |
Int32 |
| IsExternalUser |
Indicates whether a user inside the network does not belong to the organization’s domain |
Int32 |
| IsGuestUser |
Indicates whether the user that signed in is a guest in the tenant |
Boolean |
| IsManaged |
Indicates if the device is managed by the organization (True) or not (False) |
Int32 |
| LastPasswordChangeTimestamp |
Date and time when the user that signed in last changed their password |
DateTime |
| Latitude |
The north to south coordinates of the sign-in location |
String |
| LogonType |
Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service |
String |
| Longitude |
The east to west coordinates of the sign-in location |
String |
| NetworkLocationDetails |
Network location details of the authentication processor of the sign-in event |
String |
| OSPlatform |
Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
String |
| ReportId |
Unique identifier for the event |
String |
| RequestId |
Unique identifier of the request |
String |
| ResourceDisplayName |
Display name of the resource accessed. The display name can contain any character. |
String |
| ResourceId |
Unique identifier of the resource accessed |
String |
| ResourceTenantId |
Unique identifier of the tenant of the resource accessed |
String |
| RiskEventTypes |
Array of risk event types applicable to the event |
String |
| RiskLevelAggregated |
Aggregated risk level during sign-in. Possible values: 0 (aggregated risk level not set), 1 (none), 10 (low), 50 (medium), or 100 (high). |
Int32 |
| RiskLevelDuringSignIn |
User risk level at sign-in |
Int32 |
| RiskState |
Indicates risky user state. Possible values: 0 (none), 1 (confirmed safe), 2 (remediated), 3 (dismissed), 4 (at risk), or 5 (confirmed compromised). |
Int32 |
| SessionId |
Unique number assigned to a user by a website’s server for the duration of the visit or session |
String |
| SourceSystem |
|
String |
| State |
State where the sign-in occurred, if available |
String |
| TenantId |
|
String |
| TimeGenerated |
|
DateTime |
| Timestamp |
Date and time when the record was generated |
DateTime |
| TokenIssuerType |
Indicates if the token issuer is Microsoft Entra ID (0) or Active Directory Federation Services (1) |
String |
| Type |
|
String |
| UserAgent |
User agent information from the web browser or other client application |
String |