| AccountObjectId |
Unique identifier for the account in Microsoft Entra ID |
String |
| ApiVersion |
The API version of the event |
String |
| ApplicationId |
Unique identifier for the application |
String |
| ClientRequestId |
Identifier for the client request sent; if none is available, the operation identifier is used instead |
String |
| EntityType |
Type of object, such as a file, a process, a device, or a user |
String |
| IdentityProvider |
Identity provider that authenticated the subject of the token |
String |
| IpAddress |
IP address that the attacker attempted to access |
String |
| Location |
City, country, or other geographic location associated with the event |
String |
| OperationId |
Identifier for a batch of requests; the same identifier is used for all requests in a batch but if requests are non-batched, the identifier is unique per request |
String |
| ReportId |
Unique identifier for the event |
String |
| RequestDuration |
Duration of the request in milliseconds |
String |
| RequestId |
Unique identifier of the request |
String |
| RequestMethod |
HTTP method of the request |
String |
| RequestUri |
Uniform resource identifier (URI) of the request |
String |
| ResponseStatusCode |
HTTP response status code for the request |
String |
| Scopes |
Scopes in token claims |
String |
| ServicePrincipalId |
Unique identifier of the service principal that performed the action |
String |
| SourceSystem |
|
String |
| TargetWorkload |
The target workload (for example, Microsoft.Exchange, Microsoft.SharePoint) the API call was made to. |
String |
| TenantId |
|
String |
| TimeGenerated |
|
DateTime |
| Timestamp |
Date and time when the record was generated |
DateTime |
| Type |
|
String |
| UniqueTokenIdentifier |
Unique identifier embedded in every access token and ID token that were issued |
String |