| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actionName | - | - | The user or service action | | |
| clientApp | - | - | The app that the client accessed | | |
| clientBrowser | - | - | The client browser | | |
| clientDisplayName | - | | The client display name | | |
| clientId | - | - | The unique client device ID | | |
| clientOS | - | - | The client OS | | |
| correlationId | - | - | The correlation ID | | |
| eventAdditionalDetails | - | - | The raw data string that contains additional information | | |
| eventCategory | - | - | The resource category targeted by the event | | |
| eventId | - | - | The identity provider event ID | | |
| eventName | - | - | The identity provider event name | | |
| eventTime | - | - | The time the identity provider detected the event | | |
| filterRiskLevel | - | - | The top-level risk level of the event | | |
| idpId | - | - | The internal product code of the identity provider | | |
| idpName | - | - | The identity provider | | |
| initiatedByAppDisplayName | - | - | The application display name | | |
| initiatedByAppId | - | - | The resource category targeted by the event | | |
| initiatedByServicePrincipalId | - | - | The unique ID of the service principal | | |
| initiatedByServicePrincipalName | - | - | The unique ID of the service principal | | |
| initiatedByUserDisplayName | - | | The user display name | | |
| initiatedByUserHomeTenantId | - | - | The tenant ID of the user | | |
| initiatedByUserHomeTenantName | - | - | The tenant ID of the user | | |
| initiatedByUserId | - | | The unique ID of the user who initiated the event | | |
| initiatedByUserIpAddress | - | | The client IP of the user | | |
| initiatedByUserPrincipalName | - | | The User Principal Name of the user | | |
| ipAddress | - | | The client IP | | |
| locationCity | - | - | The city where the event happened | | |
| locationCountry | - | - | The country where the event happened | | |
| locationLatitude | - | - | The latitude of the event location | | |
| locationLongitude | - | - | The longitude of the event location | | |
| locationState | - | - | The state where the event happened | | |
| logBatchId | - | - | The batch data retrieval process ID | | |
| logReceivedTime | - | - | The time when the XDR log was received | | |
| loggedByService | - | - | The service that initiated the event | | |
| operationType | - | - | The operation performed in the event | | |
| orgId | - | - | The organization ID | | |
| pname | - | - | The internal product ID | | |
| policyTreePath | - | - | The policy tree path (endpoint only) | | |
| principalName | - | | The User Principal Name | | |
| productCode | - | - | The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory) | | |
| requestMethod | - | - | The sign-in authentication method | | |
| result | - | - | The event result | | |
| resultReason | - | - | The cause of event failure or timeout | | |
| status | - | - | The sign-in status result | | |
| statusDetail | - | - | The additional information about sign-in status | | |
| statusReason | - | - | The sign-in status | | |
| tags | - | | The attack technique ID detected by Trend Vision One based on the alert filter | | |
| targetResourceDisplayName | - | - | The target resource display name | | |
| targetResourceId | - | - | The target resource ID | | |
| targetResources | - | - | The targeted resource of the event | | |
| tenantId | - | - | The Microsoft Entra ID Tenant ID of the organization | | |
| userAgent | - | - | The user agent | | |
| userDisplayName | - | | The user display name | | |
| userId | - | | The user ID | | |
| uuid | - | - | The unique key of the log entry | | |