| AccountDisplayName | Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user. | String |
| AccountDomain | Domain of the account | String |
| AccountName | User name of the account | String |
| AccountObjectId | Unique identifier for the account in Microsoft Entra ID | String |
| AccountSid | Security Identifier (SID) of the account | String |
| AccountUpn | User principal name (UPN) of the account | String |
| ActionType | Type of activity that triggered the event | String |
| AdditionalFields | Additional information about the entity or event | Object |
| Application | Application that performed the recorded action | String |
| DestinationDeviceName | Name of the device running the server application that processed the recorded action | String |
| DestinationIPAddress | IP address of the device running the server application that processed the recorded action | String |
| DestinationPort | Destination port of the activity | Int32 |
| DeviceName | Fully qualified domain name (FQDN) of the device | String |
| DeviceType | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer | String |
| FailureReason | Information explaining why the recorded action failed | String |
| IPAddress | IP addresses of the clients on which the activity was performed; can contain multiple IPs if related to Microsoft Defender for Cloud Apps alerts | String |
| ISP | Internet service provider associated with the IP address | String |
| LastSeenForUser | Number of days since each statistical feature for the user was last seen | Object |
| Location | City, country, or other geographic location associated with the event | String |
| LogonType | Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service | String |
| OSPlatform | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | String |
| Port | TCP port used during communication | Int32 |
| Protocol | Protocol used during the communication | String |
| ReportId | Unique identifier for the event | String |
| SourceSystem | | String |
| TargetAccountDisplayName | Display name of the account that the recorded action was applied to | String |
| TargetDeviceName | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | String |
| TenantId | | String |
| TimeGenerated | | DateTime |
| Timestamp | Date and time when the record was generated | DateTime |
| Type | | String |
| UncommonForUser | List of features observed to be statistically uncommon for the user that performed the activity | Object |