AADCustomSecurityAttributeAuditLogs
Non-interactive Azure Active Directory sign-in logs from user.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Audit, Security |
| Solutions | LogManagement |
| Basic log | No |
| Ingestion-time transformation | No |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AADOperationType | string | Type of the operation. Possible values are Add Update Delete and Other. |
| AADTenantId | string | ID of the AAD tenant. |
| ActivityDateTime | datetime | Date and time the activity was performed in UTC. |
| ActivityDisplayName | string | Activity name or the operation name. |
| AdditionalDetails | dynamic | Indicates additional details on the activity. Can have any string as a key or value. |
| _BilledSize | real | The record size in bytes |
| CallerIpAddress | string | IP address of caller. |
| CorrelationId | string | ID to provide audit trail. |
| DurationMs | long | The duration of the operation in milliseconds. |
| Id | string | Unique ID representing the audit activity. |
| Identity | string | The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal. |
| InitiatedBy | dynamic | User or app initiated the activity. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | The severity level of the event. |
| Location | string | The region of the resource emitting the event. |
| LoggedByService | string | Service that initiated the activity. |
| OperationName | string | Name of the operation. |
| OperationVersion | string | The REST API version that's requested by the client. |
| Result | string | Result of the activity. Possible values are: success failure timeout unknownFutureValue. |
| ResultDescription | string | Provides the error description for the audit operation. |
| ResultReason | string | Describes cause of failure or timeout results. |
| ResultSignature | string | Contains the error code, if any, for the audit operation. |
| ResultType | string | The result of the audit operation can be Success or Failure. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TargetResources | dynamic | Indicates information on which resource was changed due to the activity. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time of the event in UTC. |
| Type | string | The name of the table |
| UserAgent | string | User agent of initiator. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for