AADServicePrincipalRiskEvents
Logs generated by identity protection for Azure AD service principal risk events.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Audit, Security |
| Solutions | LogManagement |
| Basic log | No |
| Ingestion-time transformation | No |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| Activity | string | Indicates the activity type the detected risk is linked to. |
| ActivityDateTime | datetime | Date and time when the risky activity occurred in UTC. |
| AdditionalInfo | dynamic | Additional information associated with the risk detection in JSON format. |
| AppId | string | The unique identifier for the associated application. |
| _BilledSize | real | The record size in bytes |
| CorrelationId | string | Correlation ID of the sign-in activity associated with the risk detection. Nullable. |
| DetectedDateTime | datetime | Date and time when the risk was detected in UTC. |
| DetectionTimingType | string | Timing of the detected risk , whether real-time or offline. |
| Id | string | Unique identifier of the risk detection. Inherited from entity. |
| IpAddress | string | Provides the IP address of the client from where the risk occurred. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| KeyIds | dynamic | The unique identifier (GUID) for the key credential associated with the risk detection. |
| LastUpdatedDateTime | datetime | Date and time when the risk detection was last updated in UTC. |
| Location | dynamic | Location of the sign-in. |
| OperationName | string | Name of the operation. |
| RequestId | string | Request identifier of the sign-in activity associated with the risk detection. Nullable. |
| RiskDetail | string | Details of the detected risk. Note: Details for this property are only available for Azure AD Premium P2 customers. |
| RiskEventType | string | The type of risk event detected. |
| RiskLevel | string | Level of the detected risk. Note: details for this property are only available for Azure AD Premium P2 customers. |
| RiskState | string | The state of a detected risky service principal or sign-in activity. |
| ServicePrincipalDisplayName | string | The display name for the service principal. |
| ServicePrincipalId | string | The unique identifier for the service principal. |
| Source | string | Source of the risk detection. For example, identityProtection. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time of the event in UTC. |
| TokenIssuerType | string | Indicates the type of token issuer for the detected sign-in risk. |
| Type | string | The name of the table |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for