AADServicePrincipalRiskEvents

Service Principal Risk Events:

This section provides the schema for the Service Principal Risk Events generated by Identity Protection

Schema

Column Type Description

Column	Type	Description
Activity	string	Indicates the activity type the detected risk is linked to.
ActivityDateTime	datetime	Date and time when the risky activity occurred in UTC.
AdditionalInfo	dynamic	Additional information associated with the risk detection in JSON format.
AppId	string	The unique identifier for the associated application.
_BilledSize	real	The record size in bytes
CorrelationId	string	Correlation ID of the sign-in activity associated with the risk detection. Nullable.
DetectedDateTime	datetime	Date and time when the risk was detected in UTC.
DetectionTimingType	string	Timing of the detected risk , whether real-time or offline.
Id	string	Unique identifier of the risk detection. Inherited from entity.
IpAddress	string	Provides the IP address of the client from where the risk occurred.
_IsBillable	string	Specifies whether ingesting the data is billable. When _IsBillable is `false` ingestion isn't billed to your Azure account
KeyIds	dynamic	The unique identifier (GUID) for the key credential associated with the risk detection.
LastUpdatedDateTime	datetime	Date and time when the risk detection was last updated in UTC.
Location	dynamic	Location of the sign-in.
OperationName	string	Name of the operation.
RequestId	string	Request identifier of the sign-in activity associated with the risk detection. Nullable.
RiskDetail	string	Details of the detected risk. Note: Details for this property are only available for Azure AD Premium P2 customers.
RiskEventType	string	The type of risk event detected.
RiskLevel	string	Level of the detected risk. Note: details for this property are only available for Azure AD Premium P2 customers.
RiskState	string	The state of a detected risky service principal or sign-in activity.
ServicePrincipalDisplayName	string	The display name for the service principal.
ServicePrincipalId	string	The unique identifier for the service principal.
Source	string	Source of the risk detection. For example, identityProtection.
SourceSystem	string	The type of agent the event was collected by. For example, `OpsManager` for Windows agent, either direct connect or Operations Manager, `Linux` for all Linux agents, or `Azure` for Azure Diagnostics
TenantId	string	The Log Analytics workspace ID
TimeGenerated	datetime	The date and time of the event in UTC.
TokenIssuerType	string	Indicates the type of token issuer for the detected sign-in risk.
Type	string	The name of the table

Activity

string

Indicates the activity type the detected risk is linked to.

ActivityDateTime

datetime

Date and time when the risky activity occurred in UTC.

AdditionalInfo

dynamic

Additional information associated with the risk detection in JSON format.

AppId

string

The unique identifier for the associated application.

_BilledSize

real

The record size in bytes

CorrelationId

string

Correlation ID of the sign-in activity associated with the risk detection. Nullable.

DetectedDateTime

datetime

Date and time when the risk was detected in UTC.

DetectionTimingType

string

Timing of the detected risk , whether real-time or offline.

string

Unique identifier of the risk detection. Inherited from entity.

IpAddress

string

Provides the IP address of the client from where the risk occurred.

_IsBillable

string

Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account

KeyIds

dynamic

The unique identifier (GUID) for the key credential associated with the risk detection.

LastUpdatedDateTime

datetime

Date and time when the risk detection was last updated in UTC.

Location

dynamic

Location of the sign-in.

OperationName

string

Name of the operation.

RequestId

string

Request identifier of the sign-in activity associated with the risk detection. Nullable.

RiskDetail

string

Details of the detected risk. Note: Details for this property are only available for Azure AD Premium P2 customers.

RiskEventType

string

The type of risk event detected.

RiskLevel

string

Level of the detected risk. Note: details for this property are only available for Azure AD Premium P2 customers.

RiskState

string

The state of a detected risky service principal or sign-in activity.

ServicePrincipalDisplayName

string

The display name for the service principal.

ServicePrincipalId

string

The unique identifier for the service principal.

Source

string

Source of the risk detection. For example, identityProtection.

SourceSystem

string

The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics

TenantId

string

The Log Analytics workspace ID

TimeGenerated

datetime

The date and time of the event in UTC.

TokenIssuerType

string

Indicates the type of token issuer for the detected sign-in risk.

Type

string

The name of the table

Last updated 3 months ago