Layer: Identity
This documentation provides detailed information about all fields available for Microsoft Entra ID.
| Field Name | Type | Searchable | General Field | Description | Example | Products |
|---|---|---|---|---|---|---|
| actionName | string | true | - | The user or service action |
|
Microsoft Entra ID |
| application | string | true | - | The displayed application name | app01 | Microsoft Entra ID |
| applicationId | string | true | - | The Microsoft Entra ID application ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| authenticationProtocol | string | true | - | The authentication protocol or grant type |
|
Microsoft Entra ID |
| autonomousSystemNumber | int | true | - | The network Autonomous System Number | 1023 | Microsoft Entra ID |
| clientApp | string | true | - | The app that the client accessed |
|
Microsoft Entra ID |
| clientBrowser | string | true | - | The client browser | Chrome 119.0.0 | Microsoft Entra ID |
| clientCredentialType | string | true | - | The user client or service principal credential type |
|
Microsoft Entra ID |
| clientDisplayName | string | true | EndpointName | The client display name | DESKTOP-TKOS222 | Microsoft Entra ID |
| clientId | string | true | - | The unique client device ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| clientOS | string | true | - | The client OS | Windows | Microsoft Entra ID |
| conditionalAccessStatus | string | true | - | The conditional access policy status |
|
Microsoft Entra ID |
| correlationId | string | true | - | The correlation id | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| crossTenantAccessType | string | true | - | The cross-tenant access type |
|
Microsoft Entra ID |
| eventAdditionalDetails | dynamic | true | - | The raw data string that contains additional information | [{"key": "<example>","value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}] | Microsoft Entra ID |
| eventCategory | string | true | - | The resource category targeted by the event |
|
Microsoft Entra ID |
| eventId | string | true | - | The identity provider event ID |
|
Microsoft Entra ID |
| eventName | string | true | - | The identity provider event name |
|
Microsoft Entra ID |
| eventTime | real | true | - | The time the identity provider detected the event | 1657781088000 | Microsoft Entra ID |
| idpId | string | true | - | The internal product code of the identity provider |
|
Microsoft Entra ID |
| idpIssuerName | string | true | - | The identity provider that issued the token | sts.microsoft.com | Microsoft Entra ID |
| idpName | string | true | - | The identity provider |
|
Microsoft Entra ID |
| incomingTokentype | string | true | - | The authentication token types |
|
Microsoft Entra ID |
| initiatedByAppDisplayName | string | true | - | The application display name | Microsoft Intune | Microsoft Entra ID |
| initiatedByAppId | string | true | - | The resource category targeted by the event | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| initiatedByServicePrincipalId | string | true | - | The unique ID of the service principal | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| initiatedByServicePrincipalName | string | true | - | The unique ID of the service principal |
|
Microsoft Entra ID |
| initiatedByUserDisplayName | string | true | UserAccount | The user display name | Sample User | Microsoft Entra ID |
| initiatedByUserHomeTenantId | string | true | - | The tenant ID of the user | Microsoft Entra ID | |
| initiatedByUserHomeTenantName | string | true | - | The tenant ID of the user | Microsoft Entra ID | |
| initiatedByUserId | string | true | UserAccount | The unique ID of the user who initiated the event | Microsoft Entra ID | |
| initiatedByUserIpAddress | string | true |
|
The client IP of the user | 10.10.10.10 | Microsoft Entra ID |
| initiatedByUserPrincipalName | string | true | UserAccount | The User Principal Name of the user | sample_email@trendmicro.com | Microsoft Entra ID |
| ipAddress | string | true |
|
The client IP | 10.10.10.10 | Microsoft Entra ID |
| locationCity | string | true | - | The city where the event happened | Singapore | Microsoft Entra ID |
| locationCountry | string | true | - | The country where the event happened |
|
Microsoft Entra ID |
| locationLatitude | string | true | - | The latitude of the event location | 121.568 | Microsoft Entra ID |
| locationLongitude | string | true | - | The longitude of the event location | 121.568 | Microsoft Entra ID |
| locationState | string | true | - | The state where the event happened | Central Singapore | Microsoft Entra ID |
| logBatchId | string | true | - | The batch data retrieval process ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| loggedByService | string | true | - | The service that initiated the event | Core Directory | Microsoft Entra ID |
| operationType | string | true | - | The operation performed in the event |
|
Microsoft Entra ID |
| orgId | string | true | - | The organization ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| pname | string | true | - | The internal product ID |
|
Microsoft Entra ID |
| principalName | string | true | UserAccount | The User Principal Name | sample_email@trendmicro.com | Microsoft Entra ID |
| productCode | string | true | - | The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory) |
|
|
| requestMethod | string | true | - | The sign-in authentication method | [{"authenticationStepDateTime": "2023-11-28T03:44:05Z","authenticationMethod": "Previously satisfied","authenticationMethodDetail": null,"succeeded" : true,"authenticationStepResultDetail": "MFA requirement satisfied by claim in the Token","authenticationStepRequirement": ""}] | Microsoft Entra ID |
| result | string | true | - | The event result |
|
Microsoft Entra ID |
| resultReason | string | true | - | The cause of event failure or timeout |
|
Microsoft Entra ID |
| riskEventTypes | dynamic | true | - | The associated sign-in risk event types | ['unlikelyTravel', 'anonymizedIPAddress'] | Microsoft Entra ID |
| servicePrincipalId | string | true | - | The service principal ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| servicePrincipalName | string | true | - | The service principal name | Service_01 | Microsoft Entra ID |
| signInCountries | dynamic | true | - | The countries from which a user signed in |
|
|
| signInEventTypes | dynamic | true | - | The sign-in event type | ['interactiveUser', 'nonInteractiveUser'] | Microsoft Entra ID |
| signInIdentifierType | string | true | - | The sign-in ID type |
|
Microsoft Entra ID |
| status | string | true | - | The sign-in status result |
|
Microsoft Entra ID |
| statusDetail | string | true | - | The additional information about sign-in status | MFA requirement satisfied by claim in the token | Microsoft Entra ID |
| statusReason | string | true | - | The sign-in status |
|
Microsoft Entra ID |
| targetResourceDisplayName | string | true | - | The target resource display name | Microsoft Graph | Microsoft Entra ID |
| targetResourceId | string | true | - | The target resource ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| targetResources | dynamic | true | - | The targeted resource of the event | Microsoft Entra ID | |
| tenantId | string | true | - | The Microsoft Entra ID Tenant ID of the organization | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| userAgent | string | true | - | The user agent |
|
Microsoft Entra ID |
| userDisplayName | string | true | UserAccount | The user display name | Test User(RD-TW) | Microsoft Entra ID |
| userId | string | true | UserAccount | The user ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| userSessionId | string | true | - | The session ID | 11111111-1111-1111-1111-111111111111 | Microsoft Entra ID |
| userType | string | true | - | The tenant user type |
|
Microsoft Entra ID |
Generated by XDR Common Schema Public Doc Generator V2