Identity and access activity data sources

actionName

-

The user or service action

application

-

The displayed application name

applicationId

-

The Microsoft Entra ID application ID

authenticationProtocol

-

The authentication protocol or grant type

autonomousSystemNumber

-

The network Autonomous System Number

clientApp

-

The app that the client accessed

clientBrowser

-

The client browser

clientCredentialType

-

The user client or service principal credential type

clientDisplayName

The client display name

clientId

-

The unique client device ID

clientOS

-

The client OS

conditionalAccessStatus

-

The conditional access policy status

correlationId

-

The correlation ID

crossTenantAccessType

-

The cross-tenant access type

eventAdditionalDetails

-

The raw data string that contains additional information

eventCategory

-

The resource category targeted by the event

eventId

-

The identity provider event ID

eventName

-

The identity provider event name

eventTime

-

The time the identity provider detected the event

filterRiskLevel

-

The top-level risk level of the event

groupId

-

The group ID for the management scope filter

idpId

-

The internal product code of the identity provider

idpIssuerName

-

The identity provider that issued the token

idpName

-

The identity provider

incomingTokentype

-

The authentication token types

initiatedByAppDisplayName

-

The application display name

initiatedByAppId

-

The resource category targeted by the event

initiatedByServicePrincipalId

-

The unique ID of the service principal

initiatedByServicePrincipalName

-

The unique ID of the service principal

initiatedByUserDisplayName

The user display name

initiatedByUserHomeTenantId

-

The tenant ID of the user

initiatedByUserHomeTenantName

-

The tenant ID of the user

initiatedByUserId

The unique ID of the user who initiated the event

initiatedByUserIpAddress

The client IP of the user

initiatedByUserPrincipalName

The User Principal Name of the user

ipAddress

The client IP

locationCity

-

The city where the event happened

locationCountry

-

The country where the event happened

locationLatitude

-

The latitude of the event location

locationLongitude

-

The longitude of the event location

locationState

-

The state where the event happened

logBatchId

-

The batch data retrieval process ID

logReceivedTime

-

The time when the XDR log was received

loggedByService

-

The service that initiated the event

operationType

-

The operation performed in the event

orgId

-

The organization ID

pname

-

The internal product ID

policyTreePath

-

The policy tree path (endpoint only)

principalName

The User Principal Name

productCode

-

The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory)

requestMethod

-

The sign-in authentication method

result

-

The event result

resultReason

-

The cause of event failure or timeout

riskEventTypes

-

The associated sign-in risk event types

servicePrincipalId

-

The service principal ID

servicePrincipalName

-

The service principal name

signInEventTypes

-

The sign-in event type

signInIdentifierType

-

The sign-in ID type

status

-

The sign-in status result

statusDetail

-

The additional information about sign-in status

statusReason

-

The sign-in status

tags

The attack technique ID detected by Trend Vision One based on the alert filter

targetResourceDisplayName

-

The target resource display name

targetResourceId

-

The target resource ID

targetResources

-

The targeted resource of the event

tenantId

-

The Microsoft Entra ID Tenant ID of the organization

userAgent

-

The user agent

userDisplayName

The user display name

userId

The user ID

userSessionId

-

The session ID

userType

-

The tenant user type

uuid

-

The unique key of the log entry