| Field Name | Type | General Field | Description | Example | Products |
| --- | --- | --- | --- | --- | --- |
| actionName | - | - | The user or service action | Create User<br>Add member to group<br>Update application | Microsoft Entra ID |
| clientApp | - | - | The app that the client accessed | browser<br>Mobile Apps and Desktop clients | Microsoft Entra ID |
| clientBrowser | - | - | The client browser | Chrome 119.0.0 | Microsoft Entra ID |
| clientDisplayName | - | EndpointName | The client display name | DESKTOP-TKOS222 | Microsoft Entra ID |
| clientId | - | - | The unique client device ID | 9b1c6295-faa8-40f3-95ce-8065c0702e8f | Microsoft Entra ID |
| clientOS | - | - | The client OS | Windows | Microsoft Entra ID |
| correlationId | - | - | The correlation ID | 7f545dec-5f3b-443f-9f2e-282499deaaef | Microsoft Entra ID |
| eventAdditionalDetails | - | - | The raw data string that contains additional information | [{"key": "User-Agent","value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}] | Microsoft Entra ID |
| eventCategory | - | - | The resource category targeted by the event | UserManagement<br>ApplicationManagement | Microsoft Entra ID |
| eventId | - | - | The identity provider event ID | 1 - EVENT_SOURCE_AAD_SIGN_INS<br>2 - EVENT_SOURCE_AAD_DIR_AUDIT | Microsoft Entra ID |
| eventName | - | - | The identity provider event name | 4624<br>aad_signin | Microsoft Entra ID |
| eventTime | - | - | The time the identity provider detected the event | 1657781088000 | Microsoft Entra ID |
| filterRiskLevel | - | - | The top-level risk level of the event | info<br>low<br>medium | Security Analytics Engine |
| idpId | - | - | The internal product code of the identity provider | aad<br>opa | Microsoft Entra ID |
| idpName | - | - | The identity provider | Microsoft Entra ID<br>Microsoft Active Directory<br>google | Microsoft Entra ID |
| initiatedByAppDisplayName | - | - | The application display name | Microsoft Intune | Microsoft Entra ID |
| initiatedByAppId | - | - | The resource category targeted by the event | 00000003-0000-0000-c000-000000000000 | Microsoft Entra ID |
| initiatedByServicePrincipalId | - | - | The unique ID of the service principal | 00000003-0000-0000-c000-000000000000 | Microsoft Entra ID |
| initiatedByServicePrincipalName | - | - | The unique ID of the service principal | Microsoft Intune | Microsoft Entra ID |
| initiatedByUserDisplayName | - | UserAccount | The user display name | Clark Shao | Microsoft Entra ID |
| initiatedByUserHomeTenantId | - | - | The tenant ID of the user | | Microsoft Entra ID |
| initiatedByUserHomeTenantName | - | - | The tenant ID of the user | | Microsoft Entra ID |
| initiatedByUserId | - | UserAccount | The unique ID of the user who initiated the event | | Microsoft Entra ID |
| initiatedByUserIpAddress | - | IPv4<br>IPv6 | The client IP of the user | 123.123.123.123 | Microsoft Entra ID |
| initiatedByUserPrincipalName | - | UserAccount | The User Principal Name of the user | test@trendmicro.com | Microsoft Entra ID |
| ipAddress | - | IPv4<br>IPv6 | The client IP | 10.10.10.10 | Microsoft Entra ID |
| locationCity | - | - | The city where the event happened | Singapore | Microsoft Entra ID |
| locationCountry | - | - | The country where the event happened | US<br>TW | Microsoft Entra ID |
| locationLatitude | - | - | The latitude of the event location | 121.568 | Microsoft Entra ID |
| locationLongitude | - | - | The longitude of the event location | 121.568 | Microsoft Entra ID |
| locationState | - | - | The state where the event happened | Central Singapore | Microsoft Entra ID |
| logBatchId | - | - | The batch data retrieval process ID | 0c4d9afc-e967-4058-a0dd-92e00c413fa1 | Microsoft Entra ID |
| logReceivedTime | - | - | The time when the XDR log was received | 1656324260000 | Security Analytics Engine |
| loggedByService | - | - | The service that initiated the event | Core Directory | Microsoft Entra ID |
| operationType | - | - | The operation performed in the event | Add<br>Assign<br>Update | Microsoft Entra ID |
| orgId | - | - | The organization ID | 123b703a-2f9f-436d-a46b-be516f70df32 | Microsoft Entra ID |
| pname | - | - | The internal product ID | 2200<br>751<br>533 | Microsoft Entra ID |
| policyTreePath | - | - | The policy tree path (endpoint only) | policyname1/policyname2/policyname3 | Security Analytics Engine |
| principalName | - | UserAccount | The User Principal Name | chin.shun@multibank.com.pa<br>leonelc@edsitrend.com<br>alcides.cuevas@multibank.com.pa | Microsoft Entra ID |
| productCode | - | - | The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory) | aad<br>opa | Security Analytics Engine<br>Microsoft Entra ID |
| requestMethod | - | - | The sign-in authentication method | [{"authenticationStepDateTime": "2023-11-28T03:44:05Z","authenticationMethod": "Previously satisfied","authenticationMethodDetail": null,"succeeded" : true,"authenticationStepResultDetail": "MFA requirement satisfied by claim in the token","authenticationStepRequirement": ""}] | Microsoft Entra ID |
| result | - | - | The event result | success<br>failure<br>timeout | Microsoft Entra ID |
| resultReason | - | - | The cause of event failure or timeout | success<br>failure<br>timeout | Microsoft Entra ID |
| status | - | - | The sign-in status result | 0<br>50126<br>50155 | Microsoft Entra ID |
| statusDetail | - | - | The additional information about sign-in status | MFA requirement satisfied by claim in the token | Microsoft Entra ID |
| statusReason | - | - | The sign-in status | Error validating credentials due to invalid username or password.<br>Others. | Microsoft Entra ID |
| tags | - | Technique<br>Tactic | The attack technique ID detected by Trend Vision One based on the alert filter | MITREV9.T1057<br>MITREV9.T1059.003<br>XSAE.F2924 | Security Analytics Engine |
| targetResourceDisplayName | - | - | The target resource display name | Microsoft Graph | Microsoft Entra ID |
| targetResourceId | - | - | The target resource ID | 00000003-0000-0000-c000-000000000000 | Microsoft Entra ID |
| targetResources | - | - | The targeted resource of the event | | Microsoft Entra ID |
| tenantId | - | - | The Microsoft Entra ID Tenant ID of the organization | b7eb1def-29e1-44bf-bdaa-cd104bf7860a | Microsoft Entra ID |
| userAgent | - | - | The user agent | Microsoft.OData.Client/7.12.5<br>Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Microsoft Entra ID |
| userDisplayName | - | UserAccount | The user display name | Test User(RD-TW) | Microsoft Entra ID |
| userId | - | UserAccount | The user ID | 9b1c6295-faa8-40f3-95ce-8065c0702e8f | Microsoft Entra ID |
| uuid | - | - | The unique key of the log entry | 0000116b-ac61-48d2-89e1-3d1ce2d13cdd<br>000017f4-ac10-43b4-8aef-97158e0f8533<br>0000230c-15d8-428c-b707-ddb77cb9ed33 | Security Analytics Engine |