| Field Name | Type | General Field | Description | Example | Products |
|---|---|---|---|---|---|
| actionName | - | - | The user or service action | Create User<br>Add member to group<br>Update application | undefined |
| clientApp | - | - | The app that the client accessed | browser<br>Mobile Apps and Desktop clients | undefined |
| clientBrowser | - | - | The client browser | Chrome 119.0.0 | undefined |
| clientDisplayName | - | EndpointName | The client display name | DESKTOP-TKOS222 | undefined |
| clientId | - | - | The unique client device ID | 9b1c6295-faa8-40f3-95ce-8065c0702e8f | undefined |
| clientOS | - | - | The client OS | Windows | undefined |
| correlationId | - | - | The correlation ID | 7f545dec-5f3b-443f-9f2e-282499deaaef | undefined |
| eventAdditionalDetails | - | - | The raw data string that contains additional information | `[{"key": "User-Agent","value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"}]` | undefined |
| eventCategory | - | - | The resource category targeted by the event | UserManagement<br>ApplicationManagement | undefined |
| eventId | - | - | The identity provider event ID | 1 - EVENT_SOURCE_AAD_SIGN_INS<br>2 - EVENT_SOURCE_AAD_DIR_AUDIT | undefined |
| eventName | - | - | The identity provider event name | 4624<br>aad_signin | undefined |
| eventTime | - | - | The time the identity provider detected the event | 1657781088000 | undefined |
| filterRiskLevel | - | - | The top-level risk level of the event | info<br>low<br>medium | Security Analytics Engine |
| idpId | - | - | The internal product code of the identity provider | aad<br>opa | undefined |
| idpName | - | - | The identity provider | Microsoft Entra ID<br>Microsoft Active Directory<br>google | undefined |
| initiatedByAppDisplayName | - | - | The application display name | Microsoft Intune | undefined |
| initiatedByAppId | - | - | The resource category targeted by the event | 00000003-0000-0000-c000-000000000000 | undefined |
| initiatedByServicePrincipalId | - | - | The unique ID of the service principal | 00000003-0000-0000-c000-000000000000 | undefined |
| initiatedByServicePrincipalName | - | - | The unique ID of the service principal | Microsoft Intune | undefined |
| initiatedByUserDisplayName | - | UserAccount | The user display name | Clark Shao | undefined |
| initiatedByUserHomeTenantId | - | - | The tenant ID of the user | | undefined |
| initiatedByUserHomeTenantName | - | - | The tenant ID of the user | | undefined |
| initiatedByUserId | - | UserAccount | The unique ID of the user who initiated the event | | undefined |
| initiatedByUserIpAddress | - | IPv4<br>IPv6 | The client IP of the user | 123.123.123.123 | undefined |
| initiatedByUserPrincipalName | - | UserAccount | The User Principal Name of the user | test@trendmicro.com | undefined |
| ipAddress | - | IPv4<br>IPv6 | The client IP | 10.10.10.10 | undefined |
| locationCity | - | - | The city where the event happened | Singapore | undefined |
| locationCountry | - | - | The country where the event happened | US<br>TW | undefined |
| locationLatitude | - | - | The latitude of the event location | 121.568 | undefined |
| locationLongitude | - | - | The longitude of the event location | 121.568 | undefined |
| locationState | - | - | The state where the event happened | Central Singapore | undefined |
| logBatchId | - | - | The batch data retrieval process ID | 0c4d9afc-e967-4058-a0dd-92e00c413fa1 | undefined |
| loggedByService | - | - | The service that initiated the event | Core Directory | undefined |
| operationType | - | - | The operation performed in the event | Add<br>Assign<br>Update | undefined |
| orgId | - | - | The organization ID | 123b703a-2f9f-436d-a46b-be516f70df32 | undefined |
| pname | - | - | The internal product ID | 2200<br>751<br>533 | undefined |
| policyTreePath | - | - | The policy tree path (endpoint only) | policyname1/policyname2/policyname3 | Security Analytics Engine |
| principalName | - | UserAccount | The User Principal Name | chin.shun@multibank.com.pa<br>leonelc@edsitrend.com<br>alcides.cuevas@multibank.com.pa | undefined |
| productCode | - | - | The internal product code of the identity provider (aad=Microsoft Entra ID, opa=Microsoft Active Directory) | aad<br>opa | Security Analytics Engine<br>undefined |
| requestMethod | - | - | The sign-in authentication method | `[{"authenticationStepDateTime": "2023-11-28T03:44:05Z","authenticationMethod": "Previously satisfied","authenticationMethodDetail": null,"succeeded" : true,"authenticationStepResultDetail": "MFA requirement satisfied by claim in the token","authenticationStepRequirement": ""}]` | undefined |
| result | - | - | The event result | success<br>failure<br>timeout | undefined |
| resultReason | - | - | The cause of event failure or timeout | success<br>failure<br>timeout | undefined |
| status | - | - | The sign-in status result | 0<br>50126<br>50155 | undefined |
| statusDetail | - | - | The additional information about sign-in status | MFA requirement satisfied by claim in the token | undefined |
| statusReason | - | - | The sign-in status | Error validating credentials due to invalid username or password.<br>Others. | undefined |
| tags | - | Technique<br>Tactic | The attack technique ID detected by Trend Vision One based on the alert filter | MITREV9.T1057<br>MITREV9.T1059.003<br>XSAE.F2924 | Security Analytics Engine |
| targetResourceDisplayName | - | - | The target resource display name | Microsoft Graph | undefined |
| targetResourceId | - | - | The target resource ID | 00000003-0000-0000-c000-000000000000 | undefined |
| targetResources | - | - | The targeted resource of the event | - | undefined |
| tenantId | - | - | The Microsoft Entra ID Tenant ID of the organization | b7eb1def-29e1-44bf-bdaa-cd104bf7860a | undefined |
| userAgent | - | - | The user agent | Microsoft.OData.Client/7.12.5<br>Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | undefined |
| userDisplayName | - | UserAccount | The user display name | Test User(RD-TW) | undefined |
| userId | - | UserAccount | The user ID | 9b1c6295-faa8-40f3-95ce-8065c0702e8f | undefined |
| uuid | - | - | The unique key of the log entry | 0000116b-ac61-48d2-89e1-3d1ce2d13cdd<br>000017f4-ac10-43b4-8aef-97158e0f8533<br>0000230c-15d8-428c-b707-ddb77cb9ed33 | Security Analytics Engine |