Page Comparison

cloud.azure.ad.noninteractive_user_signin

logs

Rw ui tabs macro

Rw tab

title	1-5

cloud.azure
cloud.azure.activity.events
cloud.azure.ad.alerts
cloud.azure.ad.audit
cloud.azure.ad.identityprotection
cloud.azure.ad.microsoft_graph_activity_logs

Anchor
tag1
tag1
cloud.azure

Field	Type	Source field name
eventdate	`timestamp`
hostname	`str`
region	`str`
product	`str`	vproduct
type	`str`	vtype
timestamp	`str`
id	`str`
createdDateTime	`str`
userDisplayName	`str`
userPrincipalName	`str`
ipAddress	`str`
clientAppUsed	`str`
appDisplayName	`str`
status_failureReason	`str`
status_errorCode	`str`
rawMessage	`str`

✓


hostchain	`str`	✓
tag	`str`	✓

Anchor
tag2
tag2
cloud.azure.activity.events

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

region

str

host

str

category

str

timestamp

timestamp

Code Block
parsedate(timestamp_str, "YYYY-MM-DD[T]HH:mm:ss.SSSSSSSS")

timestamp_str

resourceId

str

accid

str

operationName

str

resultType

str

resultSignature

str

durationMs

int4

callerIpAddress

ip4

correlationId

str

identity_authorization_scope

str

identity_authorization_action

str

identity_authorization_evidence

str

identity_authorization_evidence_role

str

identity_authorization_evidence_roleAssignmentScope

str

identity_authorization_evidence_roleAssignmentId

str

identity_authorization_evidence_roleDefinitionId

str

identity_authorization_evidence_principalId

str

identity_authorization_evidence_principalType

str

identity_claims

str

identity_claims_onprem_sid

str

identity_claims_name

str

level

str

location

str

properties

str

properties_json

json

properties_requestbody

str

properties_statusCode

str

properties_serviceRequestId

str

properties_eventCategory

str

properties_eventName

str

properties_operationId

str

properties__hostname

str

properties__userAgent

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag3
tag3
cloud.azure.ad.alerts

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
id	`str`
azureTenantId	`str`
azureSubscriptionId	`str`
riskScore	`str`
tags	`str`
activityGroupName	`str`
assignedTo	`str`
category	`str`
closedDateTime	`timestamp`
comments	`str`
confidence	`int4`
createdDateTime	`str`
description	`str`
detectionIds	`str`
eventDateTime	`str`
feedback	`str`
incidentIds	`str`
lastModifiedDateTime	`str`
recommendedActions	`str`
severity	`str`
sourceMaterials	`str`
status	`str`
title	`str`
vendorInformation__provider	`str`
vendorInformation__providerVersion	`str`
vendorInformation__subProvider	`str`
vendorInformation__vendor	`str`
cloudAppStates_json	`json`
fileStates_json	`json`
hostStates_json	`json`
historyStates_json	`json`
malwareStates_json	`json`
networkConnections_json	`json`
processes_json	`json`
registryKeyStates_json	`json`
securityResources_json	`json`
triggers_json	`json`
userStates_json	`json`
vulnerabilityStates_json	`json`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag4
tag4
cloud.azure.ad.audit

Field	Type	Extra fields
eventdate	`timestamp`
region	`str`
timestamp	`timestamp`
resourceId	`str`
operationName	`str`
operationVersion	`str`
category	`str`
tenantId	`str`
resultSignature	`str`
resultDescription	`str`
durationMs	`int4`
callerIpAddress	`str`
correlationId	`str`
identity	`str`
level	`str`
Level	`int4`
properties_id	`str`
properties_category	`str`
properties_correlationId	`str`
properties_result	`str`
properties_resultReason	`str`
properties_activityDisplayName	`str`
properties_activityDateTime	`str`
properties_loggedByService	`str`
properties_operationType	`str`
properties_initiatedBy_user_id	`str`
properties_initiatedBy_user_displayName	`str`
properties_initiatedBy_user_userPrincipalName	`str`
properties_initiatedBy_user_ipAddress	`str`
properties_initiatedBy_app_appId	`str`
properties_initiatedBy_app_displayName	`str`
properties_initiatedBy_app_servicePrincipalId	`str`
properties_initiatedBy_app_servicePrincipalName	`str`
properties_targetResources	`json`
properties_additionalDetails	`json`
at_devo_collector_version	`int4`
at_entry_offset	`str`
at_enqueued_time	`timestamp`
rawJson	`json`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag5
tag5
cloud.azure.ad.identityprotection

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
region	`str`
id	`str`
requestId	`str`
correlationId	`str`
riskEventType	`str`
riskState	`str`
riskLevel	`str`
riskDetail	`str`
source	`str`
detectionTimingType	`str`
activity	`str`
tokenIssuerType	`str`
ipAddress	`ip4`
activityDateTime	`str`
detectedDateTime	`str`
lastUpdatedDateTime	`str`
userId	`str`
userDisplayName	`str`
userPrincipalName	`str`
additionalInfo	`str`
location__city	`str`
location__state	`str`
location__countryOrRegion	`str`
location__geoCoordinates__latitude	`float8`
location__geoCoordinates__longitude	`float8`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

rw-tab

Anchor

title

tag6

6-10

tag6
cloud.azure.ad.

noninteractive

microsoft_graph_

user

activity_

signin

cloud.azure.ad.provisioning

cloud.azure.ad.risky_service_principals

cloud.azure.ad.risky_users

cloud.azure.ad.service_principal_risk_events

Anchor

tag6 tag6

Field

Type

Source field name

Extra fields

eventdate

timestamp

hostname

str

region

str

rawMessage

str

rawSource

timestamp

timestamp

resourceId

str

signInEventTypes

str

operationName

str

operationVersion

str

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
time	`str`
resource_id	`str`
operation_name	`str`
operation_version	`str`
category	`str`

tenantId

str

resultType


tenant_id	`str`

resultSignature


result_signature	`str`

resultDescription

str

durationMs


duration_ms	`int4`

callerIpAddress

str

correlationId

identity

caller_ip_str

str

Level

int4

location

str

properties

json

properties_id

str

properties_createdDateTime

str

properties_userDisplayName

str

properties_userPrincipalName

str

properties_userId

str

properties_appId

str

properties_appDisplayName

caller_ip_ip4

ip4

Code Block
ip4(caller_ip_str)

caller_ip_str

caller_ip_ip6

ip6

Code Block
ip6(caller_ip_str)

caller_ip_str

correlation_id

str

level2

int4

destination_location

str

properties__

ipAddress

time_generated	`str`
properties_

status

_

errorCode

location

str

int4


properties_

status

_request_

failureReason

id	`str`
properties__operation_

clientAppUsed

id	`str`
properties_

userAgent

_client_request_id	`str`
properties__

deviceDetail

api_

operatingSystem

version	`str`
properties__

deviceDetail

request_

browser

method	`str`
properties__

deviceDetail_deviceIdstr

response_status_code	`int4`
properties_

deviceDetail

_tenant_

displayName

id	`str`
properties_

deviceDetail_isCompliantbool

_ip_address_str	`str`
properties_

deviceDetail_isManaged

bool

properties_deviceDetail_trustType

str

properties_location_city

str

properties_location_state

str

properties_location_countryOrRegion

str

properties_location_geoCoordinates_latitude

float8

properties_location_geoCoordinates_longitude

float8

properties_mfaDetail_authMethod

str

_ip_address_ip4

ip4

Code Block
ip4(properties__ip_address_str)

properties__ip_address_str

properties__ip_address_ip6

ip6

Code Block
ip6(properties__ip_address_str)

properties__ip_address_str

properties__user_agent

str

properties__request_uri

str

properties_

mfaDetail

_

authDetailstr

duration_ms	`int4`
properties_

correlationIdstr

_response_size_bytes	`int4`
properties_

conditionalAccessStatus

_sign_in_activity_id	`str`
properties__

originalRequestId

roles	`str`
properties_

isInteractive

bool

properties_tokenIssuerName

str

_token_issued_at	`timestamp`
properties__app_

tokenIssuerType

id

str

properties_processingTimeInMilliseconds

int4


properties__user_

riskDetail

id	`str`
properties_

riskLevelAggregated

_service_principal_id	`str`
properties_

riskLevelDuringSignIn

_scopes	`str`
properties__identity_

riskState

provider	`str`
properties_

resourceDisplayName

_client_auth_method	`str`
properties__

resourceId

wids	`str`
properties_

resourceTenantIdstr

_at_content

str

properties_homeTenantId

at_devo_collector_version

int4

properties_alternateSignInName

str

properties

at_entry_

signInIdentifier

offset

str

properties_signInIdentifierType

int4

properties_servicePrincipalId

str

properties_userType

str

properties_flaggedForReview

bool

isTenantRestricted

bool

autonomousSystemNumber

int4

crossTenantAccessType


at_enqueued_time	`timestamp`
timestamp	`timestamp`
hostchain	`str`

servicePrincipalCredentialKeyId

str

✓

servicePrincipalCredentialThumbprint

tag

str

uniqueTokenIdentifier

str

incomingTokenType

✓

str

rawMessage

authenticationProtocol

str

resourceServicePrincipalId

str

authenticationContextClassReferences

✓

str

Versions Compared

Old Version 3

New Version Current

Key

logs

Anchor
tag1
tag1
cloud.azure

Anchor
tag2
tag2
cloud.azure.activity.events

Anchor
tag3
tag3
cloud.azure.ad.alerts

Anchor
tag4
tag4
cloud.azure.ad.audit

Anchor
tag5
tag5
cloud.azure.ad.identityprotection

Anchor

tag6

tag6
cloud.azure.ad.

microsoft_graph_

activity_

Anchor
tag6
tag6
cloud.azure.ad.noninteractive_user_signin

Anchor

tag7

tag7
cloud.azure.ad.

provisioning

Anchor

tag8

tag8
cloud.azure.ad.

risky_service_principals

Anchor
tag9
tag9
cloud.azure.ad.risky_users

Anchor
tag10
tag10
cloud.azure.ad.service_principal_risk_events

Anchor
tag11
tag11
cloud.azure.ad.service_principal_signin

Anchor
tag13
tag13
cloud.azure.ad.user_risk_events

Anchor
tag14
tag14
cloud.azure.aks

Anchor
tag15
tag15
cloud.azure.aks.cluster_autoscaler

Anchor
tag16
tag16
cloud.azure.aks.containerlog

Anchor
tag17
tag17
cloud.azure.aks.guard

Anchor
tag18
tag18
cloud.azure.aks.kube_apiserver

Anchor
tag19
tag19
cloud.azure.aks.kube_audit_admin

Anchor
tag20
tag20
cloud.azure.aks.kube_controller_manager

properties_targetSystem_details_dynamicProperties_ApplicationId	`str`
properties_targetSystem_details_dynamicProperties_ServicePrincipalId	`str`
properties_targetSystem_details_dynamicProperties_ServicePrincipalDisplayName	`str`
properties_targetSystem_Id	`str`
properties_targetSystem_Name	`str`
properties_initiatedBy_Type	`str`
properties_initiatedBy_Id	`str`
properties_initiatedBy_Name	`str`
properties_sourceIdentity_identityType	`str`
properties_sourceIdentity_details_dynamicProperties	`str`
properties_sourceIdentity_Id	`str`
properties_sourceIdentity_Name	`str`
properties_targetIdentity_identityType	`str`
properties_targetIdentity_details_dynamicProperties	`str`
properties_targetIdentity_Id	`str`
properties_targetIdentity_Name	`str`
properties_statusInfo_ErrorCode	`str`
properties_statusInfo_Reason	`str`
properties_statusInfo_AdditionalDetails	`str`
properties_statusInfo_ErrorCategory	`str`
properties_statusInfo_RecommendedAction	`str`
properties_statusInfo_Status	`int4`
properties_provisioningSteps	`json`
properties_modifiedProperties	`str`
properties_durationInMilliseconds	`int4`
provisioningAction	`str`
at_devo_collector_version	`int4`
at_entry_offset	`str`
at_enqueued_time	`timestamp`

Field	Type	Extra fields
Extra fields	`timestamp`
hostname	`str`
region	`str`
category	`str`
correlationId	`str`
durationMs	`int4`
properties__id	`str`
identity	`str`
properties__isDeleted	`bool`
properties__isGuest	`bool`
properties__isProcessing	`bool`
level	`int4`
location	`str`
operationName	`str`
operationVersion	`str`
resourceId	`str`
resultSignature	`str`
properties__riskDetail	`str`
properties__riskLastUpdatedDateTime_str	`str`
properties__riskLevel	`str`
properties__riskState	`str`
tenantId	`str`
timeGenerated_str	`str`
properties__userDisplayName	`str`
properties__userPrincipalName	`str`
properties__sourceSystem	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Page Comparison

Versions Compared

Old Version 3

New Version Current

Key

Anchortag1tag1cloud.azure

Anchortag2tag2cloud.azure.activity.events

Anchortag3tag3cloud.azure.ad.alerts

Anchortag4tag4cloud.azure.ad.audit

Anchortag5tag5cloud.azure.ad.identityprotection

Anchor

tag6

tag6cloud.azure.ad.

microsoft_graph_

activity_

logs

Anchortag6tag6cloud.azure.ad.noninteractive_user_signin

Anchor

tag7

tag7cloud.azure.ad.

provisioning

Anchor

tag8

tag8cloud.azure.ad.

risky_service_principals

Anchortag9tag9cloud.azure.ad.risky_users

Anchortag10tag10cloud.azure.ad.service_principal_risk_events

Anchortag11tag11cloud.azure.ad.service_principal_signin

Anchortag12tag12cloud.azure.ad.signin

Anchortag13tag13cloud.azure.ad.user_risk_events

Anchortag14tag14cloud.azure.aks

Anchortag15tag15cloud.azure.aks.cluster_autoscaler

Anchortag16tag16cloud.azure.aks.containerlog

Anchortag17tag17cloud.azure.aks.guard

Anchortag18tag18cloud.azure.aks.kube_apiserver

Anchortag19tag19cloud.azure.aks.kube_audit_admin

Anchortag20tag20cloud.azure.aks.kube_controller_manager

Anchor
tag1
tag1
cloud.azure

Anchor
tag2
tag2
cloud.azure.activity.events

Anchor
tag3
tag3
cloud.azure.ad.alerts

Anchor
tag4
tag4
cloud.azure.ad.audit

Anchor
tag5
tag5
cloud.azure.ad.identityprotection

tag6
cloud.azure.ad.

Anchor
tag6
tag6
cloud.azure.ad.noninteractive_user_signin

tag7
cloud.azure.ad.

tag8
cloud.azure.ad.

Anchor
tag9
tag9
cloud.azure.ad.risky_users

Anchor
tag10
tag10
cloud.azure.ad.service_principal_risk_events

Anchor
tag11
tag11
cloud.azure.ad.service_principal_signin

Anchor
tag12
tag12
cloud.azure.ad.signin

Anchor
tag13
tag13
cloud.azure.ad.user_risk_events

Anchor
tag14
tag14
cloud.azure.aks

Anchor
tag15
tag15
cloud.azure.aks.cluster_autoscaler

Anchor
tag16
tag16
cloud.azure.aks.containerlog

Anchor
tag17
tag17
cloud.azure.aks.guard

Anchor
tag18
tag18
cloud.azure.aks.kube_apiserver

Anchor
tag19
tag19
cloud.azure.aks.kube_audit_admin

Anchor
tag20
tag20
cloud.azure.aks.kube_controller_manager