CloudAppEvents

Information about activities in various cloud apps and services covered by Microsoft Cloud App Security.

Table attributes

Attribute Value
Resource types -
Categories Security
Solutions SecurityInsights
Basic log No
Ingestion-time transformation Yes
Sample Queries Yes

Columns

Column Type Description
AccountDisplayName string Name displayed in the address book entry for the account user. This is usually a combination of the given name, middle initial, and surname of the user.
AccountId string An identifier for the account as found by Microsoft Cloud App Security. Could be Azure Active Directory ID, user principal name, or other identifiers
AccountObjectId string Unique identifier for the account in Azure AD
AccountType string Type of user account, indicating its general role and access levels, such as Regular, System, Admin, Application
ActionType string Type of activity that triggered the event
ActivityObjects dynamic List of objects, such as files or folders, that were involved in the recorded activity
ActivityType string Type of activity that triggered the event
AdditionalFields dynamic Additional information about the entity or event
AppInstanceId int Unique identifier for the instance of an application
Application string Application that performed the recorded action
ApplicationId int Unique identifier for the application
_BilledSize real The record size in bytes
City string City where the client IP address is geolocated
CountryCode string Two-letter code indicating the country where the client IP address is geolocated
DeviceType string Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer
IPAddress string IP address assigned to the device during communication
IPCategory string Additional information about the IP address
IPTags dynamic Customer-defined information applied to specific IP addresses and IP address ranges
IsAdminOperation bool Indicates whether the activity was performed by an administrator
IsAnonymousProxy bool Indicates whether the IP address belongs to a known anonymous proxy
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsExternalUser bool Indicates whether a user inside the network doesn't belong to the organization's domain
IsImpersonated bool Indicates whether the activity was performed by one user for another (impersonated) user
ISP string Internet service provider associated with the IP address
ObjectId string Unique identifier of the object that the recorded action was applied to
ObjectName string Name of the object that the recorded action was applied to
ObjectType string The type of object, such as a file or a folder, that the recorded action was applied to
OSPlatform string Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7
RawEventData dynamic Raw event information from the source application or service in JSON format
ReportId string Unique identifier for the event
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
TenantId string The Log Analytics workspace ID
TimeGenerated datetime Date and time (UTC) when the record was generated
Type string The name of the table
UserAgent string User agent information from the web browser or other client application
UserAgentTags dynamic More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot