AADRiskyServicePrincipals
Risky ServicePrincipals Overview:
The following provides the schema for the RiskyServicePrincipal logs that are generated by Identity Protection.
Schema:
Column | Type | Description |
---|---|---|
AccountEnabled | bool | true if the service principal account is enabled; otherwise, false. |
AppId | string | The globally unique identifier for the associated application (its appId property), if any. |
_BilledSize | real | The record size in bytes |
CorrelationId | string | The ID for correlated log analytics events. Can be used to identify correlated events between multiple tables. |
DisplayName | string | The display name for the service principal. |
Id | string | The unique identifier assigned to the service principal at risk. Inherited from entity. |
_IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is |
IsProcessing | bool | Indicates whether Azure AD is currently processing the service principal's risky state. |
OperationName | string | Name of the operation. |
RiskDetail | string | Details of the detected risk. |
RiskLastUpdatedDateTime | datetime | The date and time that the risk state was last updated in UTC. |
RiskLevel | string | Level of the detected risky workload identity. The possible values are: low, medium, high, hidden, none, unknownFutureValue. |
RiskState | string | State of the service principal's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
ServicePrincipalType | string | Identifies whether the service principal represents an Application, a Managed Identity, or a legacy application (social IdP). |
SourceSystem | string | The type of agent the event was collected by. For example, |
TenantId | string | The Log Analytics workspace ID |
TimeGenerated | datetime | The date and time of the event in UTC. |
Type | string | The name of the table |
Last updated