Reference for the AADServicePrincipalSignInLogs table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Entra |
| Basic Logs Eligible | ✓ Yes |
| Supports Transformations | ✓ Yes |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account |
| AADTenantId | string | ID of the AAD tenant. |
| Agent | string | Details of agentic sign-in. |
| AppId | string | Unique GUID representing the app ID in the Azure Active Directory |
| AppOwnerTenantId | string | The tenant identifier of the owner of the application in Azure Active Directory |
| AuthenticationContextClassReferences | string | The authentication contexts of the sign-in |
| AuthenticationProcessingDetails | string | Provides the details associated with authentication processor |
| AutonomousSystemNumber | string | Autonomous System Number for the network. |
| Category | string | Category of the sign-in event |
| ClientCredentialType | string | The type of client credential used. Examples include client assertion, client secret, etc. |
| ConditionalAccessAudiences | string | Details of the conditional access audiences being applied for the sign-in. |
| ConditionalAccessPolicies | string | Details of the conditional access policies being applied for the sign-in |
| ConditionalAccessStatus | string | Status of all the conditionalAccess policies related to the sign-in |
| CorrelationId | string | ID to provide sign-in trail |
| CreatedDateTime | datetime | Datetime of the sign-in activity. |
| DurationMs | long | The duration of the operation in milliseconds |
| FederatedCredentialId | string | The identifier of an application's federated identity credential, if a federated identity credential was used to sign in. |
| Id | string | Unique ID representing the sign-in activity |
| Identity | string | The identity from the token that was presented when you made the request. It can be a user account, system account, or service principal |
| IPAddress | string | IP address of the client used to sign in |
| Level | string | The severity level of the event |
| Location | string | The region of the resource emitting the event |
| LocationDetails | string | Details of the sign-in location |
| NetworkLocationDetails | string | Details of the network location of the sign-in, such as the type of network and the named locations it matched. |
| OperationName | string | For sign-ins, this value is always Sign-in activity |
| OperationVersion | string | The REST API version that's requested by the client |
| ResourceDisplayName | string | Name of the resource that the service principal signed into |
| ResourceGroup | string | Resource group for the logs |
| ResourceIdentity | string | ID of the resource that the service principal signed into |
| ResourceOwnerTenantId | string | The tenant identifier of the owner of the resource referenced in the sign in |
| ResourceServicePrincipalId | string | Service Principal Id of the resource |
| ResultDescription | string | Provides the error description for the sign-in operation |
| ResultSignature | string | Contains the error code, if any, for the sign-in operation |
| ResultType | string | The result of the sign-in operation, Success or Failure. In the stored data a value of 0 is a success and any other value is the error code for the failure |
| ServicePrincipalCredentialKeyId | string | Key id of the service principal that initiated the sign-in |
| ServicePrincipalCredentialThumbprint | string | Thumbprint of the service principal that initiated the sign-in |
| ServicePrincipalId | string | ID of the service principal who initiated the sign-in |
| ServicePrincipalName | string | Service Principal Name of the service principal who initiated the sign-in |
| SessionId | string | Id of the session that was generated during the signIn. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time of the event in UTC |
| Type | string | The name of the table |
| UniqueTokenIdentifier | string | Unique token identifier for the request |
| UserAgent | string | User Agent for the sign-in |
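The columns above are enough to implement the most common detection built on this table, a service principal that successfully authenticates from a country it has never been seen in before. The block below is an added example, not part of the Azure Monitor reference or of any Sentinel content item: it emulates that logic offline in Python over constructed records that use the table's column names (ServicePrincipalId, ResultType, LocationDetails, TimeGenerated). The 14-day baseline, the 24-hour detection window and the sample values are assumptions. In Sentinel the same check would be written in KQL against the live table.

```python
"""Offline emulation of a "service principal sign-in from a new country" check
over records shaped like the AADServicePrincipalSignInLogs table.

Added example, not Microsoft or Sentinel content. The records, the reference
time and the baseline/window sizes are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample records. ResultType "0" is a successful token issuance;
# LocationDetails is the JSON string the table stores (only countryOrRegion
# is populated here). One record carries a malformed LocationDetails on purpose.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-05-02T08:00:00Z", "ServicePrincipalId": "sp-a", "ServicePrincipalName": "billing-exporter",
     "ResultType": "0", "IPAddress": "203.0.113.10", "LocationDetails": '{"countryOrRegion":"US"}',
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientSecret"},
    {"TimeGenerated": "2024-05-06T08:00:00Z", "ServicePrincipalId": "sp-a", "ServicePrincipalName": "billing-exporter",
     "ResultType": "0", "IPAddress": "203.0.113.10", "LocationDetails": '{"countryOrRegion":"US"}',
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientSecret"},
    {"TimeGenerated": "2024-05-10T08:00:00Z", "ServicePrincipalId": "sp-a", "ServicePrincipalName": "billing-exporter",
     "ResultType": "0", "IPAddress": "198.51.100.7", "LocationDetails": '{"countryOrRegion":"DE"}',
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientSecret"},
    {"TimeGenerated": "2024-05-15T09:30:00Z", "ServicePrincipalId": "sp-a", "ServicePrincipalName": "billing-exporter",
     "ResultType": "0", "IPAddress": "192.0.2.55", "LocationDetails": '{"countryOrRegion":"BR"}',
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientSecret"},
    {"TimeGenerated": "2024-05-15T10:00:00Z", "ServicePrincipalId": "sp-a", "ServicePrincipalName": "billing-exporter",
     "ResultType": "0", "IPAddress": "203.0.113.10", "LocationDetails": '{"countryOrRegion":"US"}',
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientSecret"},
    {"TimeGenerated": "2024-05-03T12:00:00Z", "ServicePrincipalId": "sp-b", "ServicePrincipalName": "backup-runner",
     "ResultType": "0", "IPAddress": "203.0.113.200", "LocationDetails": '{"countryOrRegion":"NL"}',
     "ResourceDisplayName": "Azure Storage", "ClientCredentialType": "certificate"},
    # Failed attempt from a new country: not a successful sign-in, so ignored here.
    {"TimeGenerated": "2024-05-15T11:00:00Z", "ServicePrincipalId": "sp-b", "ServicePrincipalName": "backup-runner",
     "ResultType": "7000215", "IPAddress": "192.0.2.99", "LocationDetails": '{"countryOrRegion":"CN"}',
     "ResourceDisplayName": "Azure Storage", "ClientCredentialType": "clientSecret"},
    # Principal with no history in the baseline window.
    {"TimeGenerated": "2024-05-15T11:30:00Z", "ServicePrincipalId": "sp-c", "ServicePrincipalName": "new-pipeline",
     "ResultType": "0", "IPAddress": "198.51.100.42", "LocationDetails": '{"countryOrRegion":"JP"}',
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientAssertion"},
    # Malformed location payload: must not crash the check.
    {"TimeGenerated": "2024-05-15T11:45:00Z", "ServicePrincipalId": "sp-a", "ServicePrincipalName": "billing-exporter",
     "ResultType": "0", "IPAddress": "203.0.113.10", "LocationDetails": "not json",
     "ResourceDisplayName": "Microsoft Graph", "ClientCredentialType": "clientSecret"},
]

# Constructed reference time standing in for now() when the rule runs.
NOW = datetime(2024, 5, 15, 12, 0, 0, tzinfo=timezone.utc)


def _ts(value: str) -> datetime:
    """TimeGenerated is UTC ISO-8601; accept a trailing Z on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_country(record: dict) -> Optional[str]:
    """Extract countryOrRegion from the LocationDetails JSON string, or None."""
    try:
        details = json.loads(record.get("LocationDetails") or "{}")
    except json.JSONDecodeError:
        return None
    if not isinstance(details, dict):
        return None
    return details.get("countryOrRegion") or None


def new_country_signins(records, now=NOW, lookback_days=14, window_hours=24):
    """Flag successful sign-ins in the last window from a country absent from
    the principal's baseline. Principals with no baseline are reported apart,
    since "new country" is meaningless for a first-seen identity."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = now - timedelta(days=lookback_days)
    baseline = defaultdict(set)
    recent = []
    for r in records:
        if r.get("ResultType") != "0":
            continue  # failures neither build nor break the baseline
        country = parse_country(r)
        if country is None:
            continue  # unparseable location: nothing to compare
        t = _ts(r["TimeGenerated"])
        if baseline_start <= t < window_start:
            baseline[r["ServicePrincipalId"]].add(country)
        elif window_start <= t <= now:
            recent.append((r, country))
    alerts, no_baseline = [], set()
    for r, country in recent:
        sp = r["ServicePrincipalId"]
        if sp not in baseline:
            no_baseline.add(sp)
        elif country not in baseline[sp]:
            alerts.append({
                "TimeGenerated": r["TimeGenerated"], "ServicePrincipalId": sp,
                "ServicePrincipalName": r.get("ServicePrincipalName"), "NewCountry": country,
                "KnownCountries": sorted(baseline[sp]), "IPAddress": r.get("IPAddress"),
                "ResourceDisplayName": r.get("ResourceDisplayName"),
                "ClientCredentialType": r.get("ClientCredentialType"),
            })
    return {"alerts": alerts, "no_baseline": sorted(no_baseline)}


if __name__ == "__main__":
    print(json.dumps(new_country_signins(SAMPLE_RECORDS), indent=2))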
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Entra ID | |
In solution Lumen Defender Threat Feed:
| Analytic Rule | Selection Criteria |
|---|---|
| Lumen TI IPAddress in IdentityLogonEvents | |
In solution Microsoft Entra ID:
| Analytic Rule | Selection Criteria |
|---|---|
| Suspicious Service Principal creation activity | |
Standalone Content:
| Analytic Rule | Selection Criteria |
|---|---|
| Service Principal Authentication Attempt from New Country | |
GitHub Only:
| Hunting Query | Selection Criteria |
|---|---|
| Dormant Service Principal Update Creds and Logs In | |
In solution AzureSecurityBenchmark:
| Workbook | Selection Criteria |
|---|---|
| AzureSecurityBenchmark | |
In solution CybersecurityMaturityModelCertification(CMMC)2.0:
| Workbook | Selection Criteria |
|---|---|
| CybersecurityMaturityModelCertification_CMMCV2 | |
In solution MaturityModelForEventLogManagementM2131:
| Workbook | Selection Criteria |
|---|---|
| MaturityModelForEventLogManagement_M2131 |
In solution Microsoft Entra ID:
| Workbook | Selection Criteria |
|---|---|
| ConditionalAccessSISM | OperationName in "Add conditional access policy, Add member to group, Add member to restricted management administrative unit, Delete conditional access policy, Remove member from group, Remove member from restricted management administrative unit, Update conditional access policy, Update group" |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AADServicePrincipalSignInLogs | |
| AzureLogCoverage | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SentinelWorkspaceReconTools | |
| SolarWindsPostCompromiseHunting | |
| Parser | Schema | Product | Selection Criteria |
|---|---|---|---|
| ASimAuthenticationAADServicePrincipalSignInLogs | Authentication | Microsoft Entra ID | |
References by selection criteria: 0 connectors, 1 content item, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| OperationName in "Add conditional access policy, Add member to group, Add member to restricted management administrative unit, Delete conditional access policy, Remove member from group, Remove member from restricted management administrative unit, Update conditional access policy, Update group" | - | 1 | - | - | 1 |
| Total | 0 | 1 | 0 | 0 | 1 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Add conditional access policy | - | 1 | - | - | 1 |
| Add member to group | - | 1 | - | - | 1 |
| Add member to restricted management administrative unit | - | 1 | - | - | 1 |
| Delete conditional access policy | - | 1 | - | - | 1 |
| Remove member from group | - | 1 | - | - | 1 |
| Remove member from restricted management administrative unit | - | 1 | - | - | 1 |
| Update conditional access policy | - | 1 | - | - | 1 |
| Update group | - | 1 | - | - | 1 |