Reference for AADRiskyServicePrincipals table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Entra |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| AccountEnabled | bool | true if the service principal account is enabled; otherwise, false. |
| AppId | string | The globally unique identifier for the associated application (its appId property), if any. |
| CorrelationId | string | The ID for correlated log analytics events. Can be used to identify correlated events between multiple tables. |
| DisplayName | string | The display name for the service principal. |
| Id | string | The unique identifier assigned to the service principal at risk. Inherited from entity. |
| IsProcessing | bool | Indicates whether Azure AD is currently processing the service principal's risky state. |
| OperationName | string | Name of the operation. |
| RiskDetail | string | Details of the detected risk. |
| RiskLastUpdatedDateTime | datetime | The date and time that the risk state was last updated in UTC. |
| RiskLevel | string | Level of the detected risky workload identity. The possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| RiskState | string | State of the service principal's risk. The possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| ServicePrincipalType | string | Identifies whether the service principal represents an Application, a Managed Identity, or a legacy application (social IdP). |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time of the event in UTC. |
| Type | string | The name of the table |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Entra ID | |
In solution Microsoft Entra ID:
| Workbook | Selection Criteria |
|---|---|
| ConditionalAccessSISM | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AzureLogCoverage | |