Reference for AADRiskyUsers table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Entra |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| CorrelationId | string | The ID for correlated log analytics events. Can be used to identify correlated events between multiple tables. |
| Id | string | Unique ID of the user at risk. |
| IsDeleted | bool | Indicates whether the user is deleted. |
| IsProcessing | bool | Indicates whether a user's risky state is being processed by the backend. |
| OperationName | string | Name of the operation. |
| RiskDetail | string | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
| RiskLastUpdatedDateTime | datetime | The date and time that the risky user was last updated in UTC. |
| RiskLevel | string | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| RiskState | string | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The date and time of the event in UTC. |
| Type | string | The name of the table |
| UserDisplayName | string | Risky user display name. |
| UserPrincipalName | string | Risky user principal name. |
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| Microsoft Entra ID | |
GitHub Only:
| Workbook | Selection Criteria |
|---|---|
| AzureLogCoverage | |
| MicrosoftSentinelDeploymentandMigrationTracker | |
| SentinelWorkspaceReconTools | |