Applies to:

  • Microsoft 365 Defender


The AADSignInEventsBeta table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. We will eventually move all sign-in schema information to the IdentityLogonEvents table.

Customers who can access Microsoft 365 Defender through the Azure Security Center’s integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.

[!NOTE] The AADSignInEventsBeta table in the advanced hunting schema contains information about Azure Active Directory interactive and non-interactive sign-ins. Learn more about sign-ins in Azure Active Directory sign-in activity reports - preview.

Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see the advanced hunting reference.

| Column name | Data type | Description |
|---|---|---|
| Timestamp | datetime | Date and time when the record was generated |
| Application | string | Application that performed the recorded action |
| ApplicationId | string | Unique identifier for the application |
| LogonType | string | Type of logon session, specifically interactive, remote interactive (RDP), network, batch, and service |
| ErrorCode | int | Contains the error code if a sign-in error occurs. To find a description of a specific error code, visit https://aka.ms/AADsigninsErrorCodes. |
| CorrelationId | string | Unique identifier of the sign-in event |
| SessionId | string | Unique number assigned to a user by a website's server for the duration of the visit or session |
| AccountDisplayName | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |
| AccountObjectId | string | Unique identifier for the account in Azure AD |
| AccountUpn | string | User principal name (UPN) of the account |
| IsExternalUser | int | Indicates if the user that signed in is external. Possible values: -1 (not set), 0 (not external), 1 (external). |
| IsGuestUser | boolean | Indicates whether the user that signed in is a guest in the tenant |
| AlternateSignInName | string | On-premises user principal name (UPN) of the user signing in to Azure AD |
| LastPasswordChangeTimestamp | datetime | Date and time when the user that signed in last changed their password |
| ResourceDisplayName | string | Display name of the resource accessed |
| ResourceId | string | Unique identifier of the resource accessed |
| ResourceTenantId | string | Unique identifier of the tenant of the resource accessed |
| DeviceName | string | Fully qualified domain name (FQDN) of the machine |
| AadDeviceId | string | Unique identifier for the device in Azure AD |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| DeviceTrustType | string | Indicates the trust type of the device that signed in. For managed device scenarios only. Possible values are Workplace, AzureAd, and ServerAd. |
| IsManaged | int | Indicates whether the device that initiated the sign-in is a managed device (1) or not a managed device (0) |
| IsCompliant | int | Indicates whether the device that initiated the sign-in is compliant (1) or non-compliant (0) |
| AuthenticationProcessingDetails | string | Details about the authentication processor |
| AuthenticationRequirement | string | Type of authentication required for the sign-in. Possible values: multiFactorAuthentication (MFA was required) and singleFactorAuthentication (no MFA was required). |
| TokenIssuerType | int | Indicates if the token issuer is Azure Active Directory (0) or Active Directory Federation Services (1) |
| RiskLevelAggregated | int | Aggregated risk level during sign-in. Possible values: 0 (aggregated risk level not set), 1 (none), 10 (low), 50 (medium), or 100 (high). |
| RiskDetails | int | Details about the risky state of the user that signed in |
| RiskState | int | Indicates risky user state. Possible values: 0 (none), 1 (confirmed safe), 2 (remediated), 3 (dismissed), 4 (at risk), or 5 (confirmed compromised). |
| UserAgent | string | User agent information from the web browser or other client application |
| ClientAppUsed | string | Indicates the client app used |
| Browser | string | Details about the version of the browser used to sign in |
| ConditionalAccessPolicies | string | Details of the conditional access policies applied to the sign-in event |
| ConditionalAccessStatus | int | Status of the conditional access policies applied to the sign-in. Possible values are 0 (policies applied), 1 (attempt to apply policies failed), or 2 (policies not applied). |
| IPAddress | string | IP address assigned to the endpoint and used during related network communications |
| Country | string | Two-letter code indicating the country where the client IP address is geolocated |
| State | string | State where the sign-in occurred, if available |
| City | string | City where the account user is located |
| Latitude | string | The north to south coordinates of the sign-in location |
| Longitude | string | The east to west coordinates of the sign-in location |
| NetworkLocationDetails | string | Network location details of the authentication processor of the sign-in event |
| RequestId | string | Unique identifier of the request |
| ReportId | string | Unique identifier for the event |
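
The following hunting query is an added example, not part of the original reference. It uses only columns listed above to surface accounts whose sign-ins required a single factor, came from unmanaged devices, and carried medium or high aggregated risk. It assumes that an ErrorCode of 0 marks a successful sign-in; the 7-day window and the set-size limits are arbitrary choices.

```kusto
// Added example: risky single-factor sign-ins from unmanaged devices, per account.
AADSignInEventsBeta
| where Timestamp > ago(7d)                       // arbitrary look-back window
| where ErrorCode == 0                            // assumption: 0 = sign-in succeeded
| where AuthenticationRequirement == "singleFactorAuthentication"
| where IsManaged == 0                            // 0 = not a managed device
| where RiskLevelAggregated in (50, 100)          // 50 = medium, 100 = high
| extend PolicyGap = ConditionalAccessStatus != 0 // 1 = apply failed, 2 = not applied
| summarize
    SignIns          = count(),
    PolicyGapSignIns = countif(PolicyGap),
    FirstSeen        = min(Timestamp),
    LastSeen         = max(Timestamp),
    MaxRisk          = max(RiskLevelAggregated),
    CountryCount     = dcount(Country),
    Countries        = make_set(Country, 20),
    IPAddresses      = make_set(IPAddress, 20),
    Applications     = make_set(Application, 20),
    ClientApps       = make_set(ClientAppUsed, 20)
    by AccountUpn, AccountObjectId, IsGuestUser
// Accounts seen from several countries or with conditional access not applied sort first.
| order by CountryCount desc, PolicyGapSignIns desc, SignIns desc
```

Pivot from a result row to the individual events with CorrelationId or ReportId when triaging an account.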