Reference Library for Microsoft Entra ID Falco Threat Detection Rules

Sysdig Secure enables you to create and customize Threat Detection Rules to secure your environment. This topic lists the fields that Falco rules can reference when evaluating Microsoft Entra ID events: the generic JSON field class, which addresses any part of the raw event by JSON pointer, and the Entra-specific field class, which exposes the commonly used attributes of sign-in and audit records directly.

Fields

Field Class: JSON

| Name | Type | Description |
| --- | --- | --- |
| json.value | CHARBUF | Extracts a value from a JSON-encoded input. Syntax is json.value[<json pointer>], where <json pointer> is a JSON pointer (see RFC 6901, https://datatracker.ietf.org/doc/html/rfc6901). |
| json.obj | CHARBUF | The full JSON message as a text string. |
| json.rawtime | CHARBUF | The time of the event, identical to evt.rawtime. |
| jevt.value | CHARBUF | Alias for json.value, provided for backwards compatibility. |
| jevt.obj | CHARBUF | Alias for json.obj, provided for backwards compatibility. |
| jevt.rawtime | CHARBUF | Alias for json.rawtime, provided for backwards compatibility. |

Field Class: Microsoft Entra ID

| Name | Type | Description |
| --- | --- | --- |
| entra.tenantId | CHARBUF | Entra tenant ID |
| entra.time | CHARBUF | Entra event time |
| entra.geo.city | CHARBUF | Entra geo city |
| entra.geo.country_or_region | CHARBUF | Entra geo country or region |
| entra.geo.lat | CHARBUF | Entra geo latitude |
| entra.geo.lon | CHARBUF | Entra geo longitude |
| entra.geo.state | CHARBUF | Entra geo state |
| entra.operation | CHARBUF | Entra operation |
| entra.operationType | CHARBUF | Entra operation type |
| entra.srcip | CHARBUF | Entra source IP |
| entra.resourceId | CHARBUF | Entra resource ID |
| entra.correlationId | CHARBUF | Entra correlation ID |
| entra.logCategory | CHARBUF | Entra log category |
| entra.eventCategory | CHARBUF | Entra event category |
| entra.userAgent | CHARBUF | Entra user agent |
| entra.appId | CHARBUF | Entra app ID |
| entra.user | CHARBUF | Entra user |
| entra.userDisplayName | CHARBUF | Entra user display name |
| entra.userRoles | CHARBUF | Entra user roles |
| entra.app | CHARBUF | Entra app |
| entra.service | CHARBUF | Entra service |
| entra.result | CHARBUF | Entra result |
| entra.resultReason | CHARBUF | Entra result reason |
| entra.errorCode | CHARBUF | Entra error code |
| entra.severity | CHARBUF | Entra severity |
| entra.clientApp | CHARBUF | Entra client app |
| entra.device.deviceId | CHARBUF | Entra device ID |
| entra.device.displayName | CHARBUF | Entra device display name |
| entra.device.browser | CHARBUF | Entra device browser |
| entra.device.operatingSystem | CHARBUF | Entra device operating system |
| entra.condAccess | CHARBUF | Entra conditional access |
| entra.isInteractive | CHARBUF | Entra is interactive |
| entra.idProvider | CHARBUF | Entra ID provider |
| entra.idProviderType | CHARBUF | Entra ID provider type |
| entra.authProcDetails | CHARBUF | Entra authentication processing details |
| entra.networkDetails | CHARBUF | Entra network details |
| entra.risk | CHARBUF | Entra risk |
| entra.aggrRisk | CHARBUF | Entra aggregated risk |
| entra.signinRisk | CHARBUF | Entra sign-in risk |
| entra.riskEvents | CHARBUF | Entra risk events |
| entra.signinResource | CHARBUF | Entra sign-in resource |
| entra.homeTenantId | CHARBUF | Entra home tenant ID |
| entra.authDetails | CHARBUF | Entra authentication details |
| entra.authReqPolicies | CHARBUF | Entra authentication requirement policies |
| entra.sessionPolicies | CHARBUF | Entra session policies |
| entra.authReq | CHARBUF | Entra authentication requirement |
| entra.servicePrincipalId | CHARBUF | Entra service principal ID |
| entra.userType | CHARBUF | Entra user type |
| entra.flaggedFailure | CHARBUF | Entra flagged failure |
| entra.asn | CHARBUF | Entra autonomous system number |
| entra.crossTenantType | CHARBUF | Entra cross-tenant type |
| entra.authStrengths | CHARBUF | Entra authentication strengths |
| entra.tokenType | CHARBUF | Entra token type |
| entra.authProtocol | CHARBUF | Entra authentication protocol |
| entra.appServicePrincipalId | CHARBUF | Entra app service principal ID |
| entra.resServicePrincipalId | CHARBUF | Entra resource service principal ID |
| entra.tokenProtection | CHARBUF | Entra token protection |
| entra.transferMethod | CHARBUF | Entra transfer method |
| entra.targetResourceOfType.displayName | CHARBUF | Entra target resource display name, filtered by type |
| entra.targetResourceOfType.userPrincipalName | CHARBUF | Entra target resource user principal name, filtered by type |
| entra.targetResourceOfType.id | CHARBUF | Entra target resource ID, filtered by type |
| entra.targetResourceOfType.propertyWithDisplayName.oldValue | CHARBUF | Entra target resource property old value, filtered by type and property display name |
| entra.targetResourceOfType.propertyWithDisplayName.newValue | CHARBUF | Entra target resource property new value, filtered by type and property display name |
| entra.targetResourceOfType.propertyWithDisplayName.displayName | CHARBUF | Entra target resource property display name, filtered by type and property display name |
| entra.targetUsers | LIST(CHARBUF) | Entra target users |
| entra.targetNames | LIST(CHARBUF) | Entra target names |
| entra.targetTypes | LIST(CHARBUF) | Entra target types |
| entra.targetIds | LIST(CHARBUF) | Entra target IDs |
| entra.condAccessPolicies | LIST(CHARBUF) | Entra conditional access policies |
| entra.additionalDetail | CHARBUF | Extracts a value from the additionalDetail JSON in the input. Syntax is entra.additionalDetail[<json pointer>], where <json pointer> is a JSON pointer (see RFC 6901, https://datatracker.ietf.org/doc/html/rfc6901). |
| entra.targetResources.propertyOldValue | CHARBUF | Extracts from properties.targetResources[arg1].modifiedProperties[arg2].oldValue[] |
| entra.targetResources.propertyNewValue | CHARBUF | Extracts from properties.targetResources[arg1].modifiedProperties[arg2].newValue[] |
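Both json.value and entra.additionalDetail take an RFC 6901 JSON pointer as their argument, and a rule author needs to know how that pointer walks the event: segments are separated by "/", "~1" and "~0" decode to "/" and "~" (in that order), and numeric segments index arrays. The Python below is an added example, not Sysdig or Falco code: it resolves such pointers against a constructed Entra sign-in record (its key layout is an assumption, not real tenant data) and then combines two lookups the way a rule condition would. Returning an empty string when a pointer does not resolve is this example's convention, not a documented Falco guarantee.

```python
"""Resolve RFC 6901 JSON pointers as a json.value[<pointer>] argument would.

Added example, not Sysdig/Falco code. SAMPLE_EVENT is constructed to look
like an Entra ID sign-in log record; its exact key layout is an assumption.
"""
import json
from typing import Any

# Constructed sample event (shape assumed, not taken from a real tenant).
SAMPLE_EVENT = json.dumps({
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "time": "2024-01-01T00:00:00Z",
    "operationName": "Sign-in activity",
    "category": "SignInLogs",
    "callerIpAddress": "203.0.113.10",
    "properties": {
        "userPrincipalName": "alice@example.com",
        "riskLevelDuringSignIn": "high",
        "isInteractive": True,
        "appliedConditionalAccessPolicies": [
            {"displayName": "Require MFA", "result": "failure"},
        ],
        # Keys containing "/" and "~" must be escaped in the pointer.
        "a/b": {"m~n": "escaped keys"},
    },
})


def _unescape(token: str) -> str:
    # RFC 6901 section 4: decode "~1" to "/" first, then "~0" to "~".
    return token.replace("~1", "/").replace("~0", "~")


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """Return the value at `pointer`; raise if any segment is absent."""
    if pointer == "":
        return doc  # the empty pointer addresses the whole document
    if not pointer.startswith("/"):
        raise ValueError("a non-empty JSON pointer must start with '/'")
    node = doc
    for raw in pointer.split("/")[1:]:
        token = _unescape(raw)
        if isinstance(node, list):
            if not token.isdigit():  # "-" (append position) is not readable
                raise IndexError(f"array segment must be numeric: {token!r}")
            node = node[int(token)]
        elif isinstance(node, dict):
            node = node[token]
        else:
            raise KeyError(f"cannot descend into scalar with {token!r}")
    return node


def json_value(event_text: str, pointer: str) -> str:
    """Mimic json.value[<pointer>]: the matched value rendered as text.

    Assumption: strings come back bare, other JSON values as compact JSON
    (so booleans are "true"/"false"), and an unresolvable pointer yields "".
    """
    try:
        value = resolve_pointer(json.loads(event_text), pointer)
    except (KeyError, IndexError, ValueError, TypeError):
        return ""
    if isinstance(value, str):
        return value
    return json.dumps(value, separators=(",", ":"))


def high_risk_interactive_signin(event_text: str) -> bool:
    """A rule condition built from two pointer lookups, equivalent in spirit to
    json.value[/category]=SignInLogs and json.value[/properties/riskLevelDuringSignIn]=high
    and json.value[/properties/isInteractive]=true (hypothetical rule)."""
    return (
        json_value(event_text, "/category") == "SignInLogs"
        and json_value(event_text, "/properties/riskLevelDuringSignIn") == "high"
        and json_value(event_text, "/properties/isInteractive") == "true"
    )


if __name__ == "__main__":
    for p in ("/properties/riskLevelDuringSignIn",
              "/properties/appliedConditionalAccessPolicies/0/displayName",
              "/properties/a~1b/m~0n",
              "/properties/isInteractive",
              "/properties/doesNotExist"):
        print(f"{p:60s} -> {json_value(SAMPLE_EVENT, p)!r}")
    print("high-risk interactive sign-in:", high_risk_interactive_signin(SAMPLE_EVENT))
```

When writing a condition, escape any "/" or "~" inside a key name in the pointer itself rather than in the rule text around it, and remember that a pointer into an array needs the numeric index of the element, which is why the list-typed entra.* fields (entra.condAccessPolicies and friends) are often the easier choice for matching across all elements.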