We recently started to ingest Microsoft's Azure sign-in events, and one thing I've noticed is that some values from the clientAppUsed field throw off the Geographically Improbable Access Detected alert.
I stopped the acceleration on the Authentication data model so I could go in and see if I could add the field clientAppUsed, but it's not coming up as a field to be added (using the 'Add Auto-Extracted Field' option).
If I run a search on index=azuread the clientAppUsed field is parsed automatically, but it seems to not present itself within the Authentication data model.
How can I add the clientAppUsed field in the Authentication data model so I can then work to filter some values out to fix the false positives in the Geographically Improbable Access Detected alert?
Thx