Collect Microsoft 365 logs

This document describes how you can collect Microsoft 365 logs by setting up a Google Security Operations feed and how log fields map to Google Security Operations Unified Data Model (UDM) fields. This document also lists the supported audited activities and supported Microsoft 365 version.

For an overview of data ingestion to Google Security Operations, see Data ingestion to Google Security Operations.

Overview

The following deployment architecture diagram shows how Microsoft 365 and a Google Security Operations feed are configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

Deployment architecture

The architecture diagram shows the following components:

  • Microsoft 365. The Microsoft 365 service from which you collect logs.

  • Google Security Operations feed. The Google Security Operations feed that fetches logs from Microsoft 365 and writes logs to Google Security Operations.

  • Google Security Operations. Google Security Operations retains and analyzes the logs from Microsoft 365.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.

Before you begin

  • Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later and verify that you have a Microsoft 365 Enterprise E5 subscription with the Microsoft Security and Compliance Center feature.

  • Grant the required privileges and permissions to the user to generate and export the different events for all the supported Microsoft products. The user whose credentials are used to authenticate against the API must have the ActivityFeed.Read permission. To ingest DLP data, the ActivityFeed.ReadDlp permission is also required. For information about permissions, see Permissions to access management APIs.

  • Configure Microsoft 365 to search and export logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. It takes up to 24 hours for the logs to be generated. For more information, see Search the audit log.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Review the activities and products that the Google Security Operations parser supports. The following table lists the activities and products that the Google Security Operations parser supports:

    | Activities | Products |
    | --- | --- |
    | File and page activities | SharePoint Online and OneDrive for Business |
    | Folder activities | SharePoint Online and OneDrive for Business |
    | SharePoint list activities | SharePoint Online |
    | Sharing and access request activities | SharePoint Online and OneDrive for Business |
    | Synchronization activities | SharePoint Online and OneDrive for Business |
    | Site permissions activities | SharePoint Online |
    | Site administration activities | SharePoint Online |
    | Exchange mailbox activities | Microsoft 365 Group mailboxes |
    | User administration activities | Microsoft 365 admin center |
    | Azure AD group administration activities | Microsoft 365 admin center |
    | Application administration activities | When an administrator adds or changes an application that is registered in Azure AD |
    | Role administration activities | Microsoft 365 admin center |
    | Directory administration activities | Microsoft 365 admin center |
    | Power BI activities | Power BI |
    | Microsoft Teams activities | Microsoft Teams |
    | Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
    | Microsoft Teams Healthcare activities | Patients application in Microsoft Teams |
    | Yammer activities | Yammer |
    | Microsoft Power Automate activities | Power Automate (formerly called Microsoft Flow) |
    | Microsoft PowerApps activities | Power Apps |
    | Microsoft Stream activities | Microsoft Stream |
    | Quarantine activities | Quarantine email messages in Office 365 |
    | Microsoft Forms activities | Microsoft Teams |
    | Sensitivity label activities | Labeling activities for SharePoint Online and Teams |
    | Retention policy and retention label activities | NA |
    | Briefing email activities | Briefing email |
    | MyAnalytics activities | MyAnalytics |
    | Information barriers activities | NA |
    | Disposition review activities | NA |
    | Communication compliance activities | NA |
    | Undefined Activity | NA |

Configure a feed in Google Security Operations to ingest Microsoft 365 logs

  1. Go to Google Security Operations settings, and click Feeds.
  2. Click Add New.
  3. Select Third party API for Source Type.
  4. Select Office 365 for Log Type.
  5. Click Next.
  6. Based on the Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret, and Tenant ID details.
  7. Select the Content type for which you are creating this feed. You must create a separate feed for each content type that you require.
  8. Click Next and then Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation.

Field mapping reference

This section explains how the Google Security Operations parser maps Microsoft 365 log fields to Google Security Operations Unified Data Model (UDM) fields for the supported operations and workloads.

Common fields

The following table lists the common log fields and their corresponding UDM fields.

| Common log field | UDM field |
| --- | --- |
| ID | metadata.product_log_id |
| RecordType | security_result.detection_fields.key/value. security_result.detection_fields.key is set to {RecordType} - RecordTypeNameFromDoc; security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc. |
| CreationTime | metadata.event_timestamp |
| Operation | metadata.product_event_type |
| OrganizationId | principal.resource.product_object_id |
| UserType | principal.user.attribute.roles.name |
| UserId | principal.user.email_addresses or principal.user.userid; target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant, UserId is mapped to target.user; otherwise UserId is mapped to principal.user. If the UserId value contains an email address, it is mapped to email_addresses; otherwise it is mapped to userid. |
| ClientIP | principal.ip and principal.port |
| Workload | target.application |
| AppAccessContext | network.session.id and security_result.detection_fields.key/value. AADSessionId is mapped to network.session.id; CorrelationId is mapped to security_result.detection_fields.key/value. |
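The conditional rules in the common-field table (which side UserId lands on, email versus userid, ClientIP split into address and port, RecordType keyed as "{RecordType} - name", AppAccessContext unpacked into a session id and a correlation id) are easiest to check against a concrete record. The Python below is an added illustration written for this page, not the Google Security Operations parser itself. It applies those rules to two constructed audit records whose field names follow the Microsoft 365 Management Activity API schema (which spells the record identifier Id). The email-shape test, the IP:port splitting, the flat dotted-key output shape and the two-entry RECORD_TYPES lookup (enum names from Microsoft's AuditLogRecordType; descriptions paraphrased) are assumptions of this example.

```python
import ipaddress
import json
import re

# Operations for which the table sends UserId to target.user instead of principal.user.
TARGET_USER_OPERATIONS = {
    "UserLoggedIn",
    "UserLoginFailed",
    "Add OAuth2PermissionGrant",
    "TeamsUserSignedOut",
    "Add delegated permission grant",
}

# Assumption: "contains an email address" is read as a local-part@domain.tld shape.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed lookup standing in for RecordTypeNameFromDoc / RecordTypeDescriptionFromDoc.
# Only the two codes used by the sample records are included; names are AuditLogRecordType
# enum members, descriptions are paraphrased.
RECORD_TYPES = {
    6: ("SharePointFileOperation", "SharePoint file operation events"),
    15: ("AzureActiveDirectoryStsLogon", "Secure Token Service logon events in Azure AD"),
}


def split_client_ip(client_ip):
    """Split ClientIP into (ip, port): '1.2.3.4', '1.2.3.4:443', '[2001:db8::1]:443', '2001:db8::1'."""
    if client_ip.startswith("["):            # bracketed IPv6, optionally followed by :port
        host, _, rest = client_ip[1:].partition("]")
        port = rest.lstrip(":")
    elif client_ip.count(":") == 1:          # IPv4 with port
        host, _, port = client_ip.partition(":")
    else:                                    # bare IPv4 or bare IPv6
        host, port = client_ip, ""
    return str(ipaddress.ip_address(host)), (int(port) if port else None)


def map_common_fields(record):
    """Apply the common-field rules to one audit record; returns a flat dict keyed by UDM path."""
    udm = {
        "metadata.product_log_id": record["Id"],
        "metadata.event_timestamp": record["CreationTime"],
        "metadata.product_event_type": record["Operation"],
        "principal.resource.product_object_id": record["OrganizationId"],
        "principal.user.attribute.roles.name": str(record["UserType"]),
        "target.application": record["Workload"],
    }
    detection_fields = []

    # RecordType: key "{RecordType} - <name>", value <description>.
    name, description = RECORD_TYPES.get(record["RecordType"], ("Unknown", "Record type not in lookup"))
    detection_fields.append({"key": f"{record['RecordType']} - {name}", "value": description})

    # UserId: sign-in and consent style operations describe the user as the target,
    # everything else describes the user as the principal.
    side = "target.user" if record["Operation"] in TARGET_USER_OPERATIONS else "principal.user"
    if EMAIL_RE.match(record["UserId"]):
        udm[f"{side}.email_addresses"] = [record["UserId"]]
    else:
        udm[f"{side}.userid"] = record["UserId"]

    if record.get("ClientIP"):
        ip, port = split_client_ip(record["ClientIP"])
        udm["principal.ip"] = ip
        if port is not None:
            udm["principal.port"] = port

    ctx = record.get("AppAccessContext") or {}
    if ctx.get("AADSessionId"):
        udm["network.session.id"] = ctx["AADSessionId"]
    if ctx.get("CorrelationId"):
        detection_fields.append({"key": "CorrelationId", "value": ctx["CorrelationId"]})

    udm["security_result.detection_fields"] = detection_fields
    return udm


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {   # an Azure AD sign-in: UserId is an email and belongs on the target side
        "Id": "11111111-2222-3333-4444-555555555555",
        "RecordType": 15,
        "CreationTime": "2024-01-15T08:30:00",
        "Operation": "UserLoggedIn",
        "OrganizationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "UserType": 0,
        "UserId": "alice@example.com",
        "ClientIP": "203.0.113.10",
        "Workload": "AzureActiveDirectory",
    },
    {   # a SharePoint file access by the SharePoint app identity, IPv6 client with port
        "Id": "66666666-7777-8888-9999-000000000000",
        "RecordType": 6,
        "CreationTime": "2024-01-15T08:31:12",
        "Operation": "FileAccessed",
        "OrganizationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "UserType": 0,
        "UserId": "app@sharepoint",
        "ClientIP": "[2001:db8::10]:51022",
        "Workload": "SharePoint",
        "AppAccessContext": {"AADSessionId": "sess-0001", "CorrelationId": "corr-0001"},
    },
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(json.dumps(map_common_fields(rec), indent=2))
```

Run it and compare the printed keys with the table: the sign-in record produces target.user.email_addresses and no principal.user entry, while the SharePoint record produces principal.user.userid, a principal.port from the bracketed IPv6 value, and both the RecordType and CorrelationId detection fields.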

For reference information about UDM mappings for supported operations, refer to the following sections:

FileAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileAccessedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessedExtended" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCopied

The following table lists the log fields and corresponding UDM mappings for the operation "FileCopied" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData src.file.full_path and target.file.full_path. SourceFileUrl, extracted from EventData, is mapped to src.file.full_path; TargetFileUrl, extracted from EventData, is mapped to target.file.full_path

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileModified

The following table lists the log fields and corresponding UDM mappings for the operation "FileModified" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileDownloaded

The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloaded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
UserSessionId network.http.session_id
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ZipFileName principal.resource.parent

FileModifiedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "FileModifiedExtended" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
FileSizeBytes target.file.size
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileMoved

The following table lists the log fields and corresponding UDM mappings for the operation "FileMoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FilePreviewed

The following table lists the log fields and corresponding UDM mappings for the operation "FilePreviewed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application
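The operation tables above differ in two ways that are easy to misread: which UDM event type each operation receives, and whether the file sits on the src side (ObjectId to src.url, path composed as {SourceRelativeUrl}/{SourceFileName}, as for FileDownloaded, FileMoved and FileRenamed) or on the target side (ObjectId to target.url, path set to SourceRelativeUrl or SourceFileName, as for FileAccessed and the others). The Python below is an added illustration for this page, not the parser itself; it encodes those two distinctions from the tables for the SharePoint and OneDrive file operations listed so far (FileCopied's EventData extraction is left out) and runs them over three constructed records. The reading of "SourceRelativeUrl or SourceFileName" as "relative URL when present, otherwise the bare file name", the join_url helper and the flat dotted-key output are assumptions of this example.

```python
# Operation -> metadata.event_type, as given by the per-operation tables.
EVENT_TYPES = {
    "FileAccessed": "USER_RESOURCE_ACCESS",
    "FileAccessedExtended": "USER_RESOURCE_ACCESS",
    "FilePreviewed": "USER_RESOURCE_ACCESS",
    "FileCheckedOut": "USER_RESOURCE_ACCESS",
    "FileDeleted": "FILE_DELETION",
    "FileVersionsAllDeleted": "FILE_DELETION",
    "FileModified": "FILE_MODIFICATION",
    "FileModifiedExtended": "FILE_MODIFICATION",
    "FileDownloaded": "USER_RESOURCE_UPDATE_CONTENT",
    "FileCheckedIn": "USER_RESOURCE_UPDATE_CONTENT",
    "FileUploaded": "FILE_SYNC",
    "FileMoved": "FILE_MOVE",
    "FileRenamed": "FILE_MOVE",
}

# Operations whose tables place the file on the src side (ObjectId -> src.url, src.file.*).
SRC_SIDE_OPERATIONS = {"FileDownloaded", "FileMoved", "FileRenamed"}
# Operations that additionally carry a destination path on the target side.
DESTINATION_OPERATIONS = {"FileMoved", "FileRenamed"}


def join_url(relative_url, file_name):
    """Compose {RelativeUrl}/{FileName} without doubling the separator (assumed helper)."""
    return f"{relative_url.rstrip('/')}/{file_name}"


def map_file_operation(record):
    """Map one SharePoint/OneDrive file-operation record to the UDM fields the tables list."""
    op = record["Operation"]
    if op not in EVENT_TYPES:
        raise ValueError(f"operation not covered by the file-operation tables: {op}")
    udm = {
        "metadata.event_type": EVENT_TYPES[op],
        "target.resource.resource_type": "STORAGE_OBJECT",
        "network.http.referral_url": record.get("SiteUrl"),
        "network.http.user_agent": record.get("UserAgent"),
        "principal.application": record.get("EventSource"),
        "principal.asset_id": record.get("ListItemUniqueId"),
        "target.asset.product_object_id": record.get("MachineId"),
        "metadata.product_version": record.get("Version"),
    }
    if op in SRC_SIDE_OPERATIONS:
        udm["src.url"] = record["ObjectId"]
        udm["src.file.full_path"] = join_url(record["SourceRelativeUrl"], record["SourceFileName"])
        udm["src.file.mime_type"] = record.get("SourceFileExtension")
    else:
        udm["target.url"] = record["ObjectId"]
        # Assumed reading of "SourceRelativeUrl or SourceFileName".
        udm["target.file.full_path"] = record.get("SourceRelativeUrl") or record["SourceFileName"]
        udm["target.file.mime_type"] = record.get("SourceFileExtension")
    if op in DESTINATION_OPERATIONS:
        udm["target.file.full_path"] = join_url(record["DestinationRelativeUrl"], record["DestinationFileName"])
        udm["target.file.mime_type"] = record.get("DestinationFileExtension")
    if op == "FileModifiedExtended" and "FileSizeBytes" in record:
        udm["target.file.size"] = int(record["FileSizeBytes"])
    return {k: v for k, v in udm.items() if v is not None}


# Constructed sample records (not real tenant data); shared fields kept minimal.
_COMMON = {
    "SiteUrl": "https://example.sharepoint.com/sites/finance/",
    "UserAgent": "Mozilla/5.0",
    "EventSource": "SharePoint",
    "ListItemUniqueId": "0f0f0f0f-1111-2222-3333-444444444444",
    "Version": 1,
    "SourceRelativeUrl": "Shared Documents/Reports",
    "SourceFileName": "q1.xlsx",
    "SourceFileExtension": "xlsx",
    "ObjectId": "https://example.sharepoint.com/sites/finance/Shared Documents/Reports/q1.xlsx",
}
SAMPLE_RECORDS = [
    {**_COMMON, "Operation": "FileMoved",
     "DestinationRelativeUrl": "Shared Documents/Archive",
     "DestinationFileName": "q1-final.xlsx", "DestinationFileExtension": "xlsx"},
    {**_COMMON, "Operation": "FileDownloaded"},
    {**_COMMON, "Operation": "FileAccessed"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["Operation"], map_file_operation(rec))
```

The three records share one file but land in three different shapes: the move yields FILE_MOVE with a src path and a different target path, the download yields USER_RESOURCE_UPDATE_CONTENT with the file on the src side only, and the access yields USER_RESOURCE_ACCESS with target.url and a target path that is just the relative URL.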

FileUploaded

The following table lists the log fields and corresponding UDM mappings for the operation "FileUploaded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ImplicitShare target.resource.attribute.labels.key/value

FileVersionsAllDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

FileCheckedIn

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedIn" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName workload map with intermediary.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedOut" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site Uniquely identifies a resource in the site, such as a file or folder
ItemType Contains values such as File, Folder, Web, Site, Tenant, and DocumentLibrary
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent Information about the user's browser, as reported by the browser
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl Not mapped to target.file.full_path, because SiteUrl does not contain a file system path
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ComplianceSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSettingChanged" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value

LockRecord

The following table lists the log fields and corresponding UDM mappings for the operation "LockRecord" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

UnlockRecord

The following table lists the log fields and corresponding UDM mappings for the operation "UnlockRecord" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedFirstStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedSecondStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

RecordDelete

The following table lists the log fields and corresponding UDM mappings for the operation "RecordDelete" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCheckOutDiscarded

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckOutDiscarded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllMinorsRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllMinorsRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileRestored

The following table lists the log fields and corresponding UDM mappings for the operation "FileRestored" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileMalwareDetected

The following table lists the log fields and corresponding UDM mappings for the operation "FileMalwareDetected" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
VirusInfo security_result.threat_name
VirusVendor target.labels.key/value (deprecated)
VirusVendor additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

SearchQueryPerformed

The following table lists the log fields and corresponding UDM mappings for the operation "SearchQueryPerformed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SearchQueryText additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventData target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

PageViewed

The following table lists the log fields and corresponding UDM mappings for the operation "PageViewed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

PagePrefetched

The following table lists the log fields and corresponding UDM mappings for the operation "PagePrefetched" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ClientViewSignaled

The following table lists the log fields and corresponding UDM mappings for the operation "ClientViewSignaled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

PageViewedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "PageViewedExtended" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

FolderCreated

The following table lists the log fields and corresponding UDM mappings for the operation "FolderCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderMoved

The following table lists the log fields and corresponding UDM mappings for the operation "FolderMoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} (the SourceRelativeUrl field is not present in the log)
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} (the DestinationRelativeUrl field is not present in the log)
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} (the DestinationFileName field is not present in the log)
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData src.file.full_path and target.file.full_path are extracted from EventData: the SourceFileUrl element is mapped to src.file.full_path (grok capture src_file_full_path) and the TargetFileUrl element is mapped to target.file.full_path (grok capture target_file_full_path)

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
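The FolderMoved mapping above composes the source and target paths from the relative URL and file name, and falls back to the SourceFileUrl and TargetFileUrl elements of EventData when those fields are absent from the log. The following added example (not the Google Security Operations parser) applies that mapping to constructed records; the precedence between the composed path and the EventData path, the regex stand-in for the grok pattern, and the sample values are assumptions.

```python
"""Map a Microsoft 365 FolderMoved audit record to the UDM fields in the table.

Added example, not the Google Security Operations parser. Paths are composed
from {RelativeUrl}/{FileName} when both parts are present; otherwise they are
taken from the SourceFileUrl / TargetFileUrl elements of EventData. That
precedence is an assumption, the page does not state it.
"""
import re
from typing import Dict, Optional

# Regex stand-in for the grok pattern in the table. Assumption: EventData is an
# XML fragment whose elements are SourceFileUrl and TargetFileUrl.
_EVENTDATA_RE = {
    "SourceFileUrl": re.compile(r"<SourceFileUrl>(.*?)</SourceFileUrl>", re.S),
    "TargetFileUrl": re.compile(r"<TargetFileUrl>(.*?)</TargetFileUrl>", re.S),
}


def extract_event_data(event_data: Optional[str], element: str) -> Optional[str]:
    """Return the text of one EventData element, or None if absent or empty."""
    if not event_data:
        return None
    match = _EVENTDATA_RE[element].search(event_data)
    if not match or not match.group(1).strip():
        return None
    return match.group(1).strip()


def compose_path(relative_url: Optional[str], file_name: Optional[str]) -> Optional[str]:
    """Build {RelativeUrl}/{FileName}; None when either part is missing."""
    if not relative_url or not file_name:
        return None
    return f"{relative_url.rstrip('/')}/{file_name}"


def map_folder_moved(record: Dict[str, str]) -> Dict[str, str]:
    """Produce a flat dict keyed by UDM field path for a FolderMoved record."""
    if record.get("Operation") != "FolderMoved":
        raise ValueError("not a FolderMoved record")
    udm: Dict[str, str] = {
        "metadata.event_type": "FILE_MOVE",
        "target.resource.resource_type": "STORAGE_OBJECT",
    }
    # Composed path first, EventData element as the fallback (assumed order).
    src = compose_path(record.get("SourceRelativeUrl"), record.get("SourceFileName")) \
        or extract_event_data(record.get("EventData"), "SourceFileUrl")
    dst = compose_path(record.get("DestinationRelativeUrl"), record.get("DestinationFileName")) \
        or extract_event_data(record.get("EventData"), "TargetFileUrl")
    if src:
        udm["src.file.full_path"] = src
    if dst:
        udm["target.file.full_path"] = dst
    # One-to-one mappings taken from the FolderMoved table.
    for log_field, udm_field in (
        ("SourceFileExtension", "src.file.mime_type"),
        ("DestinationFileExtension", "target.file.mime_type"),
        ("SiteUrl", "network.http.referral_url"),
        ("UserAgent", "network.http.user_agent"),
        ("MachineId", "target.asset.product_object_id"),
        ("EventSource", "principal.application"),
        ("ApplicationDisplayName", "target.application"),
        ("Version", "metadata.product_version"),
        ("ListItemUniqueId", "principal.asset_id"),
    ):
        value = record.get(log_field)
        if value:
            udm[udm_field] = value
    return udm


# Constructed sample records (not from the page). The first lacks the
# relative-URL fields, as the table notes, so the paths come from EventData;
# the second carries them, so the paths are composed directly.
SAMPLE_WITHOUT_RELATIVE_URLS = {
    "Operation": "FolderMoved",
    "Workload": "SharePoint",
    "SourceFileName": "Q3-Reports",
    "DestinationFileName": "Q3-Reports",
    "SiteUrl": "https://contoso.example/sites/finance/",
    "EventSource": "SharePoint",
    "EventData": (
        "<SourceFileUrl>https://contoso.example/sites/finance/Shared Documents/Q3-Reports</SourceFileUrl>"
        "<TargetFileUrl>https://contoso.example/sites/finance/Shared Documents/Archive/Q3-Reports</TargetFileUrl>"
    ),
}
SAMPLE_WITH_RELATIVE_URLS = dict(
    SAMPLE_WITHOUT_RELATIVE_URLS,
    SourceRelativeUrl="Shared Documents",
    DestinationRelativeUrl="Shared Documents/Archive",
)

if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT_RELATIVE_URLS, SAMPLE_WITH_RELATIVE_URLS):
        for key, value in sorted(map_folder_moved(sample).items()):
            print(f"{key} = {value}")
        print()
```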

FolderRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRenamed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderModified

The following table lists the log fields and corresponding UDM mappings for the operation "FolderModified" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderCopied

The following table lists the log fields and corresponding UDM mappings for the operation "FolderCopied" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path
SourceRelativeUrl src.file.full_path
DestinationRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderRestored

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRestored" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedFirstStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedSecondStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadedFull

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedFull" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadedPartial

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedPartial" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadedFull

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedFull" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadedPartial

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedPartial" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ManagedSyncClientAllowed

The following table lists the log fields and corresponding UDM mappings for the operation "ManagedSyncClientAllowed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

UnmanagedSyncClientBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "UnmanagedSyncClientBlocked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

AddedToGroup

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToGroup" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If the TargetUserOrGroupType log field value is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.
EventData target.group.group_display_name
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupAdded

The following table lists the log fields and corresponding UDM mappings for the operation "GroupAdded" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If the TargetUserOrGroupType log field value is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ModifiedProperties If the Name log field value is Name, then the NewValue log field is mapped to target.group.group_display_name.
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "GroupRemoved" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties If the Name log field value is Name, then the NewValue log field is mapped to target.group.group_display_name.
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebRequestAccessModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebRequestAccessModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties If the Name log field value is equal to RequestAccessEmail, then the NewValue log field is mapped to the target.user.email_addresses or target.user.userid UDM field.

Else, the NewValue log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

ItemType target.resource.attribute.labels.key/value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebMembersCanShareModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebMembersCanShareModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Version metadata.product_version
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

PermissionLevelModified

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminAdded

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminAdded" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If the TargetUserOrGroupType log field value is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
ModifiedProperties If the Name log field value is SiteAdmin, then the NewValue log field is mapped to target.user.userid or target.user.email_addresses.
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminRemoved" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If the TargetUserOrGroupType log field value is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
ModifiedProperties If the Name log field value is SiteAdmin, then the NewValue log field is mapped to target.user.userid or target.user.email_addresses.
AssertingApplicationId about.labels.key/value (deprecated)
AssertingApplicationId additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

PermissionLevelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelRemoved" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.permissions.name
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

RemovedFromGroup

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromGroup" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.group.group_display_name
SiteUrl network.http.referral_url
TargetUserOrGroupName If the TargetUserOrGroupType log field value is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If the TargetUserOrGroupType log field value is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "GroupUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.referral_url
ModifiedProperties If the Name log field value is Name, then the NewValue log field is mapped to target.group.group_display_name.
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

ProjectCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectCheckedOut" and workload "Project":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value (deprecated)
OnBehalfOfResId additional.fields.key and additional.fields.value.string_value

ProjectAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectAccessed" and workload "Project":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value (deprecated)
OnBehalfOfResId additional.fields.key and additional.fields.value.string_value

SharingInheritanceBroken

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInheritanceBroken" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application

AddedToSecureLink

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToSecureLink" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ApplicationDisplayName target.application

CompanyLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application

CompanyLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkUsed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

SecureLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SharingInvitationCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SecureLinkDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application

RemovedFromSecureLink

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSecureLink" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

SharingInvitationRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationRevoked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SecureLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SecureLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUsed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

SharingRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingRevoked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

SharingSet

The following table lists the log fields and corresponding UDM mappings for the operation "SharingSet" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

PermissionLevelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelAdded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

SharingInvitationAccepted

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationAccepted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.name

Added to Group is mapped to target.resource.name

SharingInvitationBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationBlocked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData security_result.summary

Reason is mapped to security_result.summary

AccessRequestCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name, or target.user.userid or target.user.email_addresses, depending on TargetUserOrGroupType:
if TargetUserOrGroupType is SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name;
if TargetUserOrGroupType is Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped to target.resource.attribute.labels.key/value

AnonymousLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
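
The AccessRequestCreated and AnonymousLinkCreated tables above share the same conditional rules: TargetUserOrGroupType decides whether the target is a group or a user, target.file.full_path is filled from SourceRelativeUrl or SourceFileName, and the EventData XML fragment is split by the grok pattern into Type and MembersCanShareApplied labels. The following Python is an added illustration of those rules and is not the Google Security Operations parser itself. It assumes that the address-shaped TargetUserOrGroupName goes to email_addresses and any other value to userid, that SourceRelativeUrl takes precedence when both file fields are present, and that a regex stands in for the grok pattern; the sample record and its GUID placeholders are constructed.

```python
import re

# Assumed regex equivalent of the page's grok pattern for EventData; the second
# element is optional because some operations carry only <Type>.
EVENTDATA_RE = re.compile(
    r"<Type>(?P<Type>[^<]*)</Type>"
    r"(?:<MembersCanShareApplied>(?P<MembersCanShareApplied>[^<]*)"
    r"</MembersCanShareApplied>)?"
)

# metadata.event_type per operation, as listed in the tables on this page.
EVENT_TYPE_BY_OPERATION = {
    "AccessRequestCreated": "USER_RESOURCE_ACCESS",
    "AnonymousLinkCreated": "USER_RESOURCE_CREATION",
    "AccessRequestUpdated": "STATUS_UPDATE",
    "CompanyLinkRemoved": "USER_RESOURCE_DELETION",
    "AccessRequestApproved": "USER_RESOURCE_UPDATE_PERMISSION",
    "AnonymousLinkRemoved": "USER_RESOURCE_DELETION",
    "AnonymousLinkUpdated": "STATUS_UPDATE",
}


def map_target_user_or_group(udm, name, kind):
    """TargetUserOrGroupType decides whether the target is a group or a user."""
    if not name:
        return
    k = (kind or "").lower()  # accepts both SharepointGroup and SharePointGroup
    if k in ("securitygroup", "sharepointgroup"):
        udm["target"]["group"] = {"group_display_name": name}
    elif k in ("guest", "member"):
        # Assumption: an address-shaped value fills email_addresses, anything
        # else fills userid; the page only says "userid or email_addresses".
        if "@" in name:
            udm["target"]["user"] = {"email_addresses": [name]}
        else:
            udm["target"]["user"] = {"userid": name}


def normalize_sharing_event(rec):
    """Return a UDM-shaped dict for one SharePoint/OneDrive sharing record."""
    labels, detection, extra = [], [], []
    udm = {
        "metadata": {
            "event_type": EVENT_TYPE_BY_OPERATION.get(rec.get("Operation"), "STATUS_UPDATE"),
            "product_version": rec.get("Version"),
        },
        "principal": {"application": rec.get("EventSource"),
                      "asset_id": rec.get("ListItemUniqueId")},
        "target": {
            "url": rec.get("ObjectId"),
            "application": rec.get("ApplicationDisplayName"),
            "asset": {"product_object_id": rec.get("MachineId")},
            "file": {
                "mime_type": rec.get("SourceFileExtension"),
                # Assumption: SourceRelativeUrl wins when both fields are present.
                "full_path": rec.get("SourceRelativeUrl") or rec.get("SourceFileName"),
            },
            "resource": {"attribute": {"labels": labels}},
        },
        "network": {"http": {"user_agent": rec.get("UserAgent"),
                             "referral_url": rec.get("SiteUrl")}},
        "security_result": {"detection_fields": detection},
        "additional": {"fields": extra},
    }
    if rec.get("ItemType"):
        labels.append({"key": "ItemType", "value": rec["ItemType"]})
    for key in ("ListId", "CorrelationId"):
        if rec.get(key):
            detection.append({"key": key, "value": rec[key]})
    # Current (non-deprecated) destination for Site, SourceName, WebId, UniqueSharingId.
    for key in ("Site", "SourceName", "WebId", "UniqueSharingId"):
        if rec.get(key):
            extra.append({"key": key, "value": {"string_value": rec[key]}})
    map_target_user_or_group(udm, rec.get("TargetUserOrGroupName"),
                             rec.get("TargetUserOrGroupType"))
    m = EVENTDATA_RE.search(rec.get("EventData") or "")
    if m:  # Type and MembersCanShareApplied become resource attribute labels
        for key, value in m.groupdict().items():
            if value is not None:
                labels.append({"key": key, "value": value})
    return udm


SAMPLE_RECORD = {  # constructed sample, not a record from a real tenant
    "Operation": "AnonymousLinkCreated", "Version": "1",
    "ObjectId": "https://contoso.sharepoint.com/sites/team/Shared Documents/plan.docx",
    "Site": "site-guid-placeholder", "ItemType": "File", "EventSource": "SharePoint",
    "UserAgent": "Mozilla/5.0", "SiteUrl": "https://contoso.sharepoint.com/sites/team/",
    "SourceFileExtension": "docx", "SourceFileName": "plan.docx",
    "SourceRelativeUrl": "Shared Documents", "ListId": "list-guid-placeholder",
    "CorrelationId": "corr-guid-placeholder", "UniqueSharingId": "share-guid-placeholder",
    "TargetUserOrGroupName": "Limited Access System Group",
    "TargetUserOrGroupType": "SharePointGroup",
    "EventData": "<Type>View</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_sharing_event(SAMPLE_RECORD), indent=2))
```

Running the block prints the normalized record. The regex keeps MembersCanShareApplied optional so the same function serves the CompanyLinkRemoved and AnonymousLinkRemoved tables, whose EventData carries only the Type element.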

AccessRequestUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields

CompanyLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkRemoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

AccessRequestApproved

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestApproved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.name

Extract using grok

grok {
  match => {
    "EventData" => "<Added to group>{target_resource_name}.*"
  }
}

TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

AnonymousLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkRemoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value
SourceFileExtension target.file.mime_type
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url

Extract using grok

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
MachineId target.asset.product_object_id

AnonymousLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SharingInvitationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

SiteUrl network.http.referral_url
ApplicationDisplayName target.application
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
event_type is mapped to USER_RESOURCE_ACCESS
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

If TargetUserOrGroupType is SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name.

If TargetUserOrGroupType is Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses.

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

AnonymousLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUsed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ResultStatus is Success

Action is set to ALLOW

security_result.summary is set to Group creation successful

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is set to Group creation failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
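
The AzureActiveDirectory tables on this page all apply the same four conditional rules: ResultStatus selects the security_result action and summary, each ExtendedProperties entry is dispatched on its Name (User-Agent pulled out of additionalDetails, extendedAuditEventCategory kept as a resource label, everything else stored in additional.fields), each ModifiedProperties entry is dispatched on its Name, and each Target entry is routed by its numeric Type (1 for a group, 5 for a user, anything else retained as a detection field). The following Python is an added illustration of those rules and is not the Google Security Operations parser. It assumes the additionalDetails value is a JSON string containing a "User-Agent" key (a regex stands in for the grok pattern), that an address-shaped ID fills email_addresses rather than userid, that the "Included Updated Properties" summary takes precedence over the ResultStatus summary, and that ActorIpAddress may carry a trailing port; the sample record and its placeholder values are constructed.

```python
import re

# Assumed grok equivalent: the additionalDetails value is a JSON string that
# embeds a "User-Agent" key (format assumed; see the constructed sample below).
USER_AGENT_RE = re.compile(r'"User-Agent"\s*:\s*"([^"]*)"')


def result_status_fields(status, ok_summary, failed_summary):
    """ResultStatus drives security_result.action and security_result.summary."""
    if status == "Success":
        return {"action": ["ALLOW"], "summary": ok_summary}
    if status == "Failure":
        return {"action": ["BLOCK"], "summary": failed_summary}
    return {}


def split_ip_port(value):
    """ActorIpAddress may carry a port; a bare IPv6 address must stay intact."""
    if not value:
        return None, None
    if value.startswith("["):  # [v6]:port
        host, _, port = value[1:].partition("]:")
        return host, (int(port) if port.isdigit() else None)
    if value.count(":") == 1:  # v4:port
        host, port = value.split(":")
        return host, (int(port) if port.isdigit() else None)
    return value, None


def map_identity(ident, kind):
    """Target entry: Type 1 is a group, Type 5 a user, anything else is kept as
    a detection field. Assumption: '@' selects email_addresses over userid."""
    if kind == 1:
        return "group", {"group_display_name": ident}
    if kind == 5:
        return "user", ({"email_addresses": [ident]} if "@" in (ident or "")
                        else {"userid": ident})
    return "detection", {"key": f"Target.Type.{kind}", "value": ident}


def normalize_aad_event(rec, ok_summary, failed_summary):
    """Return a UDM-shaped dict for one AzureActiveDirectory audit record."""
    labels, detection, extra = [], [], []
    ip, port = split_ip_port(rec.get("ActorIpAddress"))
    sr = {"detection_fields": detection}
    sr.update(result_status_fields(rec.get("ResultStatus"), ok_summary, failed_summary))
    udm = {
        "metadata": {"product_version": rec.get("Version")},
        "principal": {"ip": [ip] if ip else [], "port": port},
        "target": {"resource": {"attribute": {"labels": labels}}},
        "network": {"http": {}},
        "security_result": sr,
        "additional": {"fields": extra},
    }
    for p in rec.get("ExtendedProperties") or []:  # dispatch on Name
        name, value = p.get("Name"), p.get("Value") or ""
        if name == "additionalDetails":
            m = USER_AGENT_RE.search(value)
            if m:
                udm["network"]["http"]["user_agent"] = m.group(1)
        elif name == "extendedAuditEventCategory":
            labels.append({"key": name, "value": value})
        else:
            extra.append({"key": name, "value": {"string_value": value}})
    for p in rec.get("ModifiedProperties") or []:  # dispatch on Name
        name, new = p.get("Name"), p.get("NewValue")
        if name == "Included Updated Properties":
            sr["summary"] = new  # assumption: this wins over the ResultStatus text
        elif name == "Action Client Name":
            udm["target"]["resource"]["name"] = new
        else:
            extra.append({"key": name, "value": {"struct_value": {
                "NewValue": new, "OldValue": p.get("OldValue")}}})
    for a in rec.get("Actor") or []:
        detection.append({"key": f"Actor.Type.{a.get('Type')}", "value": a.get("ID")})
    for t in rec.get("Target") or []:
        where, payload = map_identity(t.get("ID"), t.get("Type"))
        if where == "detection":
            detection.append(payload)
        else:
            udm["target"][where] = payload
    return udm


SAMPLE_RECORD = {  # constructed sample, not a record from a real tenant
    "ResultStatus": "Success", "Version": 1,
    "ActorIpAddress": "203.0.113.10:51234",
    "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "Target": [{"ID": "user@example.com", "Type": 5},
               {"ID": "Project Team", "Type": 1},
               {"ID": "target-guid-placeholder", "Type": 2}],
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent":"Mozilla/5.0 (Windows NT 10.0)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Group"}],
    "ModifiedProperties": [
        {"Name": "Action Client Name", "NewValue": "DirectorySync", "OldValue": ""},
        {"Name": "Included Updated Properties", "NewValue": "Group.DisplayName", "OldValue": ""}],
}
```

The success and failure summary strings are parameters because they differ per operation in the tables ("Group creation successful", "Group membership updated successfully", and so on). The split_ip_port helper is the caveat worth keeping: splitting ActorIpAddress on the first colon would mangle a bare IPv6 address.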

Add group

The following table lists the log fields and corresponding UDM mappings for the operation "Add group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add member to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add member to group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add user

The following table lists the log fields and corresponding UDM mappings for the operation "Add user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is Is HardDeleted then NewValue and OldValue are mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue are mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Change user license.

The following table lists the log fields and corresponding UDM mappings for the operation "Change user license." and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Change user password

The following table lists the log fields and corresponding UDM mappings for the operation "Change user password" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group deletion successful

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group deletion failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete group

The following table lists the log fields and corresponding UDM mappings for the operation "Delete group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove member from group

The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to User deleted successfully

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
  If ResultStatus is Success, security_result.action is set to ALLOW and security_result.summary is set to User updated successfully.
  If ResultStatus is Failure, security_result.action is set to BLOCK and security_result.summary is set to User update failed.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  security_result.summary; target.resource.name; security_result.detection_fields.key/value; target.user.attribute.labels.key/value
  If Name is Included Updated Properties, NewValue is mapped to security_result.summary.
  If Name is Action Client Name, NewValue is mapped to target.resource.name.
  If Name is HardDeleted, NewValue and OldValue are mapped to security_result.detection_fields.key/value.
  If Name is GivenName, NewValue and OldValue are mapped to target.user.attribute.labels.key/value.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update user

The following table lists the log fields and corresponding UDM mappings for the operation "Update user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION.
  If ObjectId is present and is not Not Available, ObjectId is mapped to target.group.product_object_id.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  security_result.detection_fields.key/value; target.resource.name; target.user.attribute.labels.key/value; target.labels.key/value (deprecated); additional.fields.key and additional.fields.value.struct_value.fields; target.asset.* and about.asset.* fields; target.user.email_addresses; target.user.phone_numbers
  If Name is Included Updated Properties, NewValue is mapped to security_result.detection_fields.key/value.
  If Name is Action Client Name, NewValue is mapped to target.resource.name.
  If Name is HardDeleted, NewValue and OldValue are mapped to security_result.detection_fields.key/value.
  If Name is GivenName, NewValue and OldValue are mapped to target.user.attribute.labels.key/value.
  If Name is TargetId.UserType, NewValue and OldValue are mapped to target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields.
  If Name is StrongAuthenticationPhoneAppDetail, the keys of the NewValue JSON object are mapped as follows: DeviceName to target.asset.hostname, PhoneAppVersion to target.asset.software.version, DeviceId to target.asset.asset_id, Id to target.asset.product_object_id, DeviceToken, DeviceTag and NotificationType to target.asset.attribute.labels.key/value, TenantDeviceId to target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value, and OathTokenTimeDrift, TimeInterval, AuthenticationType, LastAuthenticatedTimestamp, AuthenticatorFlavor, HashFunction, SecuredPartitionId and SecuredKeyId to security_result.detection_fields.key/value.
  If Name is StrongAuthenticationPhoneAppDetail, the keys of the OldValue JSON object are mapped the same way, except that the asset fields go to about.asset.hostname, about.asset.software.version, about.asset.asset_id, about.asset.product_object_id and about.asset.attribute.labels.key/value, and TenantDeviceId goes to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
  If Name is StrongAuthenticationUserDetails and NewValue (or OldValue) is a JSON object, its Email is mapped to target.user.email_addresses and its PhoneNumber, AlternativePhoneNumber and VoiceOnlyPhoneNumber are mapped to target.user.phone_numbers.
  If Name is StrongAuthenticationUserDetails and NewValue (or OldValue) is not a JSON object, security_result.detection_fields.key is set to StrongAuthenticationUserDetails_NewValue (or StrongAuthenticationUserDetails_OldValue) and the raw value is mapped to security_result.detection_fields.value.
  If Name is StrongAuthenticationMethod and NewValue (or OldValue) is a JSON object, each key of the object is mapped to security_result.detection_fields.key as StrongAuthenticationMethod_NewValue_{key} (or StrongAuthenticationMethod_OldValue_{key}) and the key's value to security_result.detection_fields.value.
  If Name is StrongAuthenticationMethod and NewValue (or OldValue) is not a JSON object, security_result.detection_fields.key is set to StrongAuthenticationMethod_NewValue (or StrongAuthenticationMethod_OldValue) and the raw value is mapped to security_result.detection_fields.value.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.group.group_display_name; target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 1, ID is mapped to target.group.group_display_name.
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update group

The following table lists the log fields and corresponding UDM mappings for the operation "Update group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN.
  If ResultStatus is Succeeded or Success, security_result.action is set to ALLOW and security_result.summary is set to User login successful.
  Else, if ResultStatus is Failed or LogonError is not empty, security_result.action is set to BLOCK, security_result.summary is set to User login failed and security_result.description is set to {LogonError}.
  UserId is mapped to target.user.userid or target.user.email_addresses.
  metadata.description is set to User Login - {Workload}.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; extensions.auth.type; extensions.auth.mechanism

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
DeviceProperties  network.session_id; principal.platform; principal.hostname
  If Name is OS, principal.platform is set from Value: a value matching Windows gives WINDOWS, Mac gives MAC and Linux gives LINUX.
  If Name is SessionId, Value is mapped to network.session_id.
  If Name is DisplayName, Value is mapped to principal.hostname.
ErrorCode security_result.description
  security_result.description is set to ErrorCode - {ErrorCode}.
LogonError security_result.description

UserLoggedIn

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoggedIn" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN.
  security_result.action is set to BLOCK.
  security_result.summary is set to User login failed.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; extensions.auth.type; extensions.auth.mechanism
  If Name is RequestType (or requestType), extensions.auth.type is set from Value: a value matching Saml.* or OAuth2.* gives MACHINE and a value matching Login.* gives REMOTE_INTERACTIVE.
  If Name is UserAgent, Value is mapped to network.http.user_agent.
  If Name is UserAuthenticationMethod, extensions.auth.type is set according to Value.

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Actor security_result.detection_fields.key/value
ResultStatusDetail security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
DeviceProperties  network.session_id; principal.platform; principal.platform_version; principal.hostname
  If Name is OS, principal.platform is set from Value (a value matching Windows gives WINDOWS, Mac gives MAC and Linux gives LINUX) and the raw Value is mapped to principal.platform_version.
  If Name is SessionId, Value is mapped to network.session_id.
  If Name is DisplayName, Value is mapped to principal.hostname.
ErrorCode security_result.description
  security_result.description is set to ErrorCode - {ErrorCode}.
LogonError security_result.description
  If LogonError is UserAccountNotFound, extensions.auth.mechanism is set to USERNAME_PASSWORD.
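The logon mapping described in the two tables above (ResultStatus and LogonError deciding security_result.action and summary, RequestType deciding extensions.auth.type, DeviceProperties feeding principal.platform, network.session_id and principal.hostname, ErrorCode and LogonError landing in security_result.description) as an added, runnable Python example. This is illustrative code written for this page, not the Google Security Operations parser: the two records are constructed, the nested-dict layout of the result is the example's own, and joining LogonError and ErrorCode with "; " in security_result.description is an assumption, since the tables route both there without stating an order.

```python
import re

# Constructed sample records shaped like Office 365 Management Activity API
# AzureActiveDirectory logon events; only the fields the mapping uses are present.
SUCCESS_LOGIN = {
    "Operation": "UserLoggedIn",
    "ResultStatus": "Success",
    "UserId": "alice@example.com",
    "Workload": "AzureActiveDirectory",
    "ExtendedProperties": [
        {"Name": "RequestType", "Value": "OAuth2:Authorize"},
        {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0)"},
    ],
    "DeviceProperties": [
        {"Name": "OS", "Value": "Windows 10"},
        {"Name": "SessionId", "Value": "3f9c2a"},
        {"Name": "DisplayName", "Value": "ALICE-LAPTOP"},
    ],
}

FAILED_LOGIN = {
    "Operation": "UserLoginFailed",
    "ResultStatus": "Failed",
    "LogonError": "UserAccountNotFound",
    "ErrorCode": "50034",
    "UserId": "nobody@example.com",
    "Workload": "AzureActiveDirectory",
    "ExtendedProperties": [{"Name": "RequestType", "Value": "Login:login"}],
    "DeviceProperties": [{"Name": "OS", "Value": "MacOs"}],
}


def auth_type_from_request(request_type):
    """RequestType prefix decides extensions.auth.type, as in the table above."""
    if re.match(r"(Saml|OAuth2)", request_type):
        return "MACHINE"
    if re.match(r"Login", request_type):
        return "REMOTE_INTERACTIVE"
    return None


def platform_from_os(os_value):
    """Map the DeviceProperties OS string onto the principal.platform enum."""
    for needle, enum in (("windows", "WINDOWS"), ("mac", "MAC"), ("linux", "LINUX")):
        if needle in os_value.lower():
            return enum
    return None


def normalize_login(rec):
    """Return a nested dict holding the UDM fields the logon mapping populates."""
    udm = {
        "metadata": {"event_type": "USER_LOGIN",
                     "description": f"User Login - {rec['Workload']}"},
        "target": {"user": {"userid": rec["UserId"]}},
        "security_result": {},
        "extensions": {"auth": {}},
        "principal": {},
        "network": {},
    }
    sr = udm["security_result"]
    status = rec.get("ResultStatus", "")
    logon_error = rec.get("LogonError", "")
    if status in ("Succeeded", "Success"):
        sr["action"], sr["summary"] = "ALLOW", "User login successful"
    elif status == "Failed" or logon_error:
        sr["action"], sr["summary"] = "BLOCK", "User login failed"
        # The table routes both LogonError and "ErrorCode - {ErrorCode}" to
        # security_result.description; joining them with "; " is this example's choice.
        parts = [logon_error]
        if rec.get("ErrorCode"):
            parts.append(f"ErrorCode - {rec['ErrorCode']}")
        sr["description"] = "; ".join(p for p in parts if p)
    if logon_error == "UserAccountNotFound":
        udm["extensions"]["auth"]["mechanism"] = "USERNAME_PASSWORD"
    for prop in rec.get("ExtendedProperties", []):
        name, value = prop["Name"], prop["Value"]
        if name == "RequestType":
            kind = auth_type_from_request(value)
            if kind:
                udm["extensions"]["auth"]["type"] = kind
        elif name == "UserAgent":
            udm["network"]["http"] = {"user_agent": value}
    for prop in rec.get("DeviceProperties", []):
        name, value = prop["Name"], prop["Value"]
        if name == "OS":
            plat = platform_from_os(value)
            if plat:
                udm["principal"]["platform"] = plat
            udm["principal"]["platform_version"] = value  # raw OS string, per the table
        elif name == "SessionId":
            udm["network"]["session_id"] = value
        elif name == "DisplayName":
            udm["principal"]["hostname"] = value
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_login(FAILED_LOGIN), indent=2))
```

Running the script prints the normalized failed logon; the point to notice is that a record with an empty ResultStatus but a populated LogonError still ends up as BLOCK, which is what the "or LogonError is not empty" branch in the table guarantees.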

UserLoginFailed

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoginFailed" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
ResultStatusDetail security_result.detection_fields.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update StsRefreshTokenValidFrom Timestamp

The following table lists the log fields and corresponding UDM mappings for the operation "Update StsRefreshTokenValidFrom Timestamp" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
  target.resource.resource_type is set to DEVICE.
  If ResultStatus is Success, security_result.action is set to ALLOW.
  If ResultStatus is Failure, security_result.action is set to BLOCK.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; target.resource.product_object_id; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is targetObjectId, Value is mapped to target.resource.product_object_id.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  target.platform; target.platform_version; security_result.description; target.resource.name; security_result.summary
  If Name is DeviceOSType, NewValue is mapped to target.platform.
  If Name is DeviceOSVersion, NewValue is mapped to target.platform_version.
  If Name is DevicePhysicalIds, NewValue is mapped to security_result.description.
  If Name is DisplayName, NewValue is mapped to target.resource.name. If ModifiedProperties contains no DisplayName, target.resource.name is taken instead from the ID of the Target entry whose Type is 1.
  If Name is Included Updated Properties, NewValue is mapped to security_result.summary.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.resource.name; target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 1, ID is mapped to target.resource.name.
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update device

The following table lists the log fields and corresponding UDM mappings for the operation "Update device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION.
  target.resource.resource_type is set to SETTING.
  UDM validation of a SETTING_MODIFICATION event requires a principal machine identifier (principal.ip, principal.hostname, principal.asset_id or principal.mac). The Office 365 documentation lists ClientIP as mandatory for every activity, but in some records it is absent.
  If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  security_result.summary; target.labels.key/value (deprecated); additional.fields.key and additional.fields.value.struct_value.fields
  If Name is Included Updated Properties, NewValue is mapped to security_result.summary.
  Otherwise, NewValue is mapped to target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.resource.name; target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 1, ID is mapped to target.resource.name.
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
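Two rules recur in the tables above: the Name/Value dispatch over ExtendedProperties (with the User-Agent pulled out of additionalDetails) and over Target entries, and the fallback to GENERIC_EVENT when a record has no ClientIP and the event type needs a principal machine identifier to pass UDM validation. The following added Python example implements both on a constructed record. It is not the parser's code: the additionalDetails payload is assumed to be a JSON string holding a "User-Agent" key, a regular expression stands in for the Grok pattern, the set of event types that require a principal machine identifier is the example's own reading of the page, and the event type for the operation is passed in rather than looked up.

```python
import re

# Event types the mapping says need a principal machine identifier (principal.ip,
# principal.hostname, principal.asset_id or principal.mac) to pass UDM validation.
# The page names SETTING_MODIFICATION and STATUS_UNCATEGORIZED; this set is the
# example's own, not the parser's list.
NEEDS_PRINCIPAL_MACHINE_ID = {"SETTING_MODIFICATION", "STATUS_UNCATEGORIZED"}

# Stand-in for the Grok pattern: the constructed additionalDetails payload is a
# JSON string with a "User-Agent" key (an assumption about the record shape).
UA_RE = re.compile(r'"User-Agent"\s*:\s*"([^"]*)"')
IPV4_PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")

# Constructed record in the shape of an AzureActiveDirectory admin operation.
FEDERATION_CHANGE = {
    "Operation": "Set federation settings on domain",
    "Version": 1,
    "ClientIP": "203.0.113.5",
    "ActorIpAddress": "203.0.113.5:51234",
    "ExtendedProperties": [
        {"Name": "additionalDetails",
         "Value": '{"User-Agent":"Mozilla/5.0 (X11; Linux x86_64)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Domain"},
        {"Name": "resultType", "Value": "Success"},
    ],
    "ModifiedProperties": [
        {"Name": "IssuerUri", "NewValue": "http://sts.example.com/adfs/services/trust",
         "OldValue": ""},
        {"Name": "Included Updated Properties",
         "NewValue": "IssuerUri, SigningCertificate", "OldValue": ""},
    ],
    "Target": [{"Type": 1, "ID": "example.com"}, {"Type": 5, "ID": "admin@example.com"}],
}
# Same record with the client address fields missing, as seen in some exports.
NO_CLIENT_IP = {k: v for k, v in FEDERATION_CHANGE.items()
                if k not in ("ClientIP", "ActorIpAddress")}


def extract_user_agent(additional_details):
    m = UA_RE.search(additional_details)
    return m.group(1) if m else None


def map_extended_properties(props, udm):
    """Name/Value dispatch shared by the AzureActiveDirectory admin operations."""
    for p in props:
        name, value = p["Name"], p["Value"]
        if name == "additionalDetails":
            ua = extract_user_agent(value)
            if ua:
                udm.setdefault("network", {}).setdefault("http", {})["user_agent"] = ua
        elif name == "extendedAuditEventCategory":
            resource = udm["target"].setdefault("resource", {})
            resource.setdefault("attribute", {}).setdefault("labels", []).append(
                {"key": name, "value": value})
        else:
            udm["additional"]["fields"].append({"key": name, "value": {"string_value": value}})


def map_modified_properties(props, udm):
    for p in props:
        if p["Name"] == "Included Updated Properties":
            udm["security_result"]["summary"] = p["NewValue"]
        else:
            udm["additional"]["fields"].append({"key": p["Name"], "value": {
                "struct_value": {"NewValue": p["NewValue"], "OldValue": p["OldValue"]}}})


def map_target(targets, udm):
    """Type 1 is a resource name and Type 5 a user; other types fall through to
    detection_fields (the key naming there is this example's choice)."""
    for t in targets:
        if t["Type"] == 1:
            udm["target"].setdefault("resource", {})["name"] = t["ID"]
        elif t["Type"] == 5:
            user = udm["target"].setdefault("user", {})
            if "@" in t["ID"]:
                user.setdefault("email_addresses", []).append(t["ID"])
            else:
                user["userid"] = t["ID"]
        else:
            udm["security_result"].setdefault("detection_fields", []).append(
                {"key": f"Target.Type{t['Type']}", "value": t["ID"]})


def normalize_admin_operation(rec, event_type):
    """event_type is the value the mapping assigns to rec["Operation"]; it is
    passed in rather than looked up so the validation fallback stays visible."""
    udm = {"metadata": {"event_type": event_type,
                        "product_version": str(rec.get("Version", ""))},
           "principal": {}, "target": {}, "security_result": {},
           "additional": {"fields": []}}
    actor_ip = rec.get("ActorIpAddress")
    if actor_ip:
        m = IPV4_PORT_RE.match(actor_ip)
        udm["principal"]["ip"] = [m.group(1) if m else actor_ip]
        if m:
            udm["principal"]["port"] = int(m.group(2))
    # A record without ClientIP carries no principal machine identifier, so an
    # event type that requires one would fail UDM validation; demote it instead.
    if event_type in NEEDS_PRINCIPAL_MACHINE_ID and not rec.get("ClientIP"):
        udm["metadata"]["event_type"] = "GENERIC_EVENT"
    elif event_type == "SETTING_MODIFICATION":
        udm["target"]["resource"] = {"resource_type": "SETTING"}
    map_extended_properties(rec.get("ExtendedProperties", []), udm)
    map_modified_properties(rec.get("ModifiedProperties", []), udm)
    map_target(rec.get("Target", []), udm)
    return udm
```

The practical consequence for detection content is visible in the second record: a federation change whose export lacks ClientIP arrives as GENERIC_EVENT, so a rule keyed only on metadata.event_type = SETTING_MODIFICATION would miss it, while the Operation name and the ModifiedProperties still carry the evidence.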

Set federation settings on domain

The following table lists the log fields and corresponding UDM mappings for the operation "Set federation settings on domain" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED.
  UDM validation of a STATUS_UNCATEGORIZED event requires a principal machine identifier (principal.ip, principal.hostname, principal.asset_id or principal.mac). The Office 365 documentation lists ClientIP as mandatory for every activity, but in some records it is absent.
  If ClientIP is absent, metadata.event_type is mapped to GENERIC_EVENT instead.

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  security_result.summary; target.labels.key/value (deprecated); additional.fields.key and additional.fields.value.struct_value.fields
  If Name is Included Updated Properties, NewValue is mapped to security_result.summary.
  Otherwise, NewValue is mapped to target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
Target  target.resource.name; target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 1, ID is mapped to target.resource.name.
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Verify domain

The following table lists the log fields and corresponding UDM mappings for the operation "Verify domain" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  security_result.summary; target.labels.key/value (deprecated); additional.fields.key and additional.fields.value.struct_value.fields
  If Name is Included Updated Properties, NewValue is mapped to security_result.summary.
  Otherwise, NewValue is mapped to target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.resource.name; target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 1, ID is mapped to target.resource.name.
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Set Company Information

The following table lists the log fields and corresponding UDM mappings for the operation "Set Company Information" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties  network.http.user_agent; target.resource.attribute.labels.key/value; about.labels.key/value (deprecated); additional.fields.key and additional.fields.value.string_value
  If Name is additionalDetails, the User-Agent is extracted from Value with a Grok pattern and mapped to network.http.user_agent.
  Else, if Name is extendedAuditEventCategory, Value is mapped to target.resource.attribute.labels.key/value.
  Otherwise, Value is mapped to about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value.
ModifiedProperties  security_result.summary; target.labels.key/value (deprecated); additional.fields.key and additional.fields.value.struct_value.fields
  If Name is Included Updated Properties, NewValue is mapped to security_result.summary.
  Otherwise, NewValue is mapped to target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target  target.user.userid or target.user.email_addresses; security_result.detection_fields.key/value
  If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses.
  Otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Reset user password

The following table lists the log fields and corresponding UDM mappings for the operation "Reset user password" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

security_result.description

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, if the Name log field value is equal to AccountEnabled, then AccountEnabled - NewValue is mapped to the security_result.description UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Disable account

The following table lists the log fields and corresponding UDM mappings for the operation "Disable account" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete application password for user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete application password for user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If a DisplayName value is present in the ModifiedProperties field, it is mapped to the target.resource.name UDM field; otherwise, the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType, then NewValue is mapped to target.platform

If Name is DeviceOSVersion, then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds, then NewValue is mapped to security_result.description

If Name is DisplayName, then NewValue is mapped to target.resource.name

If Name is Included Updated Properties, then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete device

The following table lists the log fields and corresponding UDM mappings for the operation "Delete device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to targetObjectId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If a DisplayName value is present in the ModifiedProperties field, it is mapped to the target.resource.name UDM field; otherwise, the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType, then NewValue is mapped to target.platform

If Name is DeviceOSVersion, then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds, then NewValue is mapped to security_result.description

If Name is DisplayName, then NewValue is mapped to target.resource.name

If Name is Included Updated Properties, then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
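As an added example (not the Google Security Operations OFFICE_365 parser), the following Python applies the "Delete device" rules above to a constructed audit record: ResultStatus to the security_result action, the ExtendedProperties branches, the ModifiedProperties device fields, and the Target Type 1 / Type 5 handling with the DisplayName-first fallback for target.resource.name. The sample record, the shape of the additionalDetails payload (with a regex standing in for the Grok pattern), and the detection_fields key names are assumptions.

```python
"""Normalize a Microsoft 365 AzureActiveDirectory "Delete device" audit record into
UDM-style fields per the table above. Added example, not the OFFICE_365 parser."""
import re
from typing import Any

# Constructed sample record; the additionalDetails payload shape is an assumption.
SAMPLE_RECORD: dict[str, Any] = {
    "ResultStatus": "Success",
    "Version": 1,
    "ActorIpAddress": "203.0.113.10:51234",
    "Actor": [{"ID": "admin@example.com", "Type": 5}],
    "ExtendedProperties": [
        {"Name": "additionalDetails",
         "Value": '[{"key":"User-Agent","value":"Mozilla/5.0 (Windows NT 10.0) Example/1.0"}]'},
        {"Name": "targetObjectId", "Value": "4f1e9d2a-0000-4000-8000-000000000001"},
        {"Name": "extendedAuditEventCategory", "Value": "Device"},
        {"Name": "actorObjectId", "Value": "7c2b0000-0000-4000-8000-000000000002"},
    ],
    "ModifiedProperties": [
        {"Name": "DeviceOSType", "NewValue": "Windows"},
        {"Name": "DeviceOSVersion", "NewValue": "10.0.19045"},
        {"Name": "DevicePhysicalIds", "NewValue": "[GID]:g:1234567890"},
    ],
    "Target": [
        {"ID": "LAPTOP-EXAMPLE-01", "Type": 1},
        {"ID": "jdoe@example.com", "Type": 5},
        {"ID": "Device", "Type": 2},
    ],
}

# Assumed regex standing in for the parser's Grok pattern on additionalDetails.
USER_AGENT_RE = re.compile(r'"User-Agent"\s*,\s*"value"\s*:\s*"([^"]*)"')

# ModifiedProperties Name -> UDM field, as listed in the table.
MODIFIED_PROPERTY_FIELDS = {
    "DeviceOSType": "target.platform",
    "DeviceOSVersion": "target.platform_version",
    "DevicePhysicalIds": "security_result.description",
    "DisplayName": "target.resource.name",
    "Included Updated Properties": "security_result.summary",
}


def _add_label(udm: dict[str, Any], path: str, key: str, value: str) -> None:
    # Repeated key/value UDM fields (labels, additional.fields, detection_fields).
    udm.setdefault(path, []).append({"key": key, "value": value})


def normalize_delete_device(record: dict[str, Any]) -> dict[str, Any]:
    """Return a flat dict of UDM field paths for one "Delete device" record."""
    udm: dict[str, Any] = {
        "metadata.event_type": "USER_RESOURCE_DELETION",
        "target.resource.resource_type": "DEVICE",
        "metadata.product_version": str(record.get("Version", "")),
    }
    # ResultStatus decides the security_result action.
    status = record.get("ResultStatus")
    if status == "Success":
        udm["security_result.action"] = "ALLOW"
    elif status == "Failure":
        udm["security_result.action"] = "BLOCK"
    # ActorIpAddress may carry "ip:port"; split it into principal.ip and principal.port.
    addr = str(record.get("ActorIpAddress", ""))
    if addr.count(":") == 1:
        ip, port = addr.split(":")
        udm["principal.ip"], udm["principal.port"] = ip, int(port)
    elif addr:
        udm["principal.ip"] = addr
    for actor in record.get("Actor", []):
        _add_label(udm, "security_result.detection_fields", "Actor", str(actor.get("ID", "")))
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), str(prop.get("Value", ""))
        if name == "additionalDetails":
            match = USER_AGENT_RE.search(value)
            if match:
                udm["network.http.user_agent"] = match.group(1)
        elif name == "targetObjectId":
            udm["target.resource.product_object_id"] = value
        elif name == "extendedAuditEventCategory":
            _add_label(udm, "target.resource.attribute.labels", name, value)
        else:
            _add_label(udm, "additional.fields", name, value)
    # ModifiedProperties: only entries with a non-empty NewValue are mapped (assumption).
    for prop in record.get("ModifiedProperties", []):
        field = MODIFIED_PROPERTY_FIELDS.get(prop.get("Name"))
        if field and prop.get("NewValue"):
            udm[field] = prop["NewValue"]
    # Target: Type 1 is the fallback resource name (DisplayName wins when present),
    # Type 5 is the user; other types go to detection_fields under an assumed "Target" key.
    for entry in record.get("Target", []):
        tid, ttype = str(entry.get("ID", "")), entry.get("Type")
        if ttype == 1:
            udm.setdefault("target.resource.name", tid)
        elif ttype == 5:
            if "@" in tid:
                udm.setdefault("target.user.email_addresses", []).append(tid)
            else:
                udm["target.user.userid"] = tid
        else:
            _add_label(udm, "security_result.detection_fields", "Target", tid)
    return udm
```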

Add registered users to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered users to device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add registered owner to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered owner to device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add owner to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product_object_id

target.group.group_display_name

If Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add OAuth2PermissionGrant

The following table lists the log fields and corresponding UDM mappings for the operation "Add OAuth2PermissionGrant" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summary

If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add device

The following table lists the log fields and corresponding UDM mappings for the operation "Add device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If a DisplayName value is present in the ModifiedProperties field, it is mapped to the target.resource.name UDM field; otherwise, the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType, then NewValue is mapped to target.platform

If Name is DeviceOSVersion, then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds, then NewValue is mapped to security_result.description

If Name is DisplayName, then NewValue is mapped to target.resource.name

If Name is Included Updated Properties, then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add app role assignment grant to user

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment grant to user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

Workload is mapped to intermediary.application

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.user.userid or target.user.email_addresses

If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Consent to application

The following table lists the log fields and corresponding UDM mappings for the operation "Consent to application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Update service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add member to role

The following table lists the log fields and corresponding UDM mappings for the operation "Add member to role" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is Success, then Action is set to ALLOW and security_result.summary is set to Added a user to an admin role successfully

If ResultStatus is Failure, then Action is set to BLOCK and security_result.summary is set to Added a user to an admin role failed

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.attribute.roles.name

target.resource.attribute.labels.key/value

If Name is Role.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Role.DisplayName then NewValue is mapped to target.user.attribute.roles.name

If Name is Role.TemplateId then NewValue and OldValue are mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove member from role

The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from role" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is Success, then Action is set to ALLOW and security_result.summary is set to Removed a user to an admin role successfully

If ResultStatus is Failure, then Action is set to BLOCK and security_result.summary is set to Removed a user to an admin role failed

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; otherwise, ID is mapped to security_result.detection_fields.key/value.

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
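
As an added worked example (not code from this page or from the Google Security Operations parser), the following Python applies the mapping rules in the "Add member to role" and "Remove member from role" tables above to a constructed audit record, so a detection engineer can see which UDM fields an admin-role assignment lands in before writing rules against them. The sample record values, the User-Agent regex standing in for the parser's Grok pattern (which the page does not print), and the label keys used for Target and Role.TemplateId entries are assumptions.

```python
import re

# Constructed sample record (not from the page or Microsoft); field names follow the tables above.
SAMPLE_RECORD = {
    "Operation": "Add member to role",
    "Workload": "AzureActiveDirectory",
    "ResultStatus": "Success",
    "ObjectId": "Global Administrator",
    "Version": 1,
    "ActorIpAddress": "203.0.113.10:51234",
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent":"Mozilla/5.0 (Windows NT 10.0)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "RoleManagement"},
        {"Name": "resultType", "Value": "Success"},
    ],
    "ModifiedProperties": [
        {"Name": "Role.ObjectId", "NewValue": "role-object-id-placeholder", "OldValue": ""},
        {"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""},
        {"Name": "Role.TemplateId", "NewValue": "role-template-id-placeholder", "OldValue": ""},
    ],
    "Target": [{"ID": "alice@example.com", "Type": 5}, {"ID": "User", "Type": 2}],
}

# security_result.summary strings exactly as the two mapping tables give them.
SUMMARIES = {
    "Add member to role": ("Added a user to an admin role successfully",
                           "Added a user to an admin role failed"),
    "Remove member from role": ("Removed a user to an admin role successfully",
                                "Removed a user to an admin role failed"),
}

# Assumed stand-in for the parser's Grok pattern, which the page does not print.
USER_AGENT_RE = re.compile(r'"User-Agent"\s*:\s*"([^"]*)"')


def split_ip_port(value):
    """ActorIpAddress may carry a port: '203.0.113.10:51234' -> ('203.0.113.10', 51234)."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}|\[[^\]]+\]):(\d+)", value or "")
    if not m:
        return value, None
    return m.group(1).strip("[]"), int(m.group(2))


def normalize_role_membership(record):
    """Return a flat dict of UDM field path -> value following the two tables above."""
    op = record.get("Operation")
    if op not in SUMMARIES:
        raise ValueError(f"unsupported operation: {op!r}")
    udm = {"metadata.event_type": "USER_UNCATEGORIZED",
           "metadata.product_version": str(record.get("Version", "")),
           "target.url": record.get("ObjectId"),
           "target.resource.attribute.labels": [], "target.user.attribute.labels": [],
           "security_result.detection_fields": [], "additional.fields": []}
    ok_summary, fail_summary = SUMMARIES[op]
    if record.get("ResultStatus") == "Success":
        udm["security_result.action"], udm["security_result.summary"] = "ALLOW", ok_summary
    elif record.get("ResultStatus") == "Failure":
        udm["security_result.action"], udm["security_result.summary"] = "BLOCK", fail_summary

    ip, port = split_ip_port(record.get("ActorIpAddress"))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port

    # ExtendedProperties: Name decides where Value goes.
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "additionalDetails":
            m = USER_AGENT_RE.search(value)
            if m:
                udm["network.http.user_agent"] = m.group(1)
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"].append({"key": name, "value": value})
        else:
            udm["additional.fields"].append({"key": name, "value": value})

    # ModifiedProperties: the Role.* entries identify the admin role granted or revoked.
    for prop in record.get("ModifiedProperties", []):
        name, new = prop.get("Name"), prop.get("NewValue")
        if name == "Role.ObjectId":
            udm["target.resource.product_object_id"] = new
        elif name == "Role.DisplayName":
            udm["target.user.attribute.roles.name"] = new
        elif name == "Role.TemplateId":  # label key names below are an assumed convention
            udm["target.user.attribute.labels"].append({"key": "Role.TemplateId.NewValue", "value": new})
            udm["target.user.attribute.labels"].append({"key": "Role.TemplateId.OldValue", "value": prop.get("OldValue")})

    # Target: Type 5 is the user principal; every other entry becomes a detection field.
    for tgt in record.get("Target", []):
        if tgt.get("Type") == 5:
            if "@" in tgt["ID"]:
                udm.setdefault("target.user.email_addresses", []).append(tgt["ID"])
            else:
                udm["target.user.userid"] = tgt["ID"]
        else:
            udm["security_result.detection_fields"].append({"key": f"Target.Type{tgt.get('Type')}", "value": tgt.get("ID")})
    return udm
```
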

metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add label

The following table lists the log fields and corresponding UDM mappings for the operation "Add label" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is set to target.resource.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Create company

The following table lists the log fields and corresponding UDM mappings for the operation "Create company" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

ObjectId is set to target.resource.product_object_id

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.labels.key/value (deprecated)
TeamGuid additional.fields.key and additional.fields.value.string_value
TeamName target.group.group_display_name
Version metadata.product_version

TeamsSessionStarted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsSessionStarted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupEdited

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_DELETION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_CREATION UDM validation: principal.machineid (an IP address, hostname, assetId, MAC address, or similar machine identifier).

The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some cases the ClientIP field is absent.

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

ShiftAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

ShiftEdited

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

ShiftDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

TimeOffAdded

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

TimeOffEdited

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

TimeOffDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
OpenShift target.resource.attribute.labels.key/value

OpenShiftAdded

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
OpenShift target.resource.attribute.labels.key/value

OpenShiftEdited

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
OpenShift target.resource.attribute.labels.key/value

OpenShiftDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleShared

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleShared" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ClockedIn

The following table lists the log fields and corresponding UDM mappings for the operation "ClockedIn" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

BreakStarted

The following table lists the log fields and corresponding UDM mappings for the operation "BreakStarted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

BreakEnded

The following table lists the log fields and corresponding UDM mappings for the operation "BreakEnded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
ShiftRequest target.resource.attribute.labels.key/value

RequestAdded

The following table lists the log fields and corresponding UDM mappings for the operation "RequestAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
ShiftRequest target.resource.attribute.labels.key/value

RequestRespondedTo

The following table lists the log fields and corresponding UDM mappings for the operation "RequestRespondedTo" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
ShiftRequest target.resource.attribute.labels.key/value

RequestCancelled

The following table lists the log fields and corresponding UDM mappings for the operation "RequestCancelled" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

TeamSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

AppInstalled

The following table lists the log fields and corresponding UDM mappings for the operation "AppInstalled" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
AddOnName target.resource.name
Version metadata.product_version
AppDistributionMode about.labels.key/value (deprecated)
AppDistributionMode additional.fields.key and additional.fields.value.string_value
AzureADAppId about.labels.key/value (deprecated)
AzureADAppId additional.fields.key and additional.fields.value.string_value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.product_object_id

MemberRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRemoved" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
ChatName target.group.group_display_name
ChatThreadId target.user.group_identifiers

target.group.product_object_id

TabRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "TabRemoved" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

AddOnName target.resource.name
ChannelName target.resource.attribute.labels.key/value
TeamName target.group.group_display_name

AppUninstalled

The following table lists the log fields and corresponding UDM mappings for the operation "AppUninstalled" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
AddOnName target.resource.name
Version metadata.product_version
AppDistributionMode about.labels.key/value (deprecated)
AppDistributionMode additional.fields.key and additional.fields.value.string_value
AzureADAppId about.labels.key/value (deprecated)
AzureADAppId additional.fields.key and additional.fields.value.string_value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.product_object_id

MemberAdded

The following table lists the log fields and corresponding UDM mappings for the operation "MemberAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
Version metadata.product_version
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
ChatName target.group.group_display_name
ChatThreadId target.user.group_identifiers

target.group.product_object_id

TabAdded

The following table lists the log fields and corresponding UDM mappings for the operation "TabAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

AddOnName target.resource.name
AddOnUrl target.url
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
TeamName target.group.group_display_name

ClockedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ClockedOut" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ScheduleId target.resource.product_object_id

TeamCreated

The following table lists the log fields and corresponding UDM mappings for the operation "TeamCreated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.resource.product_object_id
TeamName target.resource.name
Version metadata.product_version

BotAddedToTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotAddedToTeam" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid target.resource.product_object_id
AddOnName target.resource.name
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

ChannelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

ConnectorAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

ChannelSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

TeamsTenantSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsTenantSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

MemberRoleChanged

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRoleChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

DisplayName is mapped to about.user.user_display_name

Role is mapped to about.user.attribute.roles.name

UPN is mapped to about.user.email_addresses

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

DeletedAllOrganizationApps

The following table lists the log fields and corresponding UDM mappings for the operation "DeletedAllOrganizationApps" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

ChannelDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

TeamDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.resource.product_object_id
TeamName target.resource.name

BotRemovedFromTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotRemovedFromTeam" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

ConnectorRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorRemoved" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

ConnectorUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorUpdated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name

TabUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "TabUpdated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.resource.name
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.resource.attribute.labels.key/value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
AddOnUrl target.url

Update

The following table lists the log fields and corresponding UDM mappings for the operation "Update" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType If the LogonType log field value is equal to 2, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the LogonType log field value is equal to 3 or 8, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the LogonType log field value is equal to 4, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the LogonType log field value is equal to 5, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the LogonType log field value is equal to 7, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the LogonType log field value is equal to 9, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.

Else, if the LogonType log field value is equal to 9, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the LogonType log field value is equal to 9, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, the extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED.

InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Item network.email.subject, target.resource.product_object_id, target.resource.name, target.file.size, network.email.mail_id, target.file.full_path
Item.Id is mapped to target.resource.product_object_id
Item.Subject is mapped to network.email.subject
Item.SizeInBytes is mapped to target.file.size
Item.ParentFolder.Path is mapped to target.resource.name
Item.InternetMessageId is mapped to network.email.mail_id
Item.Attachments is mapped to target.file.full_path
ModifiedProperties security_result.summary
SessionId network.session_id
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
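
As an added example (not code from the Google SecOps parser or from this document), the following Python normalizer applies the Update/Exchange mappings above to one constructed audit record: the first-match LogonType chain, the ClientIPAddress split into principal.ip and principal.port, the additional.fields copies, and the individually optional Item subfields. The UDM names are used as flat dotted keys, and the sample record, the helper names and the bracketed-IPv6 handling are assumptions.

```python
"""Illustrative normalizer for the Exchange "Update" mapping table above.
Added example, not the Google SecOps OFFICE_365 parser; UDM names are flat dotted keys."""
from __future__ import annotations

import ipaddress
from typing import Any

# LogonType -> extensions.auth.mechanism. The table is an if/else-if chain, so the first
# match wins: its later branches for 9 (REMOTE_INTERACTIVE, CACHED_INTERACTIVE) are unreachable.
LOGON_TYPE_TO_MECHANISM = {2: "INTERACTIVE", 3: "NETWORK", 8: "NETWORK", 4: "BATCH",
                           5: "SERVICE", 7: "UNLOCK", 9: "NEW_CREDENTIALS"}

# Log fields the table keeps as key/value pairs under additional.fields.
ADDITIONAL_FIELD_KEYS = ("InternalLogonType", "MailboxGuid", "MailboxOwnerMasterAccountSid",
                         "AppId", "ClientAppId", "ClientRequestId")

# One-to-one copies from the table, as (log field, UDM field) pairs.
DIRECT_FIELDS = (("MailboxOwnerSid", "target.user.windows_sid"),
                 ("LogonUserSid", "principal.user.windows_sid"),
                 ("LogonUserDisplayName", "principal.user.user_display_name"),
                 ("OrganizationName", "target.administrative_domain"),
                 ("ClientInfoString", "network.http.user_agent"),
                 ("ClientProcessName", "principal.process.file.full_path"),
                 ("SessionId", "network.session_id"))

# Item subfields copied verbatim; each is optional, and Attachments is often absent.
ITEM_FIELDS = (("Id", "target.resource.product_object_id"), ("Subject", "network.email.subject"),
               ("InternetMessageId", "network.email.mail_id"), ("Attachments", "target.file.full_path"))


def mechanism_for(logon_type: Any) -> str:
    """Apply the LogonType branches; anything else is MECHANISM_UNSPECIFIED."""
    try:
        return LOGON_TYPE_TO_MECHANISM.get(int(logon_type), "MECHANISM_UNSPECIFIED")
    except (TypeError, ValueError):
        return "MECHANISM_UNSPECIFIED"


def split_client_ip(value: str) -> tuple[str | None, int | None]:
    """Split ClientIPAddress ("203.0.113.5:443", "[2001:db8::1]:443" or a bare address)
    into principal.ip and principal.port; anything that is not an IP yields (None, None)."""
    value = (value or "").strip()
    if value.startswith("["):            # bracketed IPv6, optionally followed by :port
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:          # IPv4:port
        host, _, port = value.partition(":")
    else:                                # bare IPv4 or bare IPv6
        host, port = value, ""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None, None
    return ip, (int(port) if port.isdigit() else None)


def normalize_exchange_update(record: dict[str, Any]) -> dict[str, Any]:
    """Produce the UDM fields the Update/Exchange table describes for one record."""
    udm: dict[str, Any] = {"metadata.event_type": "EMAIL_UNCATEGORIZED",
                           "extensions.auth.mechanism": mechanism_for(record.get("LogonType"))}
    for src, dst in DIRECT_FIELDS:
        if record.get(src) not in (None, ""):
            udm[dst] = record[src]
    if record.get("MailboxOwnerUPN"):
        udm["target.user.email_addresses"] = [record["MailboxOwnerUPN"]]
    ip, port = split_client_ip(record.get("ClientIPAddress", ""))
    if ip:
        udm["principal.ip"] = [ip]
    if port is not None:
        udm["principal.port"] = port
    udm["additional.fields"] = {k: str(record[k]) for k in ADDITIONAL_FIELD_KEYS
                                if record.get(k) is not None}
    item = record.get("Item") or {}
    for src, dst in ITEM_FIELDS:
        if item.get(src):
            udm[dst] = item[src]
    if item.get("SizeInBytes") is not None:
        udm["target.file.size"] = int(item["SizeInBytes"])
    if (item.get("ParentFolder") or {}).get("Path"):
        udm["target.resource.name"] = item["ParentFolder"]["Path"]
    mods = record.get("ModifiedProperties")
    if mods:
        udm["security_result.summary"] = ", ".join(mods) if isinstance(mods, list) else str(mods)
    return udm


# Constructed sample (not real tenant data) shaped like an Exchange "Update" audit entry.
SAMPLE_RECORD = {
    "Operation": "Update", "Workload": "Exchange", "LogonType": 3, "InternalLogonType": 0,
    "MailboxGuid": "00000000-0000-0000-0000-000000000001", "MailboxOwnerUPN": "alice@example.com",
    "MailboxOwnerSid": "S-1-5-21-1-2-3-1001", "LogonUserSid": "S-1-5-21-1-2-3-1001",
    "LogonUserDisplayName": "Alice Example", "OrganizationName": "example.onmicrosoft.com",
    "ClientInfoString": "Client=OWA", "ClientIPAddress": "203.0.113.5:443",
    "ClientProcessName": "Microsoft.Exchange.WebServices.exe", "ClientRequestId": "req-1",
    "SessionId": "f0f0f0f0-0000-0000-0000-000000000002", "ModifiedProperties": ["Subject", "Body"],
    "Item": {"Id": "AAMkAGExampleItemId=", "Subject": "Quarterly numbers", "SizeInBytes": 4096,
             "InternetMessageId": "<msg-1@example.com>", "ParentFolder": {"Path": "\\Inbox"}},
}

# Running the block normalizes the sample; no Attachments key, so target.file.full_path is absent.
NORMALIZED = normalize_exchange_update(SAMPLE_RECORD)
```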

FolderBind

The following table lists the log fields and corresponding UDM mappings for the operation "FolderBind" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Item target.resource.product_object_id, target.resource.name, network.email.mail_id
Item.id is mapped to target.resource.product_object_id
Item.InternetMessageId is mapped to network.email.mail_id
Item.ParentFolder.Path is mapped to target.resource.name
SessionId network.session_id
Version metadata.product_version

SendOnBehalf

The following table lists the log fields and corresponding UDM mappings for the operation "SendOnBehalf" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Item network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id
Item.InternetMessageId is mapped to network.email.mail_id
Item.Subject is mapped to network.email.subject
Item.Attachments is mapped to target.file.full_path
Item.Id is mapped to target.resource.product_object_id
SessionId network.session_id
SendOnBehalfOfUserSmtp target.user.userid or target.user.email_addresses
Version metadata.product_version

SendAs

The following table lists the log fields and corresponding UDM mappings for the operation "SendAs" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SendAsUserMailboxGuid about.labels.key/value (deprecated)
SendAsUserMailboxGuid additional.fields.key and additional.fields.value.string_value
Item network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id
Item.InternetMessageId is mapped to network.email.mail_id
Item.Subject is mapped to network.email.subject
Item.Attachments is mapped to target.file.full_path
Item.Id is mapped to target.resource.product_object_id
SessionId network.session_id
SendAsUserSmtp target.user.userid or target.user.email_addresses
Version metadata.product_version

Send

The following table lists the log fields and corresponding UDM mappings for the operation "Send" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item network.email.subject, network.email.mail_id, target.file.full_path, target.resource.product_object_id
SessionId network.session_id
Version metadata.product_version

New-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-InboxRule" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION
target.resource.resource_type is set to SETTING
ObjectId is mapped to target.group.product_object_id
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SessionId network.session_id
Version metadata.product_version
Parameters security_result.rule_labels.key/value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value

Set-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-InboxRule" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION
ObjectId is mapped to target.group.product_object_id
target.resource.resource_type is set to SETTING
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters security_result.rule_labels.key/value
SessionId network.session_id
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MoveToDeletedItems

The following table lists the log fields and corresponding UDM mappings for the operation "MoveToDeletedItems" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
DestFolder target.resource.product_object_id, target.resource.name
SessionId network.session_id
Version metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
AffectedItems.Subject is mapped to network.email.subject
AffectedItems.ParentFolder.Path is mapped to about.file.full_path
AffectedItems.0.InternetMessageId is mapped to network.email.mail_id
Folder src.resource.product_object_id, src.resource.name
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value

Move

The following table lists the log fields and corresponding UDM mappings for the operation "Move" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
DestFolder target.resource.product_object_id, target.resource.name
SessionId network.session_id
Version metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
Folder src.resource.product_object_id, src.resource.name

MailItemsAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "MailItemsAccessed" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
OperationProperties security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version
OperationCount about.labels.key/value (deprecated)
OperationCount additional.fields.key and additional.fields.value.string_value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Folders about.resource.name, about.resource.product_object_id, network.email.mail_id
Folders.Path is mapped to about.resource.name
Folders.Id is mapped to about.resource.product_object_id
Folders.0.FolderItems.0.InternetMessageId is mapped to network.email.mail_id

MailboxLogin

The following table lists the log fields and corresponding UDM mappings for the operation "MailboxLogin" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN
extensions.auth.type is set to MACHINE
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SessionId network.session_id
Version metadata.product_version

SoftDelete

The following table lists the log fields and corresponding UDM mappings for the operation "SoftDelete" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
AffectedItems.Attachments is mapped to about.file.full_path
AffectedItems.Subject is mapped to network.email.subject
AffectedItems.0.InternetMessageId is mapped to network.email.mail_id
Folder target.resource.name, target.resource.product_object_id
Folder.Path is mapped to target.resource.name
Folder.Id is mapped to target.resource.product_object_id
SessionId network.session_id
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

HardDelete

The following table lists the log fields and corresponding UDM mappings for the operation "HardDelete" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AffectedItems about.file.full_path, network.email.subject, network.email.mail_id
Version metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Folder target.resource.name, target.resource.product_object_id

Create

The following table lists the log fields and corresponding UDM mappings for the operation "Create" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.resource.name, target.resource.product_object_id, target.file.full_path, network.email.subject, network.email.mail_id
Item.id is mapped to target.resource.product_object_id
Item.InternetMessageId is mapped to network.email.mail_id
Item.ParentFolder.Path is mapped to target.resource.name
Item.Subject is mapped to network.email.subject
Item.Attachments is not present in every log; when present, it is mapped to target.file.full_path
SessionId network.session_id
Version metadata.product_version

RemoveFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
If the ResultStatus log field value is equal to Succeeded, then the security_result.action UDM field is set to ALLOW. Else, the security_result.action UDM field is set to BLOCK.
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.resource.attribute.permissions.name, target.user.email_addresses or target.user.userid
Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid
Item.ParentFolder.Path is mapped to target.file.full_path
User rights is mapped to target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version

ModifyFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "ModifyFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
If the ResultStatus log field value is equal to Succeeded, then the security_result.action UDM field is set to ALLOW. Else, the security_result.action UDM field is set to BLOCK.
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.user.email_addresses or target.user.userid, target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version

AddFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "AddFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
If the ResultStatus log field value is equal to Succeeded, then the security_result.action UDM field is set to ALLOW. Else, the security_result.action UDM field is set to BLOCK.
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.user.email_addresses or target.user.userid, target.resource.attribute.permissions.name
Item.ParentFolder.Path is mapped to target.file.full_path
Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid
User Rights is mapped to target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value

Remove-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MailboxPermission" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION
target.resource.resource_type is set to SETTING
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Add-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxPermission" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id
Version metadata.product_version
AppId target.resource.attribute.labels.key/value
Parameters security_result.detection_fields.key/value
ObjectId target.resource.attribute.labels.key/value

UpdateInboxRules

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInboxRules" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id
Version metadata.product_version
Item target.resource.product_object_id, target.resource.name
Item.ParentFolder.name is mapped to target.resource.name
Item.ParentFolder.id is mapped to target.resource.product_object_id
OperationProperties security_result.rule_id, security_result.rule_name, security_result.detection_fields.key/value
If OperationProperties.Name is RuleId, then OperationProperties.Value is mapped to security_result.rule_id.
If OperationProperties.Name is RuleName, then OperationProperties.Value is mapped to security_result.rule_name.
Else, the OperationProperties Name and Value pair is mapped to security_result.detection_fields.key/value.
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value

UpdateCalendarDelegation

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCalendarDelegation" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to SERVICE_ACCOUNT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version

ApplyRecordLabel

The following table lists the log fields and corresponding UDM mappings for the operation "ApplyRecordLabel" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version

UpdateFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to STORAGE_OBJECT

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version

Set-User

The following table lists the log fields and corresponding UDM mappings for the operation "Set-User" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION

ObjectId is set to target.user.userid or target.user.email_addresses

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
Version metadata.product_version

ViewReport

The following table lists the log fields and corresponding UDM mappings for the operation "ViewReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.name
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is mapped to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
ConsumptionMethod target.labels.key/value (deprecated)
ConsumptionMethod additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkspaceId target.resource.attribute.labels.key/value
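Two rows of the ViewReport table are nested rather than one-to-one: OrgAppPermission fans out into target.user (recipients and permissions), and SharingInformation is a list whose RecipientEmail, RecipientName, ObjectId and ResharePermission all land under about.user. The following is an added example, not the Google Security Operations OFFICE_365 parser: it re-implements the ViewReport table in plain Python and emits one UDM "about" noun per share so that the four values of one recipient stay together. The shape of the two raw fields (OrgAppPermission as an object with recipients and permissions lists, SharingInformation as a list of objects) and every sample value are assumptions; normalize_view_report and SAMPLE_VIEW_REPORT are this example's own names.

```python
"""UDM normalization of a PowerBI "ViewReport" audit record, as an added example.

Not the Google Security Operations OFFICE_365 parser: a plain-Python re-implementation
of the ViewReport table above, written to show its two nested rules, OrgAppPermission
into target.user and the SharingInformation list into one UDM "about" noun per
recipient. The shape of those two raw fields and all sample values are assumptions.
"""
from __future__ import annotations

from typing import Any

# Rows documented as target.resource.attribute.labels.key/value.
RESOURCE_LABELS = ("DashboardName", "DatasetName", "WorkSpaceName", "DatasetId",
                   "ReportType", "WorkspaceId")
# Rows documented as *.labels.key/value (deprecated) and additional.fields.
ADDITIONAL = ("AppName", "DataClassification", "SwitchState", "ActivityId",
              "ConsumptionMethod", "DistributionMethod", "RequestId")


def normalize_view_report(rec: dict[str, Any]) -> dict[str, Any]:
    """Return a UDM-shaped dict for one ViewReport record."""
    resource: dict[str, Any] = {"attribute": {"labels": []}}
    ev: dict[str, Any] = {"metadata": {"event_type": "RESOURCE_READ"},
                          "target": {"resource": resource}, "about": []}
    for key in RESOURCE_LABELS:
        if key in rec:
            resource["attribute"]["labels"].append({"key": key, "value": str(rec[key])})
    for key in ADDITIONAL:
        if key in rec:
            ev.setdefault("additional", {}).setdefault("fields", []).append(
                {"key": key, "value": {"string_value": str(rec[key])}})
    if "ReportName" in rec:
        resource["name"] = rec["ReportName"]
    if "ReportId" in rec:
        resource["product_object_id"] = rec["ReportId"]
    if "UserAgent" in rec:
        ev["network"] = {"http": {"user_agent": rec["UserAgent"]}}
    # OrgAppPermission, assumed as {"recipients": [...], "permissions": [...]}:
    # recipients -> target.user.email_addresses,
    # permissions -> target.user.attribute.permissions.name
    perm = rec.get("OrgAppPermission") or {}
    if perm:
        ev["target"]["user"] = {
            "email_addresses": list(perm.get("recipients") or []),
            "attribute": {"permissions": [{"name": p} for p in perm.get("permissions") or []]},
        }
    # SharingInformation, assumed as a list of shares: one "about" noun per share so
    # that RecipientEmail, RecipientName, ObjectId and ResharePermission stay together.
    for share in rec.get("SharingInformation") or []:
        user: dict[str, Any] = {}
        if share.get("RecipientEmail"):
            user["email_addresses"] = [share["RecipientEmail"]]
        if share.get("RecipientName"):
            user["user_display_name"] = share["RecipientName"]
        if share.get("ObjectId"):
            user["product_object_id"] = share["ObjectId"]
        if share.get("ResharePermission"):
            user["attribute"] = {"permissions": [{"name": share["ResharePermission"]}]}
        if user:
            ev["about"].append({"user": user})
    return ev


SAMPLE_VIEW_REPORT: dict[str, Any] = {  # constructed; not from any real tenant
    "ReportName": "Quarterly sales", "ReportId": "rep-0001", "ReportType": "PowerBIReport",
    "WorkSpaceName": "Finance", "WorkspaceId": "ws-0001",
    "DatasetName": "Sales", "DatasetId": "ds-0001",
    "AppName": "Finance app", "DataClassification": "Confidential",
    "ConsumptionMethod": "Power BI Web", "DistributionMethod": "Shared",
    "RequestId": "req-0002", "ActivityId": "act-0002",
    "UserAgent": "Mozilla/5.0 (constructed sample)",
    "OrgAppPermission": {"recipients": ["viewer@example.com"], "permissions": ["Read"]},
    "SharingInformation": [
        {"RecipientEmail": "a@example.com", "RecipientName": "User A",
         "ObjectId": "u-a", "ResharePermission": "Read"},
        {"RecipientEmail": "b@example.com", "RecipientName": "User B",
         "ObjectId": "u-b", "ResharePermission": "ReadReshare"},
    ],
}
```

Keeping each share in its own about entry is the design choice that matters for review: flattening all RecipientEmail values into one list and all ResharePermission values into another would lose which recipient was granted which reshare right, which is exactly the question an access review of a shared report needs answered.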

GenerateEmbedToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateEmbedToken" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is set to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
ConsumptionMethod target.labels.key/value (deprecated)
ConsumptionMethod additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ReportId target.resource.attribute.labels.key/value
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkspaceId target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
EmbedTokenId target.resource.product_object_id
RLSIdentities about.user.email_addresses

about.user.attribute.roles.name

RLSIdentities.UserName is mapped to about.user.email_addresses

RLSIdentities.Roles is mapped to about.user.attribute.roles.name

CreateDataset

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.name
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

GenerateCustomVisualAADAccessToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateCustomVisualAADAccessToken" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
CustomVisualAccessTokenResourceId target.resource.product_object_id
CustomVisualAccessTokenSiteUri target.url

DeleteOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteOrganizationalGalleryItem" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
OrganizationalGalleryItemId target.resource.product_object_id
OrganizationalGalleryItemDisplayName target.resource.name
OrganizationalGalleryItemPublishTime target.resource.attribute.labels.key/value

DeleteAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteAlmPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineId target.labels.key/value (deprecated)
DeploymentPipelineId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id

AddDatasourceToGateway

The following table lists the log fields and corresponding UDM mappings for the operation "AddDatasourceToGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
GatewayId target.resource.attribute.labels.key/value
GatewayType target.labels.key/value (deprecated)
GatewayType additional.fields.key and additional.fields.value.string_value
DatasourceId target.resource.product_object_id
DatasourceType target.resource.attribute.labels.key/value

AssignWorkspaceToPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "AssignWorkspaceToPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName principal.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId principal.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineId target.labels.key/value (deprecated)
DeploymentPipelineId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id
DeploymentPipelineStageOrder target.labels.key/value (deprecated)
DeploymentPipelineStageOrder additional.fields.key and additional.fields.value.string_value

CancelDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "CancelDataflowRefresh" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value

ChangeCapacityState

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeCapacityState" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CapacityName target.resource.name
CapacityUsers about.labels.key/value (deprecated)
CapacityUsers additional.fields.key and additional.fields.value.string_value
CapacityState target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

ChangeGatewayAdministrators

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeGatewayAdministrators" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
GatewayId target.resource.product_object_id
UserInformation about.user.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

InsertOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "InsertOrganizationalGalleryItem" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
OrganizationalGalleryItemId target.resource.product_object_id
OrganizationalGalleryItemDisplayName target.resource.name
OrganizationalGalleryItemPublishTime target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "CreateAlmPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
DeploymentPipelineId target.labels.key/value (deprecated)
DeploymentPipelineId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

We map this field based on the value of the UpdateApp Operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
security_result.summary is set to "Dashboard created successfully" if IsSuccess is true, otherwise to "Dashboard not created"

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DashboardId target.resource.product_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

CreateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION
security_result.summary is set to "Dataflow created successfully" if IsSuccess is true, otherwise to "Dataflow not created"

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DataflowType target.resource.attribute.labels.key/value
DataflowId target.resource.product_id
WorkspaceId target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value

CreateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "CreateEmailSubscription" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION
security_result.summary is set to "EmailSubscription created successfully" if IsSuccess is true, otherwise to "EmailSubscription not created"
ObjectId is set to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
SubscriptionSchedule target.labels.key/value (deprecated)
SubscriptionSchedule additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
SubscribeeInformation network.email.to
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

CreateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "CreateFolder" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
FolderDisplayName target.resource.name
FolderObjectId target.resource.attribute.labels.key/value

CreateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "CreateGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
GatewayId target.resource.product_object_id
GatewayType target.labels.key/value (deprecated)
GatewayType additional.fields.key and additional.fields.value.string_value

CreateTemplateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTemplateApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
TemplateAppObjectId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

DeleteComment

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteComment" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
AuditedArtifactInformation target.resource.name, target.resource.product_object_id, target.resource.attribute.labels.key/value (Name is mapped to target.resource.name; ArtifactObjectId is set to target.resource.product_object_id; AnnotatedItemType is mapped to target.resource.attribute.labels.key/value)

WorkspaceId target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent

DeleteDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
DashboardName target.resource.name
Datasets about.resource.product_object_id, about.resource.name (DatasetId is mapped to about.resource.product_object_id; DatasetName is mapped to about.resource.name)

DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
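To make the CreateDashboard and DeleteDashboard tables concrete, the following Python is an added example, not the Google Security Operations OFFICE_365 parser and not Microsoft code. It applies the documented rows of both tables to a raw PowerBI audit record: the IsSuccess-dependent security_result.summary that only CreateDashboard carries, the DashboardId placement that differs between the two operations (target.resource.product_id versus target.resource.product_object_id), the split between target.resource.attribute.labels and additional.fields, and the SharingInformation and Datasets sub-rows that become repeated about nouns. UDM is modelled as a nested dict keyed by the dotted field names used in the tables, the sample records and tenant domain are constructed, and the external_recipients check is an illustrative use of the mapped about.user.email_addresses field that the page itself does not describe.

```python
import json

# Rows shared by the CreateDashboard and DeleteDashboard tables: raw field ->
# UDM path. A path ending in "labels" becomes a key/value label entry.
COMMON_ROWS = {
    "UserAgent": "network.http.user_agent",
    "DatasetName": "target.resource.attribute.labels",
    "ReportName": "target.resource.attribute.labels",
    "WorkSpaceName": "target.resource.attribute.labels",
    "WorkspaceId": "target.resource.attribute.labels",
}
# Fields routed to additional.fields.key / value.string_value (the *.labels
# placement the tables mark deprecated is not emitted here).
ADDITIONAL_FIELDS = ("AppName", "DataClassification", "SwitchState",
                     "RequestId", "ActivityId", "DistributionMethod")
# Per-operation rows: event type, where DashboardId lands, and the
# IsSuccess-dependent summary that only CreateDashboard carries.
OPERATIONS = {
    "CreateDashboard": ("USER_RESOURCE_CREATION", "target.resource.product_id",
                        ("Dashboard created successfully", "Dashboard not created")),
    "DeleteDashboard": ("USER_RESOURCE_DELETION", "target.resource.product_object_id", None),
}

def _node(udm, path):
    """Walk a dotted UDM path, creating intermediate dicts; return (parent, leaf key)."""
    node = udm
    *parents, leaf = path.split(".")
    for part in parents:
        node = node.setdefault(part, {})
    return node, leaf

def _set(udm, path, value):
    parent, leaf = _node(udm, path)
    parent[leaf] = value

def _append(udm, path, entry):
    parent, leaf = _node(udm, path)
    parent.setdefault(leaf, []).append(entry)

def normalize(record):
    """Map one raw PowerBI audit record (JSON string or dict) to a UDM-shaped dict."""
    rec = json.loads(record) if isinstance(record, str) else dict(record)
    spec = OPERATIONS.get(rec.get("Operation"))
    if spec is None or rec.get("Workload") != "PowerBI":
        raise ValueError(f"unsupported record: {rec.get('Workload')}/{rec.get('Operation')}")
    event_type, id_path, summary = spec
    udm = {"metadata": {"event_type": event_type}}
    if summary is not None:  # CreateDashboard: summary text follows IsSuccess
        _append(udm, "security_result",
                {"summary": summary[0] if rec.get("IsSuccess") is True else summary[1]})
    if "DashboardName" in rec:
        _set(udm, "target.resource.name", rec["DashboardName"])
    if "DashboardId" in rec:
        _set(udm, id_path, rec["DashboardId"])
    for field, path in COMMON_ROWS.items():
        if field in rec and path.endswith("labels"):
            _append(udm, path, {"key": field, "value": str(rec[field])})
        elif field in rec:
            _set(udm, path, rec[field])
    for field in ADDITIONAL_FIELDS:
        if field in rec:
            _append(udm, "additional.fields",
                    {"key": field, "value": {"string_value": str(rec[field])}})
    # SharingInformation: one about.user noun per recipient, per the sub-rows.
    for share in rec.get("SharingInformation") or []:
        user = {}
        if "RecipientEmail" in share:
            user["email_addresses"] = [share["RecipientEmail"]]
        if "RecipientName" in share:
            user["user_display_name"] = share["RecipientName"]
        if "ObjectId" in share:
            user["product_object_id"] = share["ObjectId"]
        if "ResharePermission" in share:
            user["attribute"] = {"permissions": [{"name": share["ResharePermission"]}]}
        _append(udm, "about", {"user": user})
    # DeleteDashboard: Datasets -> one about.resource noun per dataset.
    for ds in rec.get("Datasets") or []:
        _append(udm, "about", {"resource": {"product_object_id": ds.get("DatasetId"),
                                            "name": ds.get("DatasetName")}})
    return udm

def external_recipients(udm, tenant_domains):
    """Illustrative check (not from the page): recipients in about.user.email_addresses
    whose domain is not one of the tenant's own domains."""
    domains = {d.lower() for d in tenant_domains}
    return [addr for noun in udm.get("about", [])
            for addr in noun.get("user", {}).get("email_addresses", [])
            if addr.rsplit("@", 1)[-1].lower() not in domains]

# Constructed sample records; IDs, names and addresses are made up.
SAMPLE_CREATE = {
    "Operation": "CreateDashboard", "Workload": "PowerBI", "IsSuccess": True,
    "DashboardName": "Quarterly Revenue", "DashboardId": "0b1e5c3a-1111-4d2e-9a7f-222233334444",
    "WorkspaceId": "5f6a7b8c-5555-4e6f-8a9b-666677778888", "WorkSpaceName": "Finance",
    "AppName": "Finance App", "UserAgent": "Mozilla/5.0",
    "SharingInformation": [{"RecipientEmail": "partner@example.net", "RecipientName": "Partner",
                            "ObjectId": "9c0d1e2f-9999-4a0b-8c1d-000011112222",
                            "ResharePermission": "Read"}],
}
SAMPLE_DELETE = {
    "Operation": "DeleteDashboard", "Workload": "PowerBI", "WorkSpaceName": "Finance",
    "DashboardName": "Quarterly Revenue", "DashboardId": "0b1e5c3a-1111-4d2e-9a7f-222233334444",
    "Datasets": [{"DatasetId": "3d4e5f6a-3333-4b7c-9d8e-444455556666", "DatasetName": "Sales"}],
}

if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_CREATE), indent=2))
    print("external recipients:", external_recipients(normalize(SAMPLE_CREATE), {"example.com"}))
```

The table-driven layout is deliberate: the rows that differ between the two operations are confined to OPERATIONS, so adding another PowerBI operation from this page means adding one tuple rather than another copy of the mapping loop. Feed the result to a detection by reading the normalized paths (for example security_result.summary or about.user.email_addresses) rather than the raw field names, which is what the tables are for.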

DeleteDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

DeleteDataset

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

DeleteEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteEmailSubscription" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_DELETION
ObjectId is set to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses, target.user.attribute.permissions.name (mapped based on the value of the UpdateApp operation: recipients is mapped to target.user.email_addresses; permissions is mapped to target.user.attribute.permissions.name)
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, about.user.attribute.permissions.name (RecipientEmail is mapped to about.user.email_addresses; RecipientName is mapped to about.user.user_display_name; ObjectId is set to about.user.product_object_id; ResharePermission is mapped to about.user.attribute.permissions.name)

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

DeleteFolder

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFolder" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
security_result.action is set to ALLOW if IsSuccess is true, otherwise to BLOCK

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.