Collect Microsoft 365 logs
This document describes how you can collect Microsoft 365 logs by setting up a Chronicle feed and how log fields map to Chronicle Unified Data Model (UDM) fields. This document also lists the supported audited activities and supported Microsoft 365 version.
For an overview about data ingestion to Chronicle, see Data ingestion to Chronicle.
Overview
The following deployment architecture diagram shows how Microsoft 365 and a Chronicle feed are configured to send logs to Chronicle. Each customer deployment might differ from this representation and might be more complex.
The architecture diagram shows the following components:
Microsoft 365. The Microsoft 365 service from which you collect logs.
Chronicle feed. The Chronicle feed that fetches logs from Microsoft 365 and writes logs to Chronicle.
Chronicle. Chronicle retains and analyzes the logs from Microsoft 365.
An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.
Before you begin
Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later and verify that you have a Microsoft 365 Enterprise E5 subscription with the Microsoft Security and Compliance Center feature.
Grant the required privileges and permissions to the user to generate and export different events for all the supported Microsoft products. For an example permission, see Permissions to access management APIs.
Configure Microsoft 365 to search and export logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. It takes up to 24 hours to generate the logs. For more information, see Search the audit log.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Review the activities and products that the Chronicle parser supports. The following table lists the activities and products that the Chronicle parser supports:
Activities | Products |
---|---|
File and page activities | SharePoint Online and OneDrive for Business |
Folder activities | SharePoint Online and OneDrive for Business |
SharePoint list activities | SharePoint Online |
Sharing and access request activities | SharePoint Online and OneDrive for Business |
Synchronization activities | SharePoint Online and OneDrive for Business |
Site permissions activities | SharePoint Online |
Site administration activities | SharePoint Online |
Exchange mailbox activities | Microsoft 365 Group mailboxes |
User administration activities | Microsoft 365 admin center |
Azure AD group administration activities | Microsoft 365 admin center |
Application administration activities | When an administrator adds or changes an application that is registered in Azure AD |
Role administration activities | Microsoft 365 admin center |
Directory administration activities | Microsoft 365 admin center |
Power BI activities | Power BI |
Microsoft Teams activities | Microsoft Teams |
Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
Microsoft Teams Healthcare activities | Patients application in Microsoft Teams |
Microsoft Teams Shifts activities | Shifts app in Microsoft Teams |
Yammer activities | Yammer |
Microsoft Power Automate activities | Power Automate (formerly called Microsoft Flow) |
Microsoft PowerApps activities | Power Apps |
Microsoft Stream activities | Microsoft Stream |
Quarantine activities | Quarantine email messages in Office 365 |
Microsoft Forms activities | Microsoft Teams |
Sensitivity label activities | Labeling activities for SharePoint Online and Teams |
Retention policy and retention label activities | NA |
Briefing email activities | Briefing email |
MyAnalytics activities | MyAnalytics |
Information barriers activities | NA |
Disposition review activities | NA |
Communication compliance activities | NA |
Undefined Activity | NA |
Configure a feed in Chronicle to ingest Microsoft 365 logs
- Go to Chronicle settings, and click Feeds.
- Click Add New.
- Select Third party API for Source Type.
- Select Office 365 for Log Type.
- Click Next.
- Based on the Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret, and Tenant ID details.
- Select the Content type for which you are creating this feed. You must create a separate feed for each content type that you require.
- Click Next and then Submit.
For more information about Chronicle feeds, see Chronicle feeds documentation.
Field mapping reference
This section explains how the Chronicle parser maps Microsoft 365 log fields to Chronicle Unified Data Model (UDM) fields for the supported operations and workloads.
Common fields
The following table lists the common log fields and their corresponding UDM fields.
Common log field | UDM field |
---|---|
ID | metadata.product_log_id |
RecordType | security_result.detection_fields.key/value. security_result.detection_fields.key is set to {RecordType} - RecordTypeNameFromDoc; security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc. |
CreationTime | metadata.event_timestamp |
Operation | metadata.product_event_type |
OrganizationId | principal.resource.product_object_id |
UserType | principal.user.attribute.roles.name |
UserId | principal.user.email_addresses or principal.user.userid; target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant, then UserId is mapped to target.user; otherwise UserId is mapped to principal.user. If the UserId value contains an email address, it is mapped to email_addresses; otherwise it is mapped to userid. |
ClientIP | principal.ip and principal.port |
Workload | target.application |
AppAccessContext | network.session.id and security_result.detection_fields.key/value. AADSessionId is mapped to network.session.id; CorrelationId is mapped to security_result.detection_fields.key/value. |
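
The routing rules in the common-fields table, applied to constructed sample records. This is an added illustration, not Chronicle's parser code. The email shape check, the ClientIP formats handled, the `CorrelationId` detection-field key name and the flat dotted-key output are assumptions; RecordType is left out because its name and description come from Microsoft's record-type documentation.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Operations for which the table maps UserId to target.user, not principal.user.
TARGET_USER_OPERATIONS = {
    "UserLoggedIn", "UserLoginFailed", "Add OAuth2PermissionGrant",
    "TeamsUserSignedOut", "Add delegated permission grant",
}
# Assumption: a simple shape check stands in for "contains email address".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample audit records (not real tenant data).
SAMPLE_RECORDS = json.loads("""
[
 {"Id": "11111111-0000-0000-0000-000000000001", "CreationTime": "2023-01-15T10:22:31",
  "Operation": "FileAccessed", "OrganizationId": "22222222-0000-0000-0000-000000000002",
  "UserType": 0, "UserId": "alice@example.com", "ClientIP": "203.0.113.7:51544",
  "Workload": "SharePoint",
  "AppAccessContext": {"AADSessionId": "sess-0001", "CorrelationId": "corr-0001"}},
 {"Id": "11111111-0000-0000-0000-000000000002", "CreationTime": "2023-01-15T10:25:02",
  "Operation": "UserLoggedIn", "UserType": 0, "UserId": "bob@example.com",
  "ClientIP": "[2001:db8::1]:443", "Workload": "AzureActiveDirectory"},
 {"Id": "11111111-0000-0000-0000-000000000003", "CreationTime": "2023-01-15T10:31:47",
  "Operation": "FileDeleted", "UserId": "33333333-0000-0000-0000-000000000003",
  "ClientIP": "198.51.100.20", "Workload": "OneDrive"}
]
""")


def split_client_ip(value):
    """Split ClientIP into (ip, port); port is None when the value carries none."""
    value = (value or "").strip()
    if not value:
        return None, None
    if value.startswith("["):              # "[2001:db8::1]:443"
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":")
    elif value.count(":") == 1:            # "203.0.113.7:51544"
        host, _, port = value.partition(":")
    else:                                  # bare IPv4 or bare IPv6
        host, port = value, ""
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        return None, None                  # not an address: map nothing
    return ip, int(port) if port.isdigit() else None


def map_common_fields(record):
    """Return a flat dict keyed by the UDM paths named in the common-fields table."""
    udm = {
        "metadata.product_log_id": record.get("Id") or record.get("ID"),
        "metadata.product_event_type": record.get("Operation"),
        "principal.resource.product_object_id": record.get("OrganizationId"),
        "target.application": record.get("Workload"),
    }
    if record.get("CreationTime"):
        # Audit timestamps are UTC; make that explicit in the output.
        created = datetime.fromisoformat(record["CreationTime"])
        udm["metadata.event_timestamp"] = created.replace(tzinfo=timezone.utc).isoformat()
    if record.get("UserType") is not None:
        udm["principal.user.attribute.roles.name"] = str(record["UserType"])

    user_id = record.get("UserId")
    if user_id:
        # Sign-in and consent operations describe the account being acted on.
        noun = "target" if record.get("Operation") in TARGET_USER_OPERATIONS else "principal"
        leaf = "email_addresses" if EMAIL_RE.match(user_id) else "userid"
        udm[f"{noun}.user.{leaf}"] = user_id

    ip, port = split_client_ip(record.get("ClientIP"))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port

    ctx = record.get("AppAccessContext") or {}
    if ctx.get("AADSessionId"):
        udm["network.session.id"] = ctx["AADSessionId"]
    if ctx.get("CorrelationId"):
        udm["security_result.detection_fields"] = [
            {"key": "CorrelationId", "value": ctx["CorrelationId"]}]
    return {k: v for k, v in udm.items() if v is not None}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(json.dumps(map_common_fields(rec), indent=2))
```

A detection rule written against `principal.user` will not match sign-in events, because the table routes their UserId to `target.user`.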
For reference information about UDM mappings for supported operations, refer to the following sections:
FileAccessed
The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileAccessedExtended
The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessedExtended" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "FileDeleted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCopied
The following table lists the log fields and corresponding UDM mappings for the operation "FileCopied" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_COPY. target.resource.resource_type is set to STORAGE_OBJECT. |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path. Extract: SourceFileUrl is mapped to src_file_full_path; TargetFileUrl is mapped to target_file_full_path. |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileModified
The following table lists the log fields and corresponding UDM mappings for the operation "FileModified" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MODIFICATION. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileDownloaded
The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloaded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
UserSessionId | network.http.session_id |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ZipFileName | principal.resource.parent |
FileModifiedExtended
The following table lists the log fields and corresponding UDM mappings for the operation "FileModifiedExtended" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MODIFICATION. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileMoved
The following table lists the log fields and corresponding UDM mappings for the operation "FileMoved" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FilePreviewed
The following table lists the log fields and corresponding UDM mappings for the operation "FilePreviewed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRenamed
The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_MOVE. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | src.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ApplicationDisplayName | target.application |
FileUploaded
The following table lists the log fields and corresponding UDM mappings for the operation "FileUploaded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_SYNC. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ImplicitShare | target.resource.attribute.labels.key/value |
FileVersionsAllDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllDeleted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
FileCheckedIn
The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedIn" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | workload map with intermediary.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckedOut
The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedOut" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_RESOURCE_ACCESS. target.resource.resource_type is set to STORAGE_OBJECT. |
ObjectId | target.url |
Site | Uniquely identifies a resource in the site, such as a file or folder |
ItemType | This field contains values like File, Folder, Web, Site, Tenant, and DocumentLibrary |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | Information about the user's browser. This information is provided by the browser. |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | Cannot be mapped to target.file.full_path because the SiteUrl field does not contain a value related to a system path |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ComplianceSettingChanged
The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSettingChanged" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SharingType | target.labels.key/value |
LockRecord
The following table lists the log fields and corresponding UDM mappings for the operation "LockRecord" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnlockRecord
The following table lists the log fields and corresponding UDM mappings for the operation "UnlockRecord" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedFirstStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedFirstStageRecycleBin" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileDeletedSecondStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedSecondStageRecycleBin" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
| | metadata.event_type is mapped to FILE_DELETION. |
ObjectId | target.url |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
RecordDelete
The following table lists the log fields and corresponding UDM mappings for the operation "RecordDelete" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
DocumentSensitivityMismatchDetected
The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileCheckOutDiscarded
The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckOutDiscarded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllMinorsRecycled
The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllMinorsRecycled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionsAllRecycled
The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllRecycled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileVersionRecycled
The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionRecycled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileRestored
The following table lists the log fields and corresponding UDM mappings for the operation "FileRestored" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
WebId | about.labels.key/value |
SharingType | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileMalwareDetected
The following table lists the log fields and corresponding UDM mappings for the operation "FileMalwareDetected" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
VirusInfo | security_result.threat_name |
VirusVendor | target.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
SearchQueryPerformed
The following table lists the log fields and corresponding UDM mappings for the operation "SearchQueryPerformed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT; target.resource.resource_type is set to STORAGE_OBJECT | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventData | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PageViewed
The following table lists the log fields and corresponding UDM mappings for the operation "PageViewed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
PagePrefetched
The following table lists the log fields and corresponding UDM mappings for the operation "PagePrefetched" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ClientViewSignaled
The following table lists the log fields and corresponding UDM mappings for the operation "ClientViewSignaled" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url. NOTE: Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate. | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
PageViewedExtended
The following table lists the log fields and corresponding UDM mappings for the operation "PageViewedExtended" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FolderCreated
The following table lists the log fields and corresponding UDM mappings for the operation "FolderCreated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeleted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderMoved
The following table lists the log fields and corresponding UDM mappings for the operation "FolderMoved" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_MOVE; target.resource.resource_type is set to STORAGE_OBJECT | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}. The SourceRelativeUrl field is not received in the log. |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. The DestinationRelativeUrl field is not received in the log. |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. The DestinationFileName field is not received in the log. |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | src.file.full_path and target.file.full_path. Extracted with grok: SourceFileUrl is mapped to src_file_full_path and TargetFileUrl is mapped to target_file_full_path, using the pattern {SourceFileUrl}{src_file_full_path}{/SourceFileUrl}{TargetFileUrl}{target_file_full_path}{/TargetFileUrl} |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
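The FolderMoved table above notes that the relative-URL and destination fields may not arrive in the log, in which case the paths come from EventData. The following added example (not Chronicle's parser code) shows that fallback in Python; the angle-bracket element syntax inside EventData, the fields-first precedence, and the `path_origin` key are assumptions, and the sample records are constructed.

```python
import json
import re

# Element names (SourceFileUrl, TargetFileUrl) and capture names come from the
# FolderMoved table. ASSUMPTION: EventData wraps them in angle-bracket tags.
_EVENTDATA_RE = re.compile(
    r"<SourceFileUrl>(?P<src_file_full_path>.*?)</SourceFileUrl>\s*"
    r"<TargetFileUrl>(?P<target_file_full_path>.*?)</TargetFileUrl>",
    re.DOTALL,
)


def _join(relative_url, file_name):
    """Build {RelativeUrl}/{FileName}; return None if either part is absent."""
    if not relative_url or not file_name:
        return None
    return f"{relative_url.rstrip('/')}/{file_name}"


def folder_moved_paths(record):
    """Resolve source and target paths for a FolderMoved audit record.

    ASSUMPTION: dedicated fields win; EventData is used only to fill a path
    that the dedicated fields could not supply.
    """
    src = _join(record.get("SourceRelativeUrl"), record.get("SourceFileName"))
    dst = _join(record.get("DestinationRelativeUrl"),
                record.get("DestinationFileName"))
    origin = "fields"

    if src is None or dst is None:
        match = _EVENTDATA_RE.search(record.get("EventData") or "")
        if match:
            src = src or match.group("src_file_full_path")
            dst = dst or match.group("target_file_full_path")
            origin = "EventData"
        else:
            # Neither source yielded both paths; surface this so the event
            # is not silently treated as a complete FILE_MOVE.
            origin = "missing"

    return {
        "metadata.event_type": "FILE_MOVE",
        "src.file.full_path": src,
        "target.file.full_path": dst,
        "path_origin": origin,  # hypothetical helper key, not a UDM field
    }


# Constructed sample records (not real tenant data).
SAMPLES = [json.loads(line) for line in (
    # 1. All dedicated fields present.
    '{"Operation": "FolderMoved", "SourceRelativeUrl": "Shared Documents/Finance",'
    ' "SourceFileName": "Q3", "DestinationRelativeUrl": "Shared Documents/Archive",'
    ' "DestinationFileName": "Q3"}',
    # 2. Relative-URL and destination fields absent; paths only in EventData.
    '{"Operation": "FolderMoved", "SourceFileName": "Q3", "EventData":'
    ' "<SourceFileUrl>https://contoso.example/sites/fin/Finance/Q3</SourceFileUrl>'
    '<TargetFileUrl>https://contoso.example/sites/fin/Archive/Q3</TargetFileUrl>"}',
    # 3. No usable path information at all.
    '{"Operation": "FolderMoved", "SourceFileName": "Q3"}',
)]

RESULTS = [folder_moved_paths(r) for r in SAMPLES]

if __name__ == "__main__":
    for result in RESULTS:
        print(json.dumps(result, indent=2))
```

Records that resolve with `path_origin` set to `missing` are worth counting during feed validation, since a FILE_MOVE event without paths cannot be matched by path-based detection rules.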
FolderRenamed
The following table lists the log fields and corresponding UDM mappings for the operation "FolderRenamed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_MOVE | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderModified
The following table lists the log fields and corresponding UDM mappings for the operation "FolderModified" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderCopied
The following table lists the log fields and corresponding UDM mappings for the operation "FolderCopied" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_COPY; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path |
SourceRelativeUrl | src.file.full_path |
DestinationRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderRestored
The following table lists the log fields and corresponding UDM mappings for the operation "FolderRestored" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_UNCATEGORIZED; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
DestinationRelativeUrl | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileName | target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName} |
DestinationFileExtension | target.file.mime_type |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedFirstStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedFirstStageRecycleBin" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FolderDeletedSecondStageRecycleBin
The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedSecondStageRecycleBin" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_DELETION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedFull
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedFull" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is set to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SourceRelativeUrl | src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName} |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncDownloadedPartial
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedPartial" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to src.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | src.file.mime_type |
SourceFileName | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | src.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | src.file.size |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedFull
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedFull" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
FileSyncUploadedPartial
The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedPartial" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
FileSyncBytesCommitted | target.file.size |
ImplicitShare | target.resource.attribute.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
ManagedSyncClientAllowed
The following table lists the log fields and corresponding UDM mappings for the operation "ManagedSyncClientAllowed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_WRITTEN | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
UnmanagedSyncClientBlocked
The following table lists the log fields and corresponding UDM mappings for the operation "UnmanagedSyncClientBlocked" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
SensitivityLabelOwnerEmail | security_result.detection_fields.key/value |
SensitivityLabelId | security_result.detection_fields.key/value |
AddedToGroup
The following table lists the log fields and corresponding UDM mappings for the operation "AddedToGroup" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url | |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
EventData | target.group.group_display_name |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupAdded
The following table lists the log fields and corresponding UDM mappings for the operation "GroupAdded" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION; ObjectId is mapped to target.url | |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
Site | target.labels.key/value |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "GroupRemoved" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebRequestAccessModified
The following table lists the log fields and corresponding UDM mappings for the operation "WebRequestAccessModified" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | if Name is RequestAccessEmail then NewValue is mapped to target.user.email_addresses or target.user.userid else target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
WebMembersCanShareModified
The following table lists the log fields and corresponding UDM mappings for the operation "WebMembersCanShareModified" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.labels.key/value |
version | metadata.product_version |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelModified
The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelModified" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
ModifiedProperties | target.resource.attribute.permissions.name. BasePermissions is mapped to target.resource.attribute.permissions.name |
version | metadata.product_version |
WebID | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminAdded
The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminAdded" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If Name is set to SiteAdmin, then NewValue is mapped to target.user.userid or target.user.email_addresses |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
SiteCollectionAdminRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminRemoved" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
ModifiedProperties | If Name is set to SiteAdmin, then NewValue is mapped to target.user.userid or target.user.email_addresses |
AssertingApplicationId | about.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
PermissionLevelRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelRemoved" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
RemovedFromGroup
The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromGroup" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.group.group_display_name |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
GroupUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "GroupUpdated" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.referral_url |
ModifiedProperties | if Name is Name then NewValue is mapped to target.group.group_display_name |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
ApplicationDisplayName | target.application |
ProjectCheckedOut
The following table lists the log fields and corresponding UDM mappings for the operation "ProjectCheckedOut" and workload "Project":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE | |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
ProjectAccessed
The following table lists the log fields and corresponding UDM mappings for the operation "ProjectAccessed" and workload "Project":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT | |
ItemType | target.resource.attribute.labels.key/value |
UserAgent | network.http.user_agent |
CorrelationId | security_result.detection_fields.key/value |
Entity | metadata.product_name |
Version | metadata.product_version |
Action | security_result.description |
OnBehalfOfResId | about.labels.key/value |
SharingInheritanceBroken
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInheritanceBroken" and workload "SharePoint":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SharingType | target.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ApplicationDisplayName | target.application |
AddedToSecureLink
The following table lists the log fields and corresponding UDM mappings for the operation "AddedToSecureLink" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
CorrelationId | security_result.detection_fields.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } }. Type is mapped to target.resource.attribute.labels.key/value. MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value. |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
UniqueSharingId | target.labels.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
ApplicationDisplayName | target.application |
CompanyLinkCreated
The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkCreated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
ApplicationDisplayName | target.application |
CompanyLinkUsed
The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkUsed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SecureLinkCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkCreated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
SharingInvitationCreated
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationCreated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Sharing level is mapped to target.resource.attribute.labels.key/value. ExpirationDate is mapped to target.resource.attribute.labels.key/value. MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value. |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkDeleted
The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkDeleted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION; ObjectId is mapped to target.url | |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type> } }. Type is mapped to target.resource.attribute.labels.key/value. |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
RemovedFromSecureLink
The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSecureLink" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } }. Type is mapped to target.resource.attribute.labels.key/value. MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value. |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, then TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
SharingInvitationRevoked
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationRevoked" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path |
SourceRelativeUrl | target.file.full_path |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUpdated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } }. Type is mapped to target.resource.attribute.labels.key/value. MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value. |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
SecureLinkUsed
The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUsed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
UniqueSharingId | target.labels.key/value |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SharingRevoked
The following table lists the log fields and corresponding UDM mappings for the operation "SharingRevoked" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS; target.resource.resource_type is set to STORAGE_OBJECT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
SharingSet
The following table lists the log fields and corresponding UDM mappings for the operation "SharingSet" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to FILE_SYNC; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
PermissionLevelAdded
The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelAdded" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.permissions.name. BasePermissions is mapped to target.resource.attribute.permissions.name. |
SharingInvitationAccepted
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationAccepted" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.name. Added to Group is mapped to target.resource.name. |
SharingInvitationBlocked
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationBlocked" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
EventData | security_result.summary. Reason is mapped to security_result.summary. |
AccessRequestCreated
The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestCreated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
EventData | target.resource.attribute.labels.key/value. Sharing level is mapped to target.resource.attribute.labels.key/value. ExpirationDate is mapped to target.resource.attribute.labels.key/value. |
AnonymousLinkCreated
The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkCreated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } }. Type is mapped to target.resource.attribute.labels.key/value. MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value. |
UniqueSharingId | target.labels.key/value |
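
The AnonymousLinkCreated mapping above, worked through on one record as an added Python example (not Chronicle's parser code). The sample record, the regex standing in for the grok pattern (with MembersCanShareApplied made optional so it also covers the Type-only pattern listed for other operations), the use of the log field name as the label key, the "@" test for choosing email_addresses over userid, and the preference for SourceRelativeUrl over SourceFileName are assumptions.

```python
import re

# Assumed regex equivalent of the EventData grok pattern in the table.
# MembersCanShareApplied is optional here (assumption) to cover Type-only data.
EVENT_DATA_RE = re.compile(
    r"<Type>(?P<type_value>[^<]*)</Type>"
    r"(?:<MembersCanShareApplied>(?P<members_share_value>[^<]*)"
    r"</MembersCanShareApplied>)?"
)

# TargetUserOrGroupType values named in the table.
GROUP_TYPES = {"SecurityGroup", "SharepointGroup"}
USER_TYPES = {"Guest", "Member"}

# One-to-one mappings from the AnonymousLinkCreated table.
SCALAR_MAP = {
    "ObjectId": "target.url",
    "EventSource": "principal.application",
    "UserAgent": "network.http.user_agent",
    "MachineId": "target.asset.product_object_id",
    "SiteUrl": "network.http.referral_url",
    "SourceFileExtension": "target.file.mime_type",
    "ApplicationDisplayName": "target.application",
    "ListItemUniqueId": "principal.asset_id",
    "Version": "metadata.product_version",
}

# Fields the table maps to key/value label lists.
LABEL_MAP = {
    "Site": "target.labels",
    "UniqueSharingId": "target.labels",
    "ItemType": "target.resource.attribute.labels",
    "SourceName": "principal.labels",
    "MachineDomainInfo": "target.asset.attribute.labels",
    "WebId": "about.labels",
    "ListId": "security_result.detection_fields",
    "CorrelationId": "security_result.detection_fields",
}


def map_anonymous_link_created(record):
    """Return a flat {udm_path: value} dict for one raw audit record."""
    udm = {"metadata.event_type": "USER_RESOURCE_CREATION"}
    labels = {}

    for field, path in SCALAR_MAP.items():
        if record.get(field):
            udm[path] = record[field]
    for field, path in LABEL_MAP.items():
        if record.get(field):
            # Assumption: the label key is the log field name.
            labels.setdefault(path, {})[field] = record[field]

    # Table: full_path is set to SourceRelativeUrl or SourceFileName.
    # Assumption: SourceRelativeUrl wins when both are present.
    full_path = record.get("SourceRelativeUrl") or record.get("SourceFileName")
    if full_path:
        udm["target.file.full_path"] = full_path

    # Group-type targets go to target.group, user-type targets to target.user.
    name = record.get("TargetUserOrGroupName")
    kind = record.get("TargetUserOrGroupType")
    if name and kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif name and kind in USER_TYPES:
        if "@" in name:  # assumption: an "@" marks an e-mail address
            udm["target.user.email_addresses"] = [name]
        else:
            udm["target.user.userid"] = name
    # Any other type is left unmapped rather than guessed.

    # EventData is an XML-like string; a missing or non-matching value adds nothing.
    match = EVENT_DATA_RE.search(record.get("EventData") or "")
    if match:
        res = labels.setdefault("target.resource.attribute.labels", {})
        res["Type"] = match.group("type_value")
        if match.group("members_share_value") is not None:
            res["MembersCanShareApplied"] = match.group("members_share_value")

    udm.update(labels)
    return udm


# Constructed sample record; every value is illustrative.
SAMPLE_RECORD = {
    "Operation": "AnonymousLinkCreated",
    "Workload": "OneDrive",
    "ObjectId": "https://tenant.example.com/personal/a_user/Documents/plan.xlsx",
    "Site": "11111111-1111-1111-1111-111111111111",
    "ItemType": "File",
    "EventSource": "SharePoint",
    "UserAgent": "Mozilla/5.0 (constructed)",
    "SiteUrl": "https://tenant.example.com/personal/a_user/",
    "SourceRelativeUrl": "Documents",
    "SourceFileName": "plan.xlsx",
    "SourceFileExtension": "xlsx",
    "UniqueSharingId": "22222222-2222-2222-2222-222222222222",
    "TargetUserOrGroupType": "Guest",
    "TargetUserOrGroupName": "guest@example.com",
    "EventData": "<Type>View</Type>"
                 "<MembersCanShareApplied>False</MembersCanShareApplied>",
}

if __name__ == "__main__":
    for path, value in sorted(map_anonymous_link_created(SAMPLE_RECORD).items()):
        print(path, "=", value)
```
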
AccessRequestUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestUpdated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
ModifiedProperties | target.labels.key/value |
CompanyLinkRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkRemoved" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type> } }. Type is mapped to target.resource.attribute.labels.key/value. |
AccessRequestApproved
The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestApproved" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
WebId | about.labels.key/value |
EventData | target.resource.name. Extract using grok: grok { match is mapped to { EventData <Added to group>{target_resource_name}.* } } |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
AnonymousLinkRemoved
The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkRemoved" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION; ObjectId is mapped to target.url | |
Version | metadata.product_version |
CorrelationId | security_result.detection_fields.key/value |
EventSource | principal.application |
ItemType | target.resource.attribute.labels.key/value |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
Site | target.labels.key/value |
UserAgent | network.http.user_agent |
WebId | about.labels.key/value |
EventData | target.resource.attribute.labels.key/value |
SourceFileExtension | target.file.mime_type |
UniqueSharingId | target.labels.key/value |
SiteUrl | network.http.referral_url. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type> } }. Type is mapped to target.resource.attribute.labels.key/value. |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceName | principal.labels.key/value |
MachineDomainInfo | target.asset.attribute.labels.key/value |
ApplicationDisplayName | target.application |
MachineId | target.asset.product_object_id |
AnonymousLinkUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUpdated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UPDATE; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
ApplicationDisplayName | target.application |
WebId | about.labels.key/value |
UniqueSharingId | target.labels.key/value |
EventData | target.resource.attribute.labels.key/value. Extract using grok: grok { match is mapped to { EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied> } }. Type is mapped to target.resource.attribute.labels.key/value. MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value. |
SharingInvitationUpdated
The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationUpdated" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT; ObjectId is mapped to target.url | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
ApplicationDisplayName | target.application |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
ModifiedProperties | target.labels.key/value |
event_type is mapped to USER_RESOURCE_ACCESS | |
Site | target.labels.key/value |
ItemType | target.resource.attribute.labels.key/value |
EventSource | principal.application |
SourceName | principal.labels.key/value |
UserAgent | network.http.user_agent |
MachineDomainInfo | target.asset.attribute.labels.key/value |
MachineId | target.asset.product_object_id |
TargetUserOrGroupName | target.group.group_display_name, or target.user.userid or target.user.email_addresses. If TargetUserOrGroupType has a value like SecurityGroup or SharepointGroup, TargetUserOrGroupName is mapped to target.group.group_display_name. If TargetUserOrGroupType has a value like Guest or Member, TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses. |
SiteUrl | network.http.referral_url |
SourceFileExtension | target.file.mime_type |
SourceFileName | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
SourceRelativeUrl | target.file.full_path is set to SourceRelativeUrl or SourceFileName |
ApplicationDisplayName | target.application |
ListId | security_result.detection_fields.key/value |
ListItemUniqueId | principal.asset_id |
CorrelationId | security_result.detection_fields.key/value |
Version | metadata.product_version |
WebId | about.labels.key/value |
AnonymousLinkUsed
The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUsed" and workload "SharePoint/OneDrive":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_CREATION; if ResultStatus is Success, Action is set to ALLOW and security_result.summary is set to Group creation successful; if ResultStatus is Failure, Action is set to BLOCK and security_result.summary is set to Group creation failed | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value. If Name is set to additionalDetails, User-Agent is extracted and mapped to network.http.user_agent. If Name is set to extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary or target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise it is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add group
The following table lists the log fields and corresponding UDM mappings for the operation "Add group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION; if ResultStatus is Success, Action is set to ALLOW and security_result.summary is set to Group membership updated successfully; if ResultStatus is Failure, Action is set to BLOCK and security_result.summary is set to Group membership update failed | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, or about.labels.key/value. If Name is additionalDetails, User-Agent is extracted and mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the value is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.group.product.object_id and target.group.group_display_name. Group.ObjectId is mapped to target.group.product.object_id. Group.DisplayName is mapped to target.group.group_display_name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, or security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add member to group
The following table lists the log fields and corresponding UDM mappings for the operation "Add member to group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CREATION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent If if else map |
ModifiedProperties | security_result.summary If If |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses If else |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add user
The following table lists the log fields and corresponding UDM mappings for the operation "Add user" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent If if else |
ModifiedProperties | security_result.summary If If If If |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.user.userid or target.user.email_addresses If else |
TargetContextId | target.labels.key/value |
Change user license.
The following table lists the log fields and corresponding UDM mappings for the operation "Change user license." and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary. If Name is Action Client Name, NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Change user password
The following table lists the log fields and corresponding UDM mappings for the operation "Change user password" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_DELETION. If ResultStatus is Success, Action is set to ALLOW and security_result.summary is set to Group deletion successful. If ResultStatus is Failure, Action is set to BLOCK and security_result.summary is set to Group deletion failed. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.group.group_display_name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete group
The following table lists the log fields and corresponding UDM mappings for the operation "Delete group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION. If ResultStatus is Success, Action is set to ALLOW and security_result.summary is set to Group membership updated successfully. If ResultStatus is Failure, Action is set to BLOCK and security_result.summary is set to Group membership update failed. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.group.product.object_id, target.group.group_display_name. Group.ObjectId is mapped to target.group.product.object_id. Group.DisplayName is mapped to target.group.group_display_name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove member from group
The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_DELETION. If status is Success, action is set to ALLOW and security_result.summary is set to User deleted successfully. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary. If Name is Action Client Name, NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete user
The following table lists the log fields and corresponding UDM mappings for the operation "Delete user" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_UNCATEGORIZED | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent If if else |
ModifiedProperties | security_result.summary If If If If |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses If else |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update user
The following table lists the log fields and corresponding UDM mappings for the operation "Update user" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GROUP_MODIFICATION if | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent If if else |
ModifiedProperties | security_result.detection_fields.key/value If If If If If If If |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.group.group_display_name If If else |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update group
The following table lists the log fields and corresponding UDM mappings for the operation "Update group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN. If ResultStatus is Succeeded or ResultStatus is Success, security_result.action is ALLOW and security_result.summary is User login successful. Else if ResultStatus is Failed or LogonError !is, security_result.action is BLOCK, security_result.summary is User login failed, and security_result.description is {LogonError}. UserId is mapped to target.user.userid or target.user.email_addresses. metadata.description is User Login - {Workload}. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS: if Value matches Windows, principal.platform is WINDOWS; if Value matches Mac, principal.platform is MAC; if Value matches Linux, principal.platform is LINUX. If Name is SessionId, Value is mapped to network.session_id. If Name is OS, Value is mapped to principal.platform. If Name is DisplayName, Value is mapped to principal.hostname. |
ErrorCode | security_result.description. security_result.description is set to ErrorCode - {ErrorCode}. |
LogonError | security_result.description |
UserLoggedIn
The following table lists the log fields and corresponding UDM mappings for the operation "UserLoggedIn" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_LOGIN. security_result.Action is set to BLOCK and security_result.summary is User login failed. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, extensions.auth.type, extensions.auth.mechanism. If Name is RequestType and Value matches Saml.* or OAuth2.*, extensions.auth.type is mapped to MACHINE. If Name is RequestType and Value matches Login.*, extensions.auth.type is mapped to REMOTE_INTERACTIVE. If Name is UserAgent, Value is mapped to network.http.user_agent. If Name is UserAuthenticationMethod, extensions.auth.type is mapped based on Value. If Name is requestType, extensions.auth.type is mapped based on Value. |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
DeviceProperties | network.session_id, principal.platform, principal.hostname. If Name is OS: if Value matches Windows, principal.platform is WINDOWS; if Value matches Mac, principal.platform is MAC; if Value matches Linux, principal.platform is LINUX. If Name is SessionId, Value is mapped to network.session_id. If Name is OS, Value is mapped to principal.platform. If Name is DisplayName, Value is mapped to principal.hostname. |
ErrorCode | security_result.description. security_result.description is set to ErrorCode - {ErrorCode}. |
LogonError | security_result.description. If LogonError is UserAccountNotFound, extensions.auth.mechanism is set to USERNAME_PASSWORD. |
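The conditional rules in the table above (ExtendedProperties, DeviceProperties, Target, ActorIpAddress, ErrorCode and LogonError) can be traced in the following Python, which is an added illustration and not Chronicle's parser code. The function names, the "@" test that picks email_addresses over userid, the detection-field key format, the case-insensitive OS match and keeping both description values in a list are assumptions; the sample record is constructed.

```python
import ipaddress
import re

# Constructed sample record (not real tenant data); keys are the log fields
# named in the table above.
SAMPLE_RECORD = {
    "Version": 1,
    "ActorIpAddress": "203.0.113.7:51234",
    "ErrorCode": 50034,
    "LogonError": "UserAccountNotFound",
    "ExtendedProperties": [
        {"Name": "UserAgent", "Value": "Mozilla/5.0 (constructed)"},
        {"Name": "RequestType", "Value": "OAuth2:Token"},
    ],
    "DeviceProperties": [
        {"Name": "OS", "Value": "Windows 10"},
        {"Name": "SessionId", "Value": "constructed-session-0001"},
        {"Name": "DisplayName", "Value": "LAPTOP-EXAMPLE"},
    ],
    "Target": [
        {"ID": "alice@example.com", "Type": 5},
        {"ID": "11111111-2222-3333-4444-555555555555", "Type": 0},
    ],
}

PLATFORMS = (("windows", "WINDOWS"), ("mac", "MAC"), ("linux", "LINUX"))


def split_ip_port(raw):
    """Split 'ip', 'ipv4:port' or '[ipv6]:port' into (ip, port); port may be None."""
    raw = raw.strip()
    host, port = raw, None
    if raw.startswith("["):                 # bracketed IPv6 with optional port
        host, _, rest = raw[1:].partition("]")
        port = rest.lstrip(":") or None
    elif raw.count(":") == 1:               # IPv4 with port
        host, port = raw.split(":")
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:                      # empty or malformed address
        return None, None
    return ip, int(port) if port and port.isdigit() else None


def name_value_pairs(record, field):
    """Yield (Name, Value) from a Name/Value property list, skipping malformed items."""
    for item in record.get(field) or []:
        if isinstance(item, dict) and "Name" in item:
            yield item["Name"], str(item.get("Value", ""))


def map_login_failure(record):
    """Apply the table's rules to one record and return a flat dict of UDM paths."""
    udm = {
        "metadata.event_type": "USER_LOGIN",
        "security_result.action": "BLOCK",
        "security_result.summary": "User login failed",
        "security_result.description": [],       # assumption: keep every value
        "security_result.detection_fields": [],
    }
    if "Version" in record:
        udm["metadata.product_version"] = str(record["Version"])
    ip, port = split_ip_port(str(record.get("ActorIpAddress", "")))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port

    for name, value in name_value_pairs(record, "ExtendedProperties"):
        if name == "UserAgent":
            udm["network.http.user_agent"] = value
        elif name == "RequestType":
            if re.match(r"(Saml|OAuth2).*", value):
                udm["extensions.auth.type"] = "MACHINE"
            elif re.match(r"Login.*", value):
                udm["extensions.auth.type"] = "REMOTE_INTERACTIVE"

    for name, value in name_value_pairs(record, "DeviceProperties"):
        if name == "OS":
            for needle, platform in PLATFORMS:
                if needle in value.lower():
                    udm["principal.platform"] = platform
                    break
        elif name == "SessionId":
            udm["network.session_id"] = value
        elif name == "DisplayName":
            udm["principal.hostname"] = value

    for target in record.get("Target") or []:
        target_id, target_type = str(target.get("ID", "")), target.get("Type")
        if target_type == 5:
            # Assumption: an "@" decides between the two fields the table names.
            field = "email_addresses" if "@" in target_id else "userid"
            udm[f"target.user.{field}"] = target_id
        else:
            udm["security_result.detection_fields"].append(
                {"key": f"Target_Type_{target_type}", "value": target_id})

    if record.get("ErrorCode") is not None:
        udm["security_result.description"].append(f"ErrorCode - {record['ErrorCode']}")
    if record.get("LogonError"):
        udm["security_result.description"].append(record["LogonError"])
        if record["LogonError"] == "UserAccountNotFound":
            udm["extensions.auth.mechanism"] = "USERNAME_PASSWORD"
    return udm


if __name__ == "__main__":
    for path, value in sorted(map_login_failure(SAMPLE_RECORD).items()):
        print(f"{path} = {value!r}")
```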
UserLoginFailed
The following table lists the log fields and corresponding UDM mappings for the operation "UserLoginFailed" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to GENERIC_EVENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.labels.key/value |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update StsRefreshTokenValidFrom Timestamp
The following table lists the log fields and corresponding UDM mappings for the operation "Update StsRefreshTokenValidFrom Timestamp" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW. If ResultStatus is Failure, Action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in the ModifiedProperties field, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform. If Name is DeviceOSVersion, NewValue is mapped to target.platform_version. If Name is DevicePhysicalIds, NewValue is mapped to security_result.description. If Name is DisplayName, NewValue is mapped to target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update device
The following table lists the log fields and corresponding UDM mappings for the operation "Update device" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. Required fields for SETTING_MODIFICATION UDM validation: principal.machineid (IP, hostname, assetId, MAC, and so on). According to the official Office 365 documentation, the ClientIP field is mandatory for all Office 365 activities, but in some cases it is absent. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set federation settings on domain
The following table lists the log fields and corresponding UDM mappings for the operation "Set federation settings on domain" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to STATUS_UNCATEGORIZED. Required fields for STATUS_UNCATEGORIZED UDM validation: principal.machineid (IP, hostname, assetId, MAC, and so on). According to the official Office 365 documentation, the ClientIP field is mandatory for all Office 365 activities, but in some cases it is absent. If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT. | |
Version | metadata.product_version |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemId | target.resource.attribute.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Verify domain
The following table lists the log fields and corresponding UDM mappings for the operation "Verify domain" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Set Company Information
The following table lists the log fields and corresponding UDM mappings for the operation "Set Company Information" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Reset user password
The following table lists the log fields and corresponding UDM mappings for the operation "Reset user password" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.description, security_result.summary, target.labels.key/value. If Name is AccountEnabled, security_result.description is set to AccountEnabled - {NewValue}. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Disable account
The following table lists the log fields and corresponding UDM mappings for the operation "Disable account" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PASSWORD | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, NewValue is mapped to security_result.summary; otherwise the property is mapped to target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete application password for user
The following table lists the log fields and corresponding UDM mappings for the operation "Delete application password for user" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW. If ResultStatus is Failure, Action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in the ModifiedProperties field, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform. If Name is DeviceOSVersion, NewValue is mapped to target.platform_version. If Name is DevicePhysicalIds, NewValue is mapped to security_result.description. If Name is DisplayName, NewValue is mapped to target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Delete device
The following table lists the log fields and corresponding UDM mappings for the operation "Delete device" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION. target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW. If ResultStatus is Failure, Action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, Value is mapped to target.resource.product_object_id. If Name is additionalDetails, the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, the property is mapped to target.resource.attribute.labels.key/value; otherwise it is mapped to about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in the ModifiedProperties field, DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, NewValue is mapped to target.platform. If Name is DeviceOSVersion, NewValue is mapped to target.platform_version. If Name is DevicePhysicalIds, NewValue is mapped to security_result.description. If Name is DisplayName, NewValue is mapped to target.resource.name. If Name is Included Updated Properties, NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 1, ID is mapped to target.resource.name. If Type is 5, ID is mapped to target.user.userid or target.user.email_addresses; otherwise it is mapped to security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add registered users to device
The following table lists the log fields and corresponding UDM mappings for the operation "Add registered users to device" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.resource.product_object_id, target.resource.name. If Name is Device.ObjectId, then NewValue is mapped to target.resource.product_object_id. If Name is Device.DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add registered owner to device
The following table lists the log fields and corresponding UDM mappings for the operation "Add registered owner to device" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.resource.product_object_id, target.resource.name. If Name is Device.ObjectId, then NewValue is mapped to target.resource.product_object_id. If Name is Device.DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add owner to group
The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to group" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.group.product_object_id, target.group.group_display_name. If Name is Group.ObjectId, then NewValue is mapped to target.group.product_object_id. If Name is Group.DisplayName, then NewValue is mapped to target.group.group_display_name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add OAuth2PermissionGrant
The following table lists the log fields and corresponding UDM mappings for the operation "Add OAuth2PermissionGrant" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.resource.product_object_id, target.resource.name, security_result.summary. If Name is ServicePrincipal.ObjectId, then NewValue is mapped to target.resource.product_object_id. If Name is ServicePrincipal.DisplayName, then NewValue is mapped to target.resource.name. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add device
The following table lists the log fields and corresponding UDM mappings for the operation "Add device" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT. target.resource.resource_type is DEVICE. If ResultStatus is Success, Action is set to ALLOW. If ResultStatus is Failure, Action is set to BLOCK. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.resource.product_object_id, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetObjectId, then Value is mapped to target.resource.product_object_id. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.platform, target.platform_version, security_result.description, target.resource.name, security_result.summary. If a DisplayName value is present in the ModifiedProperties field, then DisplayName is mapped to target.resource.name; otherwise the ID of the Target field is mapped if Type is 1. If Name is DeviceOSType, then NewValue is mapped to target.platform. If Name is DeviceOSVersion, then NewValue is mapped to target.platform_version. If Name is DevicePhysicalIds, then NewValue is mapped to security_result.description. If Name is DisplayName, then NewValue is mapped to target.resource.name. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
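The "Add device" rules above, applied to one record in Python. This is an added example, not Chronicle's parser code. The sample record is constructed, and the flat output dict, the security_result.action field name for "Action", the JSON shape of additionalDetails, the "@" test for e-mail addresses, and the Target_Type_N label key are assumptions.

```python
import json

# ModifiedProperties Name -> UDM field, per the "Add device" table.
MODIFIED_MAP = {
    "DeviceOSType": "target.platform",
    "DeviceOSVersion": "target.platform_version",
    "DevicePhysicalIds": "security_result.description",
    "DisplayName": "target.resource.name",
    "Included Updated Properties": "security_result.summary",
}
# Constructed sample record (not real data), already JSON-decoded.
SAMPLE = {
    "ResultStatus": "Success",
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent": "ExampleAgent/1.0"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Device"}],
    "ModifiedProperties": [{"Name": "DeviceOSType", "NewValue": "Windows"}],
    "Target": [{"ID": "LAPTOP-01", "Type": 1}, {"ID": "alice@example.com", "Type": 5}],
}

def map_add_device(rec):
    udm = {"metadata.event_type": "USER_RESOURCE_UPDATE_CONTENT",
           "target.resource.resource_type": "DEVICE", "about.labels": {},
           "target.resource.attribute.labels": {}, "security_result.detection_fields": {}}
    # Assumption: "Action" in the table is the UDM field security_result.action.
    action = {"Success": "ALLOW", "Failure": "BLOCK"}.get(rec.get("ResultStatus"))
    if action:
        udm["security_result.action"] = action
    for prop in rec.get("ExtendedProperties", []):
        name, value = prop["Name"], prop["Value"]
        if name == "targetObjectId":
            udm["target.resource.product_object_id"] = value
        elif name == "additionalDetails":
            # Assumption: Value is a JSON string carrying a "User-Agent" key.
            try:
                udm["network.http.user_agent"] = json.loads(value)["User-Agent"]
            except (ValueError, KeyError, TypeError):
                pass  # malformed or absent: leave the field unset
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"][name] = value
        else:
            udm["about.labels"][name] = value
    for prop in rec.get("ModifiedProperties", []):
        if prop["Name"] in MODIFIED_MAP:
            udm[MODIFIED_MAP[prop["Name"]]] = prop["NewValue"]
    for tgt in rec.get("Target", []):
        if tgt["Type"] == 1:
            udm.setdefault("target.resource.name", tgt["ID"])  # fallback; DisplayName wins
        elif tgt["Type"] == 5:
            # Assumption: an "@" decides between e-mail address and user ID.
            udm["target.user." + ("email_addresses" if "@" in tgt["ID"] else "userid")] = tgt["ID"]
        else:
            udm["security_result.detection_fields"]["Target_Type_%s" % tgt["Type"]] = tgt["ID"]
    return udm
```

Comparing the returned dict with the UDM event Chronicle shows for the same raw log is a quick check that a detection rule keys on the field that is actually populated.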
Add app role assignment grant to user
The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment grant to user" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. Workload is mapped to intermediary.application. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | target.application, network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is targetName, then Value is mapped to target.application. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | target.user.userid or target.user.email_addresses. If Name is User.UPN, then NewValue is mapped to target.user.userid or target.user.email_addresses. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Consent to application
The following table lists the log fields and corresponding UDM mappings for the operation "Consent to application" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_ACCESS | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.labels.key/value. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary; else target.labels.key/value. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.resource.name, target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Update service principal
The following table lists the log fields and corresponding UDM mappings for the operation "Update service principal" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to SETTING_MODIFICATION. target.resource.resource_type is set to SETTING. ObjectId is mapped to target.url. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary. If Name is DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Add service principal
The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_CREATION. ObjectId is mapped to target.url. | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary. If Name is DisplayName, then NewValue is mapped to target.resource.name. |
Actor | security_result.detection_fields.key/value |
ActorContextId | principal.labels.key/value |
ActorIpAddress | principal.ip and principal.port |
InterSystemsId | target.resource.attribute.labels.key/value |
IntraSystemsId | target.resource.attribute.labels.key/value |
SupportTicketId | about.labels.key/value |
Target | target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value. If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses; else security_result.detection_fields.key/value. |
TargetContextId | target.labels.key/value |
Version | metadata.product_version |
Remove service principal
The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal" and workload "AzureActiveDirectory":
Log field | UDM mapping |
---|---|
metadata.event_type is mapped to USER_RESOURCE_DELETION | |
AzureActiveDirectoryEventType | target.resource.attribute.labels.key/value |
ExtendedProperties | network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value. If Name is additionalDetails, then the extracted User-Agent is mapped to network.http.user_agent. If Name is extendedAuditEventCategory, then target.resource.attribute.labels.key/value; else about.labels.key/value. |
ModifiedProperties | security_result.summary, target.resource.name. If Name is Included Updated Properties, then NewValue is mapped to security_result.summary. If Name is DisplayName, then NewValue is mapped to target.resource.name. |