Collect Microsoft 365 logs

This document describes how you can collect Microsoft 365 logs by setting up a Google Security Operations feed and how log fields map to Google Security Operations Unified Data Model (UDM) fields. This document also lists the supported audited activities and supported Microsoft 365 version.

For an overview about data ingestion to Google Security Operations, see Data ingestion to Google Security Operations.

Overview

The following deployment architecture diagram shows how Microsoft 365 and a Google Security Operations feed are configured to send logs to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

Deployment architecture

The architecture diagram shows the following components:

  • Microsoft 365. The Microsoft 365 service from which you collect logs.

  • Google Security Operations feed. The Google Security Operations feed that fetches logs from Microsoft 365 and writes logs to Google Security Operations.

  • Google Security Operations. Google Security Operations retains and analyzes the logs from Microsoft 365.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the OFFICE_365 ingestion label.

Before you begin

  • Use Microsoft 365 version 2204 Build 16.0.15128.20248 or later, and verify that you have a Microsoft 365 Enterprise E5 subscription that includes the Microsoft Security and Compliance Center.

  • Grant the identity whose credentials the feed uses the privileges and permissions required to generate and export events for all the supported Microsoft products. The identity used to authenticate against the API must hold the ActivityFeed.Read permission. To ingest DLP data, the ActivityFeed.ReadDlp permission is also required. For information about permissions, see Permissions to access management APIs.

  • Configure Microsoft 365 to search and export audit logs. Microsoft Azure Active Directory (Azure AD) is the directory service for Microsoft 365. Audit records can take up to 24 hours to become available after the activity occurs. For more information, see Search the audit log.

  • Ensure that all systems in the deployment architecture are configured in the UTC time zone.

  • Review the activities and products that the Google Security Operations parser supports. The following table lists each supported activity group and the product that generates it:

    Activities: Products
    File and page activities: SharePoint Online and OneDrive for Business
    Folder activities: SharePoint Online and OneDrive for Business
    SharePoint list activities: SharePoint Online
    Sharing and access request activities: SharePoint Online and OneDrive for Business
    Synchronization activities: SharePoint Online and OneDrive for Business
    Site permissions activities: SharePoint Online
    Site administration activities: SharePoint Online
    Exchange mailbox activities: Microsoft 365 Group mailboxes
    User administration activities: Microsoft 365 admin center
    Azure AD group administration activities: Microsoft 365 admin center
    Application administration activities: Azure AD (generated when an administrator adds or changes an application registered in Azure AD)
    Role administration activities: Microsoft 365 admin center
    Directory administration activities: Microsoft 365 admin center
    Power BI activities: Power BI
    Microsoft Teams activities: Microsoft Teams
    Microsoft Teams Shifts activities: Shifts app in Microsoft Teams
    Microsoft Teams Healthcare activities: Patients application in Microsoft Teams
    Yammer activities: Yammer
    Microsoft Power Automate activities: Power Automate (formerly called Microsoft Flow)
    Microsoft PowerApps activities: Power Apps
    Microsoft Stream activities: Microsoft Stream
    Quarantine activities: Quarantine email messages in Office 365
    Microsoft Forms activities: Microsoft Forms
    Sensitivity label activities: Labeling activities for SharePoint Online and Teams
    Retention policy and retention label activities: NA
    Briefing email activities: Briefing email
    MyAnalytics activities: MyAnalytics
    Information barriers activities: NA
    Disposition review activities: NA
    Communication compliance activities: NA
    Undefined Activity: NA

Configure a feed in Google Security Operations to ingest Microsoft 365 logs

  1. Go to Google Security Operations settings, and click Feeds.
  2. Click Add New.
  3. Select Third party API for Source Type.
  4. Select Office 365 for Log Type.
  5. Click Next.
  6. Based on the Microsoft 365 configuration, specify the OAuth client ID, OAuth client secret, and Tenant ID details.
  7. Select the Content type for which you are creating this feed. You must create a separate feed for each content type that you require.
  8. Click Next and then Submit.
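Before you submit the feed, it is worth confirming that the app registration behind the OAuth client ID actually carries the ActivityFeed.Read (and, for DLP, ActivityFeed.ReadDlp) role and that the audit content types you want are subscribed, because the Office 365 Management Activity API only returns content for subscriptions that have been started. The following Python script is an added example for that pre-flight check; it is not Google or Microsoft code. The token endpoint, the manage.office.com scope and the subscriptions/list endpoint are the documented Management Activity API endpoints; the sample token and the sample subscriptions list are constructed so the checks run offline, and the role names are taken from this page.

```python
"""Pre-flight check before creating the Microsoft 365 feed.

Confirms that the app registration's token carries the Management Activity API roles
this page requires, and reports which audit content types are not yet enabled.
"""
import base64
import json
import urllib.parse
import urllib.request

# Application roles on the Office 365 Management APIs resource, as named on this page.
REQUIRED_ROLES = {"ActivityFeed.Read"}
DLP_ROLE = "ActivityFeed.ReadDlp"

# Content types exposed by the Management Activity API; one feed is needed per type.
CONTENT_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
                 "Audit.General", "DLP.All"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def roles_from_token(access_token: str) -> set:
    """Return the 'roles' claim of an app-only access token.

    The signature is deliberately not verified: this only inspects what the token
    service issued to us and is never used to make an authorization decision.
    """
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return set(payload.get("roles", []))


def missing_roles(roles: set, need_dlp: bool = False) -> list:
    """Roles from this page that the token lacks (a DLP.All feed also needs ReadDlp)."""
    required = REQUIRED_ROLES | ({DLP_ROLE} if need_dlp else set())
    return sorted(required - roles)


def inactive_content_types(subscriptions: list, wanted=CONTENT_TYPES) -> list:
    """Given the JSON array from .../activity/feed/subscriptions/list, return the wanted
    content types whose subscription is not in status 'enabled'."""
    enabled = {s.get("contentType") for s in subscriptions if s.get("status") == "enabled"}
    return [c for c in wanted if c not in enabled]


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for the https://manage.office.com resource (network call)."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "grant_type": "client_credentials", "scope": "https://manage.office.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def list_subscriptions(tenant_id: str, token: str) -> list:
    """GET the tenant's current audit subscriptions (network call)."""
    url = f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/list"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_sample_token(roles: list) -> str:
    """Constructed, unsigned token carrying the given roles claim, for offline use only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": "https://manage.office.com", "roles": roles}).encode())
    return f"{header}.{payload}."


# Constructed subscriptions/list response: only SharePoint auditing has been started.
SAMPLE_SUBSCRIPTIONS = [
    {"contentType": "Audit.SharePoint", "status": "enabled", "webhook": None},
    {"contentType": "Audit.Exchange", "status": "disabled", "webhook": None},
]


if __name__ == "__main__":
    import os
    tenant, app, secret = (os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    if tenant and app and secret:
        tok = get_token(tenant, app, secret)
        print("missing roles:", missing_roles(roles_from_token(tok), need_dlp=True))
        print("not enabled:", inactive_content_types(list_subscriptions(tenant, tok)))
    else:  # offline demonstration on the constructed samples
        sample = make_sample_token(["ActivityFeed.Read"])
        print("missing roles:", missing_roles(roles_from_token(sample), need_dlp=True))
        print("not enabled:", inactive_content_types(SAMPLE_SUBSCRIPTIONS))
```

Any content type the script reports as not enabled must be started with a POST to `.../activity/feed/subscriptions/start?contentType=<type>` (using the same token) before a feed for that type will receive data; a token that lacks the role will instead fail the subscriptions/list call with 401.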

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation.

Field mapping reference

This section explains how the Google Security Operations parser maps Microsoft 365 log fields to Google Security Operations Unified Data Model (UDM) fields for the supported operations and workloads.

Common fields

The following table lists the common log fields and their corresponding UDM fields.

Common log field: UDM field

ID: metadata.product_log_id
RecordType: security_result.detection_fields.key/value. security_result.detection_fields.key is set to "{RecordType} - RecordTypeNameFromDoc" and security_result.detection_fields.value is set to RecordTypeDescriptionFromDoc, where the name and description are the ones Microsoft documents for that record type.
CreationTime: metadata.event_timestamp
Operation: metadata.product_event_type
OrganizationId: principal.resource.product_object_id
UserType: principal.user.attribute.roles.name
UserId: principal.user.email_addresses or principal.user.userid, or target.user.email_addresses or target.user.userid. If Operation is UserLoggedIn, UserLoginFailed, Add OAuth2PermissionGrant, TeamsUserSignedOut, or Add delegated permission grant, UserId is mapped to target.user; otherwise it is mapped to principal.user. If the UserId value contains an email address, it is mapped to email_addresses; otherwise it is mapped to userid.
ClientIP: principal.ip and principal.port
Workload: target.application
AppAccessContext: network.session.id and security_result.detection_fields.key/value. AADSessionId is mapped to network.session.id, and CorrelationId is mapped to security_result.detection_fields.key/value.
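The conditional rules in the common-field table (which side UserId lands on, email versus userid, and ClientIP carrying an optional port) are the ones that most often surprise rule authors, so the following Python script applies them to two constructed audit records and shows the resulting UDM paths. This is an added example, not the Google Security Operations parser: the email test, the RecordType name/description lookup and the "CorrelationId" detection-field key name are assumptions made here, and the records are constructed, not real tenant data.

```python
"""Apply the common-field mapping rules documented on this page to raw audit records."""
import ipaddress
import re

# Operations whose UserId names the subject of the event rather than the actor (from this page).
TARGET_USER_OPERATIONS = {
    "UserLoggedIn", "UserLoginFailed", "Add OAuth2PermissionGrant",
    "TeamsUserSignedOut", "Add delegated permission grant",
}

# Assumption: this is what "contains an email address" means. Service principals such as
# "app@sharepoint" (no dot after the @) deliberately fall through to userid.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumption: RecordType names and descriptions as published in the Management Activity
# API schema; only the two types used by the sample records are listed here.
RECORD_TYPES = {
    6: ("SharePointFileOperation", "SharePoint file operation events."),
    15: ("AzureActiveDirectoryStsLogon",
         "Secure Token Service (STS) logon events in Azure Active Directory."),
}


def split_client_ip(value):
    """Split ClientIP into (ip, port); port is None when absent.

    Accepts '203.0.113.10', '203.0.113.10:443', '2001:db8::1' and '[2001:db8::1]:443'.
    """
    if not value:
        return None, None
    v = value.strip()
    if v.startswith("["):                        # bracketed IPv6, optionally with port
        host, _, rest = v[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
        return str(ipaddress.ip_address(host)), port
    if v.count(":") == 1:                        # IPv4 with port
        host, port = v.split(":")
        return str(ipaddress.ip_address(host)), int(port)
    return str(ipaddress.ip_address(v)), None    # bare IPv4 or IPv6


def map_common_fields(record):
    """Return a flat dict keyed by UDM path, following the common-field table above."""
    udm = {
        "metadata.product_log_id": record.get("Id"),
        "metadata.event_timestamp": record.get("CreationTime"),
        "metadata.product_event_type": record.get("Operation"),
        "principal.resource.product_object_id": record.get("OrganizationId"),
        "principal.user.attribute.roles.name": record.get("UserType"),
        "target.application": record.get("Workload"),
    }
    detection = []

    # RecordType -> detection field with key "{RecordType} - Name" and the description as value.
    rt = record.get("RecordType")
    name, desc = RECORD_TYPES.get(rt, ("UnknownRecordType", ""))
    detection.append({"key": f"{rt} - {name}", "value": desc})

    # UserId: subject vs actor depends on Operation; email vs userid depends on the value.
    user_id = record.get("UserId")
    if user_id:
        side = "target" if record.get("Operation") in TARGET_USER_OPERATIONS else "principal"
        if EMAIL_RE.match(user_id):
            udm[f"{side}.user.email_addresses"] = [user_id]
        else:
            udm[f"{side}.user.userid"] = user_id

    ip, port = split_client_ip(record.get("ClientIP"))
    if ip:
        udm["principal.ip"] = ip
    if port is not None:
        udm["principal.port"] = port

    # AppAccessContext: AADSessionId -> network.session.id, CorrelationId -> detection field.
    ctx = record.get("AppAccessContext") or {}
    if ctx.get("AADSessionId"):
        udm["network.session.id"] = ctx["AADSessionId"]
    if ctx.get("CorrelationId"):
        detection.append({"key": "CorrelationId", "value": ctx["CorrelationId"]})  # key name assumed

    udm["security_result.detection_fields"] = detection
    return udm


# Constructed sample records (not real tenant data): an Azure AD sign-in and a file access.
SAMPLE_RECORDS = [
    {"Id": "0f2c7a3e-5b1d-4c8e-9a10-000000000001", "RecordType": 15,
     "CreationTime": "2024-03-01T08:15:02", "Operation": "UserLoggedIn",
     "OrganizationId": "4d6e8f10-2222-4333-8444-000000000abc", "UserType": 0,
     "Workload": "AzureActiveDirectory", "ClientIP": "203.0.113.10:443",
     "UserId": "alice@example.com"},
    {"Id": "0f2c7a3e-5b1d-4c8e-9a10-000000000002", "RecordType": 6,
     "CreationTime": "2024-03-01T08:16:40", "Operation": "FileAccessed",
     "OrganizationId": "4d6e8f10-2222-4333-8444-000000000abc", "UserType": 0,
     "Workload": "SharePoint", "ClientIP": "[2001:db8::1]:51234",
     "UserId": "app@sharepoint",
     "AppAccessContext": {"AADSessionId": "sess-7c1e", "CorrelationId": "corr-42"}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["Operation"], map_common_fields(rec))
```

Note the practical consequence for detections: a sign-in rule has to filter on target.user, while a SharePoint rule filters on principal.user, and a non-email UserId such as a service principal is only findable through userid.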

For reference information about UDM mappings for supported operations, refer to the following sections:

FileAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
FileSizeBytes target.file.size
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileAccessedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "FileAccessedExtended" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCopied

The following table lists the log fields and corresponding UDM mappings for the operation "FileCopied" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData src.file.full_path and target.file.full_path. The SourceFileUrl value extracted from EventData is mapped to src.file.full_path, and the TargetFileUrl value is mapped to target.file.full_path.

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileModified

The following table lists the log fields and corresponding UDM mappings for the operation "FileModified" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
FileSizeBytes target.file.size
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileDownloaded

The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloaded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
UserSessionId network.http.session_id
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ZipFileName principal.resource.parent

FileModifiedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "FileModifiedExtended" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MODIFICATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
FileSizeBytes target.file.size
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileMoved

The following table lists the log fields and corresponding UDM mappings for the operation "FileMoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FilePreviewed

The following table lists the log fields and corresponding UDM mappings for the operation "FilePreviewed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileUploaded

The following table lists the log fields and corresponding UDM mappings for the operation "FileUploaded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
ImplicitShare target.resource.attribute.labels.key/value

FileVersionsAllDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

FileCheckedIn

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedIn" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName intermediary.application (mapped together with Workload)
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckedOut" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value (values such as File, Folder, Web, Site, Tenant, and DocumentLibrary)
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent (the user agent string reported by the browser)
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url (not target.file.full_path, because SiteUrl does not contain a file-system path)
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
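The per-operation tables above differ mainly in which side of the event holds the file: reads, writes and deletes populate target.url and target.file, a download populates src.url and src.file, a move or rename populates both, and a copy has to extract both paths from EventData. The following Python script is an added example (not the parser) that encodes that split for the SharePoint and OneDrive file operations documented on this page and runs it over constructed records. The XML-like shape assumed for EventData and the sample records are assumptions made here; the event types and field choices come from the tables.

```python
"""Map SharePoint and OneDrive file operations to the UDM file and URL fields documented
on this page, so a rule author can see which side (src or target) each operation fills."""
import re

# Operation -> (metadata.event_type, side that carries the file/URL), from the tables above.
FILE_OPERATIONS = {
    "FileAccessed": ("USER_RESOURCE_ACCESS", "target"),
    "FileAccessedExtended": ("USER_RESOURCE_ACCESS", "target"),
    "FilePreviewed": ("USER_RESOURCE_ACCESS", "target"),
    "FileCheckedOut": ("USER_RESOURCE_ACCESS", "target"),
    "FileModified": ("FILE_MODIFICATION", "target"),
    "FileModifiedExtended": ("FILE_MODIFICATION", "target"),
    "FileDeleted": ("FILE_DELETION", "target"),
    "FileVersionsAllDeleted": ("FILE_DELETION", "target"),
    "FileUploaded": ("FILE_SYNC", "target"),
    "FileCheckedIn": ("USER_RESOURCE_UPDATE_CONTENT", "target"),
    "FileDownloaded": ("USER_RESOURCE_UPDATE_CONTENT", "src"),
    "FileMoved": ("FILE_MOVE", "src+target"),
    "FileRenamed": ("FILE_MOVE", "src+target"),
    "FileCopied": ("FILE_COPY", "eventdata"),
}

# Assumption: EventData for FileCopied is an XML fragment containing these two elements.
EVENTDATA_RE = re.compile(r"<(SourceFileUrl|TargetFileUrl)>([^<]*)</\1>")


def is_file_operation(operation):
    return operation in FILE_OPERATIONS


def populated_path_fields(operation):
    """UDM path fields a detection rule can match on for this operation."""
    side = FILE_OPERATIONS[operation][1]
    if side == "target":
        return ["target.file.full_path"]
    if side == "src":
        return ["src.file.full_path"]
    return ["src.file.full_path", "target.file.full_path"]


def _join(relative_url, file_name):
    """'{RelativeUrl}/{FileName}' as the page specifies; tolerate a missing half."""
    if relative_url and file_name:
        return f"{relative_url.rstrip('/')}/{file_name}"
    return relative_url or file_name


def map_file_operation(record):
    op = record.get("Operation")
    if not is_file_operation(op):
        raise ValueError(f"not a SharePoint/OneDrive file operation: {op!r}")
    event_type, side = FILE_OPERATIONS[op]
    udm = {"metadata.event_type": event_type, "target.resource.resource_type": "STORAGE_OBJECT"}
    if record.get("FileSizeBytes") is not None:
        udm["target.file.size"] = int(record["FileSizeBytes"])  # always target, even for downloads

    if side == "target":
        udm["target.url"] = record.get("ObjectId")
        # Literal page rule for these operations: SourceRelativeUrl, else SourceFileName.
        udm["target.file.full_path"] = record.get("SourceRelativeUrl") or record.get("SourceFileName")
        udm["target.file.mime_type"] = record.get("SourceFileExtension")
    elif side == "src":
        udm["src.url"] = record.get("ObjectId")
        udm["src.file.full_path"] = _join(record.get("SourceRelativeUrl"), record.get("SourceFileName"))
        udm["src.file.mime_type"] = record.get("SourceFileExtension")
        if record.get("UserSessionId"):
            udm["network.http.session_id"] = record["UserSessionId"]
        if record.get("ZipFileName"):
            udm["principal.resource.parent"] = record["ZipFileName"]
    elif side == "src+target":
        udm["src.url"] = record.get("ObjectId")
        udm["src.file.full_path"] = _join(record.get("SourceRelativeUrl"), record.get("SourceFileName"))
        udm["src.file.mime_type"] = record.get("SourceFileExtension")
        udm["target.file.full_path"] = _join(record.get("DestinationRelativeUrl"), record.get("DestinationFileName"))
        udm["target.file.mime_type"] = record.get("DestinationFileExtension")
    else:  # FileCopied: both paths live inside EventData
        found = dict(EVENTDATA_RE.findall(record.get("EventData", "")))
        udm["src.file.full_path"] = found.get("SourceFileUrl")
        udm["target.file.full_path"] = found.get("TargetFileUrl")
    return udm


# Constructed sample records (not real tenant data).
_OBJ = "https://contoso.sharepoint.com/sites/finance/Shared Documents/Q1/budget.xlsx"
SAMPLE_RECORDS = [
    {"Operation": "FileDownloaded", "ObjectId": _OBJ, "SourceRelativeUrl": "Shared Documents/Q1",
     "SourceFileName": "budget.xlsx", "SourceFileExtension": "xlsx", "FileSizeBytes": "48210",
     "UserSessionId": "sess-9f3e"},
    {"Operation": "FileMoved", "ObjectId": _OBJ, "SourceRelativeUrl": "Shared Documents/Q1",
     "SourceFileName": "budget.xlsx", "SourceFileExtension": "xlsx",
     "DestinationRelativeUrl": "Shared Documents/Archive", "DestinationFileName": "budget-2024Q1.xlsx",
     "DestinationFileExtension": "xlsx"},
    {"Operation": "FileCopied", "EventData": f"<SourceFileUrl>{_OBJ}</SourceFileUrl>"
     "<TargetFileUrl>https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/budget.xlsx</TargetFileUrl>"},
    {"Operation": "FileAccessed", "ObjectId": _OBJ, "SourceRelativeUrl": "Shared Documents/Q1",
     "SourceFileName": "budget.xlsx", "SourceFileExtension": "xlsx", "FileSizeBytes": "48210"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["Operation"], populated_path_fields(rec["Operation"]), map_file_operation(rec))
```

A mass-download rule therefore has to count src.file.full_path on USER_RESOURCE_UPDATE_CONTENT events, not target.file.full_path, and a rule for files leaving a site via copy must read both paths from the FileCopied event's EventData-derived fields.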

ComplianceSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSettingChanged" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value

LockRecord

The following table lists the log fields and corresponding UDM mappings for the operation "LockRecord" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

UnlockRecord

The following table lists the log fields and corresponding UDM mappings for the operation "UnlockRecord" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedFirstStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FileDeletedSecondStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

RecordDelete

The following table lists the log fields and corresponding UDM mappings for the operation "RecordDelete" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

DocumentSensitivityMismatchDetected

The following table lists the log fields and corresponding UDM mappings for the operation "DocumentSensitivityMismatchDetected" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileCheckOutDiscarded

The following table lists the log fields and corresponding UDM mappings for the operation "FileCheckOutDiscarded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllMinorsRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllMinorsRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionsAllRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionsAllRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileVersionRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileVersionRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileRestored

The following table lists the log fields and corresponding UDM mappings for the operation "FileRestored" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileMalwareDetected

The following table lists the log fields and corresponding UDM mappings for the operation "FileMalwareDetected" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
VirusInfo security_result.threat_name
VirusVendor target.labels.key/value (deprecated)
VirusVendor additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
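The tables in this section repeat one mapping skeleton per operation, with a few operation-specific rows such as VirusInfo to security_result.threat_name. The following added example, which is not the OFFICE_365 parser or any Google code, applies that skeleton to a raw SharePoint/OneDrive audit record and emits a nested dict in UDM field layout, using the FileMalwareDetected table above and a FileDeletedFirstStageRecycleBin record that lacks SourceRelativeUrl. The deprecated target.labels/principal.labels/about.labels copies are left out, and the reading of "SourceRelativeUrl or SourceFileName" as "the relative URL when present, otherwise the file name" is an assumption about the parser's precedence. Both sample records are constructed.

```python
"""Apply the SharePoint/OneDrive mappings documented above to one raw record.

Added example, not the OFFICE_365 parser: it produces a nested dict in UDM
field layout so each mapping can be inspected. Sample records are constructed.
"""

# metadata.event_type per operation, taken from the tables on this page.
EVENT_TYPE_BY_OPERATION = {
    "ComplianceSettingChanged": "SETTING_MODIFICATION",
    "LockRecord": "USER_CHANGE_PERMISSIONS",
    "UnlockRecord": "USER_CHANGE_PERMISSIONS",
    "FileDeletedFirstStageRecycleBin": "FILE_DELETION",
    "FileDeletedSecondStageRecycleBin": "FILE_DELETION",
    "RecordDelete": "RESOURCE_DELETION",
    "FileMalwareDetected": "GENERIC_EVENT",
}
# target.resource.resource_type, only where a table sets one.
RESOURCE_TYPE_BY_OPERATION = {
    "ComplianceSettingChanged": "SETTING",
    "FileMalwareDetected": "STORAGE_OBJECT",
}
# Single-valued mappings shared by the tables above.
DIRECT = {
    "ObjectId": "target.url",
    "EventSource": "principal.application",
    "UserAgent": "network.http.user_agent",
    "MachineId": "target.asset.product_object_id",
    "SiteUrl": "network.http.referral_url",
    "SourceFileExtension": "target.file.mime_type",
    "ListItemUniqueId": "principal.asset_id",
    "ApplicationDisplayName": "target.application",
    "Version": "metadata.product_version",
    "VirusInfo": "security_result.threat_name",  # FileMalwareDetected only
}
ATTRIBUTE_LABELS = {"ItemType": "target.resource.attribute.labels",
                    "MachineDomainInfo": "target.asset.attribute.labels"}
ADDITIONAL_FIELDS = ("Site", "SourceName", "WebId", "SharingType", "VirusVendor")
DETECTION_FIELDS = ("ListId", "CorrelationId",
                    "SensitivityLabelOwnerEmail", "SensitivityLabelId")


def _node(udm, dotted):
    """Create the nested dicts for a dotted UDM path; return (parent, leaf)."""
    parts = dotted.split(".")
    node = udm
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    return node, parts[-1]


def _set(udm, dotted, value):
    node, leaf = _node(udm, dotted)
    node[leaf] = value


def _append(udm, dotted, item):
    node, leaf = _node(udm, dotted)
    node.setdefault(leaf, []).append(item)


def normalize(rec):
    if rec.get("Workload") not in ("SharePoint", "OneDrive"):
        raise ValueError("only the SharePoint/OneDrive mappings are implemented here")
    op = rec["Operation"]
    udm = {}
    _set(udm, "metadata.event_type", EVENT_TYPE_BY_OPERATION.get(op, "GENERIC_EVENT"))
    if op in RESOURCE_TYPE_BY_OPERATION:
        _set(udm, "target.resource.resource_type", RESOURCE_TYPE_BY_OPERATION[op])
    for raw, path in DIRECT.items():
        if raw in rec:
            _set(udm, path, str(rec[raw]))
    if "FileSizeBytes" in rec:
        _set(udm, "target.file.size", int(rec["FileSizeBytes"]))
    # "target.file.full_path is set to SourceRelativeUrl or SourceFileName",
    # read here as: relative URL when present, else file name (assumption).
    full_path = rec.get("SourceRelativeUrl") or rec.get("SourceFileName")
    if full_path:
        _set(udm, "target.file.full_path", full_path)
    for raw, path in ATTRIBUTE_LABELS.items():
        if raw in rec:
            _append(udm, path, {"key": raw, "value": rec[raw]})
    for raw in ADDITIONAL_FIELDS:
        if raw in rec:
            _append(udm, "additional.fields",
                    {"key": raw, "value": {"string_value": rec[raw]}})
    for raw in DETECTION_FIELDS:
        if raw in rec:
            _append(udm, "security_result.detection_fields", {"key": raw, "value": rec[raw]})
    return udm


SAMPLE_MALWARE = {  # constructed FileMalwareDetected record
    "Workload": "SharePoint", "Operation": "FileMalwareDetected",
    "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/invoices/inv-0417.xlsm",
    "Site": "00000000-0000-0000-0000-000000000001", "ListId": "00000000-0000-0000-0000-000000000003",
    "ItemType": "File", "EventSource": "SharePoint", "SourceName": "Documents",
    "UserAgent": "Mozilla/5.0", "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
    "SourceFileExtension": "xlsm", "SourceFileName": "inv-0417.xlsm",
    "SourceRelativeUrl": "Shared Documents/invoices", "FileSizeBytes": 10240, "Version": 1,
    "VirusInfo": "Constructed.TestSignature", "VirusVendor": "Microsoft",
}
SAMPLE_DELETE = {  # constructed OneDrive deletion without SourceRelativeUrl
    "Workload": "OneDrive", "Operation": "FileDeletedFirstStageRecycleBin",
    "ObjectId": "https://contoso-my.sharepoint.com/personal/alice_example_com/Documents/q1.xlsx",
    "ItemType": "File", "SourceFileName": "q1.xlsx", "SourceFileExtension": "xlsx",
}
```

Running normalize on the malware record yields GENERIC_EVENT with target.resource.resource_type STORAGE_OBJECT, the threat name under security_result.threat_name and VirusVendor under additional.fields; the deletion record yields FILE_DELETION with target.file.full_path falling back to the bare file name.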

SearchQueryPerformed

The following table lists the log fields and corresponding UDM mappings for the operation "SearchQueryPerformed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SearchQueryText additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventData target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

PageViewed

The following table lists the log fields and corresponding UDM mappings for the operation "PageViewed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

PagePrefetched

The following table lists the log fields and corresponding UDM mappings for the operation "PagePrefetched" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

ClientViewSignaled

The following table lists the log fields and corresponding UDM mappings for the operation "ClientViewSignaled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

NOTE: Because ClientViewSignaled events are signaled by the client rather than the server, the server might not log the event at all, so it might not appear in the audit log, and the other information in the audit record might not be trustworthy. The user's identity is validated by the token used to create the signal, so the user identity in the corresponding audit record is accurate.

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

PageViewedExtended

The following table lists the log fields and corresponding UDM mappings for the operation "PageViewedExtended" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

FolderCreated

The following table lists the log fields and corresponding UDM mappings for the operation "FolderCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
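Several of the tables above (FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin, FileCheckOutDiscarded, the FileVersion*Recycled operations and FolderDeleted) all normalize to FILE_DELETION, which is what a mass-deletion or ransomware-style detection keys on. The following added example, which is not part of the parser or of Google Security Operations, shows that detection over raw audit records rather than UDM: it uses the common-schema fields UserId, CreationTime, Workload, Operation and ObjectId (not covered by the tables above) together with the operation names this page maps to FILE_DELETION, and optionally counts RecordDelete (RESOURCE_DELETION) as well. The sample records are constructed.

```python
"""Flag bursts of SharePoint/OneDrive deletions by a single user.

Added example, not part of the OFFICE_365 parser. It runs on raw Microsoft 365
audit records (the JSON the feed fetches) and uses the operation names the
tables above map to FILE_DELETION. Sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operations the tables on this page map to metadata.event_type FILE_DELETION.
FILE_DELETION_OPS = frozenset({
    "FileDeletedFirstStageRecycleBin",
    "FileDeletedSecondStageRecycleBin",
    "FileCheckOutDiscarded",
    "FileVersionsAllMinorsRecycled",
    "FileVersionsAllRecycled",
    "FileVersionRecycled",
    "FolderDeleted",
})
# RecordDelete maps to RESOURCE_DELETION; counted only on request.
RESOURCE_DELETION_OPS = frozenset({"RecordDelete"})


def parse_creation_time(value):
    """CreationTime is an ISO-8601 UTC string such as 2024-05-01T10:15:02."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def find_deletion_bursts(records, threshold=5, window=timedelta(minutes=10),
                         include_record_delete=False):
    """Return one (user, window_start, count, object_ids) tuple per user whose
    densest `window` of deletions holds at least `threshold` items."""
    ops = FILE_DELETION_OPS | (RESOURCE_DELETION_OPS if include_record_delete else frozenset())
    per_user = defaultdict(list)
    for rec in records:
        if rec.get("Workload") not in ("SharePoint", "OneDrive"):
            continue  # Exchange and other workloads use different operations
        if rec.get("Operation") not in ops:
            continue
        per_user[rec["UserId"]].append(
            (parse_creation_time(rec["CreationTime"]), rec.get("ObjectId", "")))

    bursts = []
    for user, events in per_user.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (events[start][0], count, [obj for _, obj in events[start:end + 1]])
        if best:
            bursts.append((user, best[0], best[1], best[2]))
    return bursts


def _rec(user, op, when, obj, workload="SharePoint"):
    return {"UserId": user, "Operation": op, "CreationTime": when,
            "ObjectId": obj, "Workload": workload}


_LIB = "https://contoso.sharepoint.com/sites/finance/Shared Documents/"
SAMPLE_RECORDS = [  # constructed, not captured from a tenant
    _rec("alice@example.com", "FileDeletedFirstStageRecycleBin", "2024-05-01T10:15:02", _LIB + "q1.xlsx"),
    _rec("alice@example.com", "FileDeletedFirstStageRecycleBin", "2024-05-01T10:15:04", _LIB + "q2.xlsx"),
    _rec("alice@example.com", "FolderDeleted", "2024-05-01T10:15:09", _LIB + "Archive"),
    _rec("alice@example.com", "FileVersionsAllRecycled", "2024-05-01T10:16:30", _LIB + "budget.docx"),
    _rec("alice@example.com", "RecordDelete", "2024-05-01T10:17:00", _LIB + "audit-2023.pdf"),
    _rec("alice@example.com", "FileDeletedSecondStageRecycleBin", "2024-05-01T10:17:45", _LIB + "q1.xlsx"),
    _rec("alice@example.com", "FileDeletedFirstStageRecycleBin", "2024-05-01T10:18:10", _LIB + "q3.xlsx"),
    _rec("bob@example.com", "FileDeletedFirstStageRecycleBin", "2024-05-01T09:00:00", _LIB + "notes.txt", "OneDrive"),
    _rec("bob@example.com", "FileDeletedFirstStageRecycleBin", "2024-05-01T11:30:00", _LIB + "todo.txt", "OneDrive"),
    _rec("alice@example.com", "HardDelete", "2024-05-01T10:15:03", "mailbox-item", "Exchange"),
]

if __name__ == "__main__":
    for user, start, count, objects in find_deletion_bursts(SAMPLE_RECORDS):
        print(f"{user}: {count} deletions from {start.isoformat()}, first {objects[0]}")
```

With the defaults the sample data reports alice once (six FILE_DELETION operations in about three minutes) and ignores bob, whose two deletions are hours apart, as well as alice's Exchange record; widening the window or counting RecordDelete changes the result as the assertions below illustrate.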

FolderMoved

The following table lists the log fields and corresponding UDM mappings for the operation "FolderMoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE

target.resource.resource_type is set to STORAGE_OBJECT

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}. SourceRelativeUrl can be absent from FolderMoved records; see the EventData row, which also populates src.file.full_path.
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. DestinationRelativeUrl can be absent from FolderMoved records; see the EventData row, which also populates target.file.full_path.
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}. DestinationFileName can be absent from FolderMoved records; see the EventData row, which also populates target.file.full_path.

DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData src.file.full_path and target.file.full_path. EventData is an XML fragment of the form <SourceFileUrl>...</SourceFileUrl><TargetFileUrl>...</TargetFileUrl>; a grok pattern extracts the text between the SourceFileUrl tags into src_file_full_path (mapped to src.file.full_path) and the text between the TargetFileUrl tags into target_file_full_path (mapped to target.file.full_path).

ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
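The FolderMoved table above is the one place where the paths can come from two sources: the {SourceRelativeUrl}/{SourceFileName} and {DestinationRelativeUrl}/{DestinationFileName} pairs, which are not always present in the record, and the SourceFileUrl/TargetFileUrl elements extracted from EventData. The following added example, which is not the OFFICE_365 parser, implements that extraction with a regex equivalent to the documented grok and shows what a FILE_MOVE event is typically checked for, namely a folder leaving its site collection. Giving the relative-URL pair precedence over EventData, decoding XML entities, and the site-collection prefix (/sites/, /teams/ and /personal/ for OneDrive) are this example's own choices, not documented parser behaviour. Both sample records are constructed.

```python
"""Recover src.file.full_path and target.file.full_path for FolderMoved.

Added example, not the OFFICE_365 parser. The regex mirrors the extraction the
FolderMoved table documents: EventData carries
<SourceFileUrl>...</SourceFileUrl><TargetFileUrl>...</TargetFileUrl>.
Precedence between sources and the site check are assumptions of this example.
"""
import html
import re

EVENT_DATA_RE = re.compile(
    r"<SourceFileUrl>(?P<src>.*?)</SourceFileUrl>.*?"
    r"<TargetFileUrl>(?P<dst>.*?)</TargetFileUrl>",
    re.DOTALL,
)
# Site collection prefix for /sites/, /teams/ and OneDrive /personal/ URLs;
# an assumption based on the usual SharePoint Online URL layout.
SITE_RE = re.compile(r"^https?://[^/]+/(?:sites|teams|personal)/[^/]+", re.IGNORECASE)


def _join(relative_url, name):
    """{RelativeUrl}/{FileName}, or None when either half is missing."""
    if relative_url and name:
        return f"{relative_url.rstrip('/')}/{name}"
    return None


def folder_move_paths(rec):
    """Return (src_full_path, target_full_path) for a FolderMoved record."""
    src = _join(rec.get("SourceRelativeUrl"), rec.get("SourceFileName"))
    dst = _join(rec.get("DestinationRelativeUrl"), rec.get("DestinationFileName"))
    m = EVENT_DATA_RE.search(rec.get("EventData") or "")
    if m:
        # EventData is XML, so entities such as &amp; have to be decoded.
        src = src or html.unescape(m.group("src")).strip()
        dst = dst or html.unescape(m.group("dst")).strip()
    return src, dst


def site_of(url):
    """Lower-cased site collection prefix of an absolute URL, else None."""
    m = SITE_RE.match(url or "")
    return m.group(0).lower() if m else None


def moved_across_sites(rec):
    """True when both paths are absolute URLs in different site collections."""
    src, dst = folder_move_paths(rec)
    s, d = site_of(src), site_of(dst)
    return s is not None and d is not None and s != d


SAMPLE_EVENTDATA_ONLY = {  # constructed; relative-URL fields absent, as the table warns
    "Workload": "SharePoint", "Operation": "FolderMoved",
    "SourceFileName": "R&D", "DestinationFileName": "R&D",
    "EventData": ("<SourceFileUrl>https://contoso.sharepoint.com/sites/finance/"
                  "Shared Documents/R&amp;D</SourceFileUrl>"
                  "<TargetFileUrl>https://contoso.sharepoint.com/sites/archive/"
                  "Documents/R&amp;D</TargetFileUrl>"),
}
SAMPLE_WITH_RELATIVE_URLS = {  # constructed; relative-URL fields present
    "Workload": "SharePoint", "Operation": "FolderMoved",
    "SourceRelativeUrl": "Shared Documents", "SourceFileName": "Q1 Reports",
    "DestinationRelativeUrl": "Shared Documents/Archive", "DestinationFileName": "Q1 Reports",
    "EventData": ("<SourceFileUrl>https://contoso.sharepoint.com/sites/finance/"
                  "Shared Documents/Q1 Reports</SourceFileUrl>"
                  "<TargetFileUrl>https://contoso.sharepoint.com/sites/finance/"
                  "Shared Documents/Archive/Q1 Reports</TargetFileUrl>"),
}
```

For the first record the paths come from EventData with &amp; decoded and the move crosses from the finance site to the archive site; for the second the relative-URL pair wins, yielding site-relative paths, and no cross-site move is reported.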

FolderRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRenamed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderModified

The following table lists the log fields and corresponding UDM mappings for the operation "FolderModified" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderCopied

The following table lists the log fields and corresponding UDM mappings for the operation "FolderCopied" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path
SourceRelativeUrl src.file.full_path
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderRestored

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRestored" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedFirstStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedFirstStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FolderDeletedSecondStageRecycleBin

The following table lists the log fields and corresponding UDM mappings for the operation "FolderDeletedSecondStageRecycleBin" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadedFull

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedFull" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is set to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncDownloadedPartial

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncDownloadedPartial" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to src.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl src.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted src.file.size
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadedFull

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedFull" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

FileSyncUploadedPartial

The following table lists the log fields and corresponding UDM mappings for the operation "FileSyncUploadedPartial" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
FileSizeBytes target.file.size
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
FileSyncBytesCommitted target.file.size
ImplicitShare target.resource.attribute.labels.key/value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
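
The folder and sync tables above all build the file path the same way ({SourceRelativeUrl}/{SourceFileName} on one side and, for rename, copy and restore, {DestinationRelativeUrl}/{DestinationFileName} on the other) and choose the src or target side by operation. The following Python is an added example, not parser code from Google Security Operations or from this page: it reproduces that mapping for constructed audit records and includes the SourceFileUrl/TargetFileUrl extraction from EventData described at the top of this section. The sample records and GUID-style values are made up, and the behaviour when only one half of a path is present is an assumption.

```python
import re
from typing import Any, Dict, Optional

# Operation -> UDM metadata.event_type, as listed in the tables above.
EVENT_TYPES = {
    "FolderRenamed": "FILE_MOVE", "FolderModified": "USER_RESOURCE_UPDATE_CONTENT",
    "FolderCopied": "FILE_COPY", "FolderRestored": "FILE_UNCATEGORIZED",
    "FolderDeletedFirstStageRecycleBin": "FILE_DELETION",
    "FolderDeletedSecondStageRecycleBin": "FILE_DELETION",
    "FileSyncDownloadedFull": "USER_RESOURCE_UPDATE_CONTENT",
    "FileSyncDownloadedPartial": "USER_RESOURCE_UPDATE_CONTENT",
    "FileSyncUploadedFull": "FILE_SYNC", "FileSyncUploadedPartial": "FILE_SYNC",
}
# Source* fields and ObjectId land on the src side for these operations and on
# the target side for all others; three of them also carry a Destination* path.
SRC_SIDE = {"FolderRenamed", "FolderCopied", "FolderRestored",
            "FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
HAS_DESTINATION = {"FolderRenamed", "FolderCopied", "FolderRestored"}
# Tables that set target.resource.resource_type to STORAGE_OBJECT.
STORAGE_OBJECT = {"FolderModified", "FolderCopied", "FolderRestored",
                  "FolderDeletedFirstStageRecycleBin",
                  "FolderDeletedSecondStageRecycleBin"}
DETECTION_KEYS = ("ListId", "CorrelationId", "SensitivityLabelId",
                  "SensitivityLabelOwnerEmail")
ADDITIONAL_KEYS = ("Site", "SourceName", "SharingType", "WebId")
EVENT_DATA_URLS = {"src.file.full_path": "SourceFileUrl",
                   "target.file.full_path": "TargetFileUrl"}

def extract_event_data_urls(event_data: Optional[str]) -> Dict[str, str]:
    """EventData is an XML fragment; pull SourceFileUrl/TargetFileUrl out of it
    the way the grok in the table above does. Absent elements stay absent."""
    out: Dict[str, str] = {}
    for udm_field, tag in EVENT_DATA_URLS.items():
        m = re.search(rf"<{tag}>(.*?)</{tag}>", event_data or "", re.S)
        if m:
            out[udm_field] = m.group(1)
    return out

def join_path(rel: Optional[str], name: Optional[str]) -> Optional[str]:
    """Build {RelativeUrl}/{FileName}. Assumption (not stated on the page):
    when only one half is present, that half is used on its own."""
    if rel and name:
        return f"{rel.rstrip('/')}/{name}"
    return rel or name

def normalize_file_event(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Map one SharePoint/OneDrive folder or sync audit record to the UDM
    fields in the tables above, as a nested dict keyed by UDM path."""
    op = rec.get("Operation")
    if op not in EVENT_TYPES:
        raise ValueError(f"operation not covered by this example: {op!r}")
    side = "src" if op in SRC_SIDE else "target"
    udm: Dict[str, Any] = {
        "metadata": {"event_type": EVENT_TYPES[op], "product_version": rec.get("Version")},
        "principal": {"application": rec.get("EventSource"), "asset_id": rec.get("ListItemUniqueId")},
        "network": {"http": {"user_agent": rec.get("UserAgent"), "referral_url": rec.get("SiteUrl")}},
        "src": {},
        "target": {"application": rec.get("ApplicationDisplayName"),
                   "asset": {"product_object_id": rec.get("MachineId")}},
        "security_result": {"detection_fields": {k: rec[k] for k in DETECTION_KEYS if k in rec}},
        "additional": {"fields": {k: rec[k] for k in ADDITIONAL_KEYS if k in rec}},
    }
    if op in STORAGE_OBJECT:
        udm["target"]["resource"] = {"resource_type": "STORAGE_OBJECT"}
    if op != "FolderRenamed" and rec.get("ObjectId"):  # FolderRenamed has no ObjectId row
        udm[side]["url"] = rec["ObjectId"]
    file_obj: Dict[str, Any] = {
        "full_path": join_path(rec.get("SourceRelativeUrl"), rec.get("SourceFileName")),
        "mime_type": rec.get("SourceFileExtension")}
    # Sync tables map FileSyncBytesCommitted (partial uploads also FileSizeBytes) to size.
    size = rec.get("FileSyncBytesCommitted", rec.get("FileSizeBytes"))
    if size is not None:
        file_obj["size"] = int(size)
    udm[side]["file"] = file_obj
    if op in HAS_DESTINATION:
        udm["target"]["file"] = {
            "full_path": join_path(rec.get("DestinationRelativeUrl"), rec.get("DestinationFileName")),
            "mime_type": rec.get("DestinationFileExtension")}
    return udm

# Constructed sample records (not real tenant data), shaped like Office 365
# Management Activity API SharePoint/OneDrive audit entries.
SAMPLE_FOLDER_RENAMED = {
    "Operation": "FolderRenamed", "Workload": "SharePoint", "EventSource": "SharePoint",
    "Version": 1, "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
    "SourceRelativeUrl": "Shared Documents/Q3", "SourceFileName": "drafts",
    "DestinationRelativeUrl": "Shared Documents/Q3", "DestinationFileName": "final",
    "ListId": "f1a2b3c4-0000-4000-8000-000000000001",
}
SAMPLE_SYNC_DOWNLOAD = {
    "Operation": "FileSyncDownloadedFull", "Workload": "OneDrive", "EventSource": "SharePoint",
    "ObjectId": "https://contoso-my.sharepoint.com/personal/alice/Documents/payroll.xlsx",
    "SourceRelativeUrl": "Documents", "SourceFileName": "payroll.xlsx",
    "SourceFileExtension": "xlsx", "FileSyncBytesCommitted": "1048576",
}
```

Running normalize_file_event(SAMPLE_FOLDER_RENAMED) puts the old folder under src.file.full_path and the new name under target.file.full_path with event type FILE_MOVE, while the sync download lands its path, extension and byte count under src.file and its ObjectId under src.url; comparing the two outputs is the quickest way to see why a search for file movement has to look at both sides.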

ManagedSyncClientAllowed

The following table lists the log fields and corresponding UDM mappings for the operation "ManagedSyncClientAllowed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

UnmanagedSyncClientBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "UnmanagedSyncClientBlocked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

AddedToGroup

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToGroup" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value matches SecurityGroup or SharePointGroup, then the TargetUserOrGroupName log field is mapped to the target.group.group_display_name UDM field.

If the TargetUserOrGroupType log field value matches Guest or Member, then the TargetUserOrGroupName log field is mapped to the target.user.userid or target.user.email_addresses UDM field.

EventData target.group.group_display_name
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupAdded

The following table lists the log fields and corresponding UDM mappings for the operation "GroupAdded" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value matches SecurityGroup or SharePointGroup, then the TargetUserOrGroupName log field is mapped to the target.group.group_display_name UDM field.

If the TargetUserOrGroupType log field value matches Guest or Member, then the TargetUserOrGroupName log field is mapped to the target.user.userid or target.user.email_addresses UDM field.

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ModifiedProperties If the Name log field value is equal to Name, then the NewValue log field is mapped to the target.group.group_display_name UDM field.
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "GroupRemoved" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties If the Name log field value is equal to Name, then the NewValue log field is mapped to the target.group.group_display_name UDM field.
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebRequestAccessModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebRequestAccessModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties If the Name log field value is equal to RequestAccessEmail, then the NewValue log field is mapped to the target.user.email_addresses or target.user.userid UDM field.

Else, the NewValue log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

ItemType target.resource.attribute.labels.key/value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

WebMembersCanShareModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebMembersCanShareModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Version metadata.product_version
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

PermissionLevelModified

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties The BasePermissions value is mapped to the target.resource.attribute.permissions.name UDM field.

Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminAdded

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminAdded" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value matches SecurityGroup or SharePointGroup, then the TargetUserOrGroupName log field is mapped to the target.group.group_display_name UDM field.

If the TargetUserOrGroupType log field value matches Guest or Member, then the TargetUserOrGroupName log field is mapped to the target.user.userid or target.user.email_addresses UDM field.

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
ModifiedProperties If the Name log field value is equal to SiteAdmin, then the NewValue log field is mapped to the target.user.userid or target.user.email_addresses UDM field.
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SiteCollectionAdminRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionAdminRemoved" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName If the TargetUserOrGroupType log field value matches SecurityGroup or SharePointGroup, then the TargetUserOrGroupName log field is mapped to the target.group.group_display_name UDM field.

If the TargetUserOrGroupType log field value matches Guest or Member, then the TargetUserOrGroupName log field is mapped to the target.user.userid or target.user.email_addresses UDM field.

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
ModifiedProperties If the Name log field value is equal to SiteAdmin, then the NewValue log field is mapped to the target.user.userid or target.user.email_addresses UDM field.
AssertingApplicationId about.labels.key/value (deprecated)
AssertingApplicationId additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

PermissionLevelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelRemoved" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.permissions.name
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

RemovedFromGroup

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromGroup" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.group.group_display_name
SiteUrl network.http.referral_url
TargetUserOrGroupName If the TargetUserOrGroupType log field value matches SecurityGroup or SharePointGroup, then the TargetUserOrGroupName log field is mapped to the target.group.group_display_name UDM field.

If the TargetUserOrGroupType log field value matches Guest or Member, then the TargetUserOrGroupName log field is mapped to the target.user.userid or target.user.email_addresses UDM field.

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

GroupUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "GroupUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties If the Name log field value is equal to Name, then the NewValue log field is mapped to the target.group.group_display_name UDM field.
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
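
The group and permission tables above share two rules: TargetUserOrGroupName is routed to target.group or target.user by TargetUserOrGroupType, and ModifiedProperties is promoted to a typed UDM field only for the one Name each table singles out (Name, SiteAdmin, RequestAccessEmail, BasePermissions), with EventData carrying the group name or the removed permission level for AddedToGroup, RemovedFromGroup and PermissionLevelRemoved. The following Python is an added example, not parser code from Google Security Operations or from this page: it applies those rules to constructed SharePoint audit records and ends with a small hunting filter for grants to guest accounts. The sample values are made up; treating a value that contains '@' as an email address, reading BasePermissions as a ModifiedProperties Name, and flattening the struct_value fields into a plain dict are assumptions.

```python
from typing import Any, Dict, List, Optional

# Operation -> UDM metadata.event_type, from the SharePoint tables above.
EVENT_TYPES = {
    "AddedToGroup": "GROUP_MODIFICATION", "RemovedFromGroup": "GROUP_MODIFICATION",
    "GroupUpdated": "GROUP_MODIFICATION", "GroupAdded": "GROUP_CREATION",
    "GroupRemoved": "GROUP_DELETION",
    "WebRequestAccessModified": "RESOURCE_PERMISSIONS_CHANGE",
    "PermissionLevelModified": "RESOURCE_PERMISSIONS_CHANGE",
    "PermissionLevelRemoved": "RESOURCE_PERMISSIONS_CHANGE",
    "WebMembersCanShareModified": "USER_CHANGE_PERMISSIONS",
    "SiteCollectionAdminAdded": "USER_CHANGE_PERMISSIONS",
    "SiteCollectionAdminRemoved": "USER_CHANGE_PERMISSIONS",
}
GROUP_TYPES = {"SecurityGroup", "SharePointGroup"}
USER_TYPES = {"Guest", "Member"}
# Which ModifiedProperties Name each table promotes to a typed UDM field.
NAME_RULES = {
    "GroupAdded": ("Name", "group"), "GroupRemoved": ("Name", "group"),
    "GroupUpdated": ("Name", "group"), "SiteCollectionAdminAdded": ("SiteAdmin", "user"),
    "SiteCollectionAdminRemoved": ("SiteAdmin", "user"),
    "WebRequestAccessModified": ("RequestAccessEmail", "user"),
    "PermissionLevelModified": ("BasePermissions", "permission"),
}

def user_identity(value: str) -> Dict[str, Any]:
    """Assumption: a value containing '@' is an email address, anything else a user ID."""
    return {"email_addresses": [value]} if "@" in value else {"userid": value}

def route_target_name(name: Optional[str], kind: Optional[str]) -> Dict[str, Any]:
    """TargetUserOrGroupName -> target.group.group_display_name for group types,
    target.user.* for user types; any other TargetUserOrGroupType stays unmapped."""
    if not name:
        return {}
    if kind in GROUP_TYPES:
        return {"group": {"group_display_name": name}}
    if kind in USER_TYPES:
        return {"user": user_identity(name)}
    return {}

def apply_modified_properties(op: str, props: Optional[List[Dict[str, Any]]],
                              udm: Dict[str, Any]) -> None:
    """ModifiedProperties is a list of {Name, OldValue, NewValue}. Only the NewValue
    of the Name singled out by the table becomes a typed field; other entries of
    the two Web* operations go to additional.fields (flattened here)."""
    wanted, slot = NAME_RULES.get(op, (None, None))
    for p in props or []:
        name, new = p.get("Name"), p.get("NewValue")
        if name == wanted and new:
            if slot == "group":
                udm["target"]["group"] = {"group_display_name": new}
            elif slot == "user":
                udm["target"]["user"] = user_identity(new)
            else:  # BasePermissions -> target.resource.attribute.permissions.name
                udm["target"]["resource"] = {"attribute": {"permissions": [{"name": new}]}}
        elif op in ("WebRequestAccessModified", "WebMembersCanShareModified"):
            udm["additional"]["fields"][name] = new

def normalize_permission_event(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Map one SharePoint group/permission audit record to the target-side UDM fields
    above (UserAgent, SiteUrl, MachineId etc. map as tabulated and are omitted here)."""
    op = rec.get("Operation")
    if op not in EVENT_TYPES:
        raise ValueError(f"operation not covered by this example: {op!r}")
    udm: Dict[str, Any] = {
        "metadata": {"event_type": EVENT_TYPES[op], "product_version": rec.get("Version")},
        "target": {"url": rec.get("ObjectId"), "application": rec.get("ApplicationDisplayName")},
        "security_result": {"detection_fields": {k: rec[k] for k in ("ListId", "CorrelationId") if k in rec}},
        "additional": {"fields": {k: rec[k] for k in ("Site", "SourceName", "WebId") if k in rec}},
    }
    # EventData is the group name for AddedToGroup/RemovedFromGroup and the
    # permission level name for PermissionLevelRemoved.
    ev = rec.get("EventData")
    if ev and op in ("AddedToGroup", "RemovedFromGroup"):
        udm["target"]["group"] = {"group_display_name": ev}
    elif ev and op == "PermissionLevelRemoved":
        udm["target"]["resource"] = {"attribute": {"permissions": [{"name": ev}]}}
    udm["target"].update(route_target_name(rec.get("TargetUserOrGroupName"),
                                           rec.get("TargetUserOrGroupType")))
    apply_modified_properties(op, rec.get("ModifiedProperties"), udm)
    return udm

def guest_grants(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Hunting helper: normalized group additions and site admin grants to Guest accounts."""
    return [normalize_permission_event(r) for r in records
            if r.get("Operation") in ("AddedToGroup", "SiteCollectionAdminAdded")
            and r.get("TargetUserOrGroupType") == "Guest"]

# Constructed sample records (not real tenant data), shaped like Office 365
# Management Activity API SharePoint audit entries.
SAMPLE_ADDED_TO_GROUP = {
    "Operation": "AddedToGroup", "EventSource": "SharePoint", "Version": 1,
    "ObjectId": "https://contoso.sharepoint.com/sites/finance", "EventData": "Finance Members",
    "TargetUserOrGroupName": "mallory_fabrikam.com#ext#@contoso.onmicrosoft.com",
    "TargetUserOrGroupType": "Guest", "CorrelationId": "a1b2c3d4-0000-4000-8000-000000000002",
}
SAMPLE_SITE_ADMIN = {
    "Operation": "SiteCollectionAdminAdded", "EventSource": "SharePoint", "Version": 1,
    "ObjectId": "https://contoso.sharepoint.com/sites/finance",
    "TargetUserOrGroupName": "bob@contoso.com", "TargetUserOrGroupType": "Member",
    "ModifiedProperties": [{"Name": "SiteAdmin", "OldValue": "", "NewValue": "bob@contoso.com"}],
}
```

For SAMPLE_ADDED_TO_GROUP the output carries both target.group.group_display_name (from EventData) and target.user.email_addresses (from the Guest-typed TargetUserOrGroupName), which is the combination a rule for external accounts being added to SharePoint groups has to match on; guest_grants([SAMPLE_ADDED_TO_GROUP, SAMPLE_SITE_ADMIN]) returns only that first event.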

ProjectCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectCheckedOut" and workload "Project":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value (deprecated)
OnBehalfOfResId additional.fields.key and additional.fields.value.string_value

ProjectAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "ProjectAccessed" and workload "Project":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value (deprecated)
OnBehalfOfResId additional.fields.key and additional.fields.value.string_value

SharingInheritanceBroken

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInheritanceBroken" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application

The following table lists the log fields and corresponding UDM mappings for the operation "AddedToSecureLink" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match is mapped to {
    EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ApplicationDisplayName target.application
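
The conditional TargetUserOrGroupName mapping and the grok extraction over EventData that the secure-link tables describe, implemented as an added Python example; this is not Google Security Operations' parser or Microsoft's code, and it generalizes to all the sharing operations tabulated in this section rather than only AddedToSecureLink. Assumptions not stated on the page: the choice between target.user.userid and target.user.email_addresses is made on the presence of "@", the grok is reproduced with a regular expression, operations outside the tables raise KeyError, and the sample record is constructed.

```python
import re

# metadata.event_type for each sharing operation, as tabulated on this page.
EVENT_TYPE_BY_OPERATION = {
    "SharingInheritanceBroken": "RESOURCE_PERMISSIONS_CHANGE",
    "AddedToSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "RemovedFromSecureLink": "RESOURCE_PERMISSIONS_CHANGE",
    "SharingInvitationRevoked": "RESOURCE_PERMISSIONS_CHANGE",
    "CompanyLinkCreated": "USER_RESOURCE_CREATION",
    "SecureLinkCreated": "USER_RESOURCE_CREATION",
    "AnonymousLinkCreated": "USER_RESOURCE_CREATION",
    "CompanyLinkUsed": "USER_RESOURCE_ACCESS",
    "SecureLinkUsed": "USER_RESOURCE_ACCESS",
    "SharingInvitationCreated": "USER_RESOURCE_ACCESS",
    "AccessRequestCreated": "USER_RESOURCE_ACCESS",
    "SecureLinkDeleted": "USER_RESOURCE_DELETION",
    "SecureLinkUpdated": "USER_RESOURCE_UPDATE_CONTENT",
    "SharingRevoked": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "SharingInvitationAccepted": "USER_RESOURCE_UPDATE_PERMISSIONS",
    "SharingSet": "FILE_SYNC",
    "PermissionLevelAdded": "USER_CHANGE_PERMISSIONS",
    "SharingInvitationBlocked": "USER_UNCATEGORIZED",
}

# One-to-one mappings that recur across these tables.
DIRECT_MAPPINGS = {
    "ObjectId": "target.url",
    "Version": "metadata.product_version",
    "UserAgent": "network.http.user_agent",
    "SiteUrl": "network.http.referral_url",
    "ListItemUniqueId": "principal.asset_id",
    "SourceFileExtension": "target.file.mime_type",
    "ApplicationDisplayName": "target.application",
}
# Kept as additional.fields key/value pairs (the non-deprecated form).
ADDITIONAL_FIELDS = ("Site", "SourceName", "WebId", "UniqueSharingId")
DETECTION_FIELDS = ("CorrelationId", "ListId")
GROUP_TYPES = {"securitygroup", "sharepointgroup"}
USER_TYPES = {"guest", "member"}
# Regex stand-in for the page's grok; the second element is optional because
# SecureLinkDeleted carries only <Type>.
EVENT_DATA_RE = re.compile(
    r"<Type>(?P<type_value>[^<]*)</Type>"
    r"(?:<MembersCanShareApplied>(?P<members_share_value>[^<]*)"
    r"</MembersCanShareApplied>)?"
)

def map_target(record, udm):
    """Route TargetUserOrGroupName to a group or a user by TargetUserOrGroupType."""
    name = record.get("TargetUserOrGroupName")
    if not name:
        return
    kind = str(record.get("TargetUserOrGroupType", "")).lower()
    if kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif kind in USER_TYPES:
        if "@" in name:  # assumption: an address-shaped value is an email
            udm["target.user.email_addresses"] = [name]
        else:
            udm["target.user.userid"] = name

def map_sharing_event(record):
    """Return a flat dict of UDM field paths for one sharing-operation record."""
    udm = {"metadata.event_type": EVENT_TYPE_BY_OPERATION[record["Operation"]]}
    for log_field, udm_field in DIRECT_MAPPINGS.items():
        if log_field in record:
            udm[udm_field] = str(record[log_field])
    # target.file.full_path is set to SourceRelativeUrl or SourceFileName
    path = record.get("SourceRelativeUrl") or record.get("SourceFileName")
    if path:
        udm["target.file.full_path"] = path
    udm["security_result.detection_fields"] = {k: record[k] for k in DETECTION_FIELDS if k in record}
    udm["additional.fields"] = {k: record[k] for k in ADDITIONAL_FIELDS if k in record}
    labels = {}
    if "ItemType" in record:
        labels["ItemType"] = record["ItemType"]
    match = EVENT_DATA_RE.search(record.get("EventData") or "")
    if match:
        labels["Type"] = match.group("type_value")
        if match.group("members_share_value") is not None:
            labels["MembersCanShareApplied"] = match.group("members_share_value")
    udm["target.resource.attribute.labels"] = labels
    map_target(record, udm)
    return udm

# Constructed sample record (not a real audit log entry).
SAMPLE_RECORD = {
    "Operation": "AddedToSecureLink",
    "ObjectId": "https://tenant.example/personal/alice/Documents/plan.docx",
    "Version": 1,
    "CorrelationId": "corr-0001",
    "ItemType": "File",
    "SourceFileName": "plan.docx",
    "SourceRelativeUrl": "Documents",
    "TargetUserOrGroupName": "guest@partner.example",
    "TargetUserOrGroupType": "Guest",
    "EventData": "<Type>Anyone</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
    "UniqueSharingId": "share-0001",
}
```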

CompanyLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application

CompanyLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkUsed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

SecureLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SharingInvitationCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SecureLinkDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkDeleted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match is mapped to {
    EventData <Type>{type_value}</Type>
  }
}

Type is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSecureLink" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match is mapped to {
    EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

SharingInvitationRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationRevoked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SecureLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match is mapped to {
    EventData <Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

SecureLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "SecureLinkUsed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

SharingRevoked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingRevoked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to STORAGE_OBJECT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

SharingSet

The following table lists the log fields and corresponding UDM mappings for the operation "SharingSet" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

PermissionLevelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "PermissionLevelAdded" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.permissions.name

BasePermissions is mapped to target.resource.attribute.permissions.name

SharingInvitationAccepted

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationAccepted" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.name

Added to Group is mapped to target.resource.name

SharingInvitationBlocked

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationBlocked" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData security_result.summary

Reason is mapped to security_result.summary

AccessRequestCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

EventData target.resource.attribute.labels.key/value

Sharing level is mapped to target.resource.attribute.labels.key/value

ExpirationDate is mapped to target.resource.attribute.labels.key/value

AnonymousLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkCreated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value

UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value

AccessRequestUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields

CompanyLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CompanyLinkRemoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

AccessRequestApproved

The following table lists the log fields and corresponding UDM mappings for the operation "AccessRequestApproved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.name

Extract using grok:

grok {
  match => {
    "EventData" => "<Added to group>{target_resource_name}.*"
  }
}

TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id

AnonymousLinkRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkRemoved" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

SourceFileExtension target.file.mime_type
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url

SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
MachineId target.asset.product_object_id

AnonymousLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
ApplicationDisplayName target.application
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UniqueSharingId target.labels.key/value (deprecated)
UniqueSharingId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

Extract using grok:

grok {
  match => {
    "EventData" => "<Type>{type_value}</Type><MembersCanShareApplied>{members_share_value}</MembersCanShareApplied>"
  }
}

Type is mapped to target.resource.attribute.labels.key/value

MembersCanShareApplied is mapped to target.resource.attribute.labels.key/value
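
The EventData extraction and the TargetUserOrGroupType routing repeat across the AnonymousLinkCreated, CompanyLinkRemoved, AnonymousLinkRemoved and AnonymousLinkUpdated tables above. The following Python is an added example, not parser code from Google Security Operations or Microsoft: it applies those rules to constructed sharing records and then isolates the case worth alerting on, an anonymous link that grants Edit (created that way, or promoted later through AnonymousLinkUpdated). The sample records, the GENERIC_EVENT fallback for unlisted operations, the "SourceRelativeUrl first" precedence and the "@ means email address" split are assumptions; the tag parser accepts any simple XML tag in EventData, not only the two the grok patterns name.

```python
import re

# Operation -> metadata.event_type, taken from the SharePoint/OneDrive tables on this page.
EVENT_TYPE_BY_OPERATION = {
    "AccessRequestCreated": "USER_RESOURCE_ACCESS",
    "AccessRequestUpdated": "STATUS_UPDATE",
    "AccessRequestApproved": "USER_RESOURCE_UPDATE_PERMISSION",
    "AnonymousLinkCreated": "USER_RESOURCE_CREATION",
    "AnonymousLinkUpdated": "STATUS_UPDATE",
    "AnonymousLinkRemoved": "USER_RESOURCE_DELETION",
    "CompanyLinkRemoved": "USER_RESOURCE_DELETION",
    "SharingInvitationUpdated": "USER_RESOURCE_UPDATE_CONTENT",
}
# Both spellings of the SharePoint group type are accepted; the tables write "SharepointGroup".
GROUP_TYPES = {"SecurityGroup", "SharePointGroup", "SharepointGroup"}
USER_TYPES = {"Guest", "Member"}

# Any simple, non-nested <Tag>text</Tag> pair. The grok patterns on the page name only
# Type and MembersCanShareApplied; this accepts whatever tags EventData carries.
_TAG_RE = re.compile(r"<([A-Za-z]\w*)>(.*?)</\1>", re.DOTALL)


def parse_event_data(event_data):
    """Return {tag: text} for the XML fragment carried in EventData."""
    return dict(_TAG_RE.findall(event_data or ""))


def normalize_sharing_event(event):
    """Map one sharing record to the UDM fields listed in the tables above."""
    name = event.get("TargetUserOrGroupName")
    kind = event.get("TargetUserOrGroupType")
    udm = {
        # Assumed fallback for operations this page does not list.
        "metadata.event_type": EVENT_TYPE_BY_OPERATION.get(event.get("Operation"), "GENERIC_EVENT"),
        "target.url": event.get("ObjectId"),
        "network.http.referral_url": event.get("SiteUrl"),
        "target.file.mime_type": event.get("SourceFileExtension"),
        # "SourceRelativeUrl or SourceFileName": assumed precedence, relative URL first.
        "target.file.full_path": event.get("SourceRelativeUrl") or event.get("SourceFileName"),
        "target.resource.attribute.labels": [
            {"key": k, "value": v} for k, v in parse_event_data(event.get("EventData")).items()
        ],
    }
    if name and kind in GROUP_TYPES:
        udm["target.group.group_display_name"] = name
    elif name and kind in USER_TYPES:
        # "userid or email_addresses": assumed to be decided by the presence of "@".
        if "@" in name:
            udm["target.user.email_addresses"] = [name]
        else:
            udm["target.user.userid"] = name
    return udm


def anonymous_edit_links(events):
    """URLs of anonymous links that grant Edit, created that way or promoted later."""
    hits = []
    for event in events:
        if event.get("Operation") not in ("AnonymousLinkCreated", "AnonymousLinkUpdated"):
            continue
        udm = normalize_sharing_event(event)
        labels = {lab["key"]: lab["value"] for lab in udm["target.resource.attribute.labels"]}
        if labels.get("Type") == "Edit":
            hits.append(udm["target.url"])
    return hits


# Constructed sample records (not real tenant data); field names follow the tables above.
SAMPLE_EVENTS = [
    {
        "Operation": "AnonymousLinkCreated", "Workload": "SharePoint",
        "ObjectId": "https://contoso.sharepoint.com/sites/finance/Shared Documents/q3.xlsx",
        "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
        "SourceRelativeUrl": "Shared Documents", "SourceFileName": "q3.xlsx",
        "SourceFileExtension": "xlsx",
        "TargetUserOrGroupName": "SharingLinks.1f2e3d4c.AnonymousView.9a8b7c6d",
        "TargetUserOrGroupType": "SharePointGroup",
        "EventData": "<Type>View</Type><MembersCanShareApplied>False</MembersCanShareApplied>",
    },
    {
        "Operation": "AnonymousLinkUpdated", "Workload": "OneDrive",
        "ObjectId": "https://contoso-my.sharepoint.com/personal/bob_contoso_com/Documents/payroll.docx",
        "SiteUrl": "https://contoso-my.sharepoint.com/personal/bob_contoso_com/",
        "SourceFileName": "payroll.docx", "SourceFileExtension": "docx",
        "TargetUserOrGroupName": "SharingLinks.5a6b7c8d.AnonymousEdit.0e1f2a3b",
        "TargetUserOrGroupType": "SharePointGroup",
        "EventData": "<Type>Edit</Type><MembersCanShareApplied>True</MembersCanShareApplied>",
    },
    {
        "Operation": "AccessRequestApproved", "Workload": "SharePoint",
        "ObjectId": "https://contoso.sharepoint.com/sites/finance",
        "SiteUrl": "https://contoso.sharepoint.com/sites/finance/",
        "TargetUserOrGroupName": "alice@contoso.com", "TargetUserOrGroupType": "Member",
    },
]

if __name__ == "__main__":
    for url in anonymous_edit_links(SAMPLE_EVENTS):
        print("anonymous Edit link:", url)
```

The UDM keys are kept as the flat dotted names the tables use so the output can be read against them directly; a view-only anonymous link is still recorded, but only the Edit case is returned by anonymous_edit_links.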

SharingInvitationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SharingInvitationUpdated" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
ApplicationDisplayName target.application
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields

AnonymousLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation "AnonymousLinkUsed" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
TargetUserOrGroupName target.group.group_display_name

target.user.userid or target.user.email_addresses

if TargetUserOrGroupType values like SecurityGroup or SharepointGroup then TargetUserOrGroupName is mapped to target.group.group_display_name

if TargetUserOrGroupType values like Guest or Member then TargetUserOrGroupName is mapped to target.user.userid or target.user.email_addresses

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path is set to SourceRelativeUrl or SourceFileName
SourceRelativeUrl target.file.full_path is set to SourceRelativeUrl or SourceFileName
ApplicationDisplayName target.application
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

Add group

The following table lists the log fields and corresponding UDM mappings for the operation "Add group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ResultStatus is Success

Action is set to ALLOW

security_result.summary is set to Group creation successful

ResultStatus is Failure

Action is set to BLOCK

security_result.summary is set to Group creation failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add member to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add member to group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add user

The following table lists the log fields and corresponding UDM mappings for the operation "Add user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Change user license.

The following table lists the log fields and corresponding UDM mappings for the operation "Change user license." and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is Is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Change user password

The following table lists the log fields and corresponding UDM mappings for the operation "Change user password" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete group

The following table lists the log fields and corresponding UDM mappings for the operation "Delete group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group deletion successful

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group deletion failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

else

target.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove member from group

The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Group membership updated successfully

ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Group membership update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product.object_id

target.group.group_display_name

Group.ObjectId is mapped to target.group.product.object_id

Group.DisplayName is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to User deleted successfully

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is Success, then

security_result.action is set to ALLOW

security_result.summary is set to User updated successfully

If ResultStatus is Failure, then

security_result.action is set to BLOCK

security_result.summary is set to User update failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update user

The following table lists the log fields and corresponding UDM mappings for the operation "Update user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

If ObjectId is not empty and is not Not Available, then ObjectId is mapped to target.group.product_object_id.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.detection_fields.key/value

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.detection_fields.key/value

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

If the Name log field value is equal to TargetId.UserType, then the NewValue and OldValue log fields are mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

If Name is StrongAuthenticationPhoneAppDetail, then the fields of the NewValue JSON object describe the authenticator device after the change and are mapped under target, and the fields of the OldValue JSON object describe the device before the change and are mapped under about. The device-independent fields are mapped to security_result.detection_fields.key/value for both NewValue and OldValue:

DeviceName is mapped to target.asset.hostname (NewValue) or about.asset.hostname (OldValue)

PhoneAppVersion is mapped to target.asset.software.version (NewValue) or about.asset.software.version (OldValue)

DeviceId is mapped to target.asset.asset_id (NewValue) or about.asset.asset_id (OldValue)

Id is mapped to target.asset.product_object_id (NewValue) or about.asset.product_object_id (OldValue)

DeviceToken, DeviceTag and NotificationType are mapped to target.asset.attribute.labels.key/value (NewValue) or about.asset.attribute.labels.key/value (OldValue)

TenantDeviceId is mapped to target.labels.key/value (deprecated) (NewValue) or about.labels.key/value (deprecated) (OldValue), and in both cases also to additional.fields.key and additional.fields.value.string_value

OathTokenTimeDrift, TimeInterval, AuthenticationType, LastAuthenticatedTimestamp, AuthenticatorFlavor, HashFunction, SecuredPartitionId and SecuredKeyId are mapped to security_result.detection_fields.key/value

If Name is StrongAuthenticationUserDetails and NewValue contains a JSON object then from NewValue, Email is mapped to target.user.email_addresses, PhoneNumber is mapped to target.user.phone_numbers, AlternativePhoneNumber is mapped to target.user.phone_numbers, VoiceOnlyPhoneNumber is mapped to target.user.phone_numbers.

If Name is StrongAuthenticationUserDetails and NewValue does not contain a JSON object then security_result.detection_fields.key is set to StrongAuthenticationUserDetails_NewValue and NewValue is mapped to security_result.detection_fields.value.

If Name is StrongAuthenticationUserDetails and OldValue contains a JSON object then from OldValue, Email is mapped to target.user.email_addresses, PhoneNumber is mapped to target.user.phone_numbers, AlternativePhoneNumber is mapped to target.user.phone_numbers, VoiceOnlyPhoneNumber is mapped to target.user.phone_numbers.

If Name is StrongAuthenticationUserDetails and OldValue does not contain a JSON object then security_result.detection_fields.key is set to StrongAuthenticationUserDetails_OldValue and OldValue is mapped to security_result.detection_fields.value.

If Name is StrongAuthenticationMethod and NewValue contains a JSON object then the StrongAuthenticationMethod_NewValue_{NewValue.key} log field is mapped to security_result.detection_fields.key and NewValue.value is mapped to security_result.detection_fields.value.

If Name is StrongAuthenticationMethod and NewValue does not contain a JSON object then security_result.detection_fields.key is set to StrongAuthenticationMethod_NewValue and NewValue is mapped to security_result.detection_fields.value.

If Name is StrongAuthenticationMethod and OldValue contains a JSON object then the StrongAuthenticationMethod_OldValue_{OldValue.key} log field is mapped to security_result.detection_fields.key and OldValue.value is mapped to security_result.detection_fields.value.

If Name is StrongAuthenticationMethod and OldValue does not contain a JSON object then security_result.detection_fields.key is set to StrongAuthenticationMethod_OldValue and OldValue is mapped to security_result.detection_fields.value.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.group.group_display_name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.group.group_display_name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
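The following Python example is added to this document and is not part of the Google Security Operations parser. It applies the StrongAuthenticationUserDetails, StrongAuthenticationMethod and StrongAuthenticationPhoneAppDetail rules from the ModifiedProperties row above to a constructed "Update user" record in which a second phone number and an authenticator app are registered, and it reports which MFA properties actually changed, which is the signal an MFA-tampering detection keys on. The sample record, the nested dict layout that stands in for UDM fields, the detection-field key names used for the phone-app fields, and the indexed keys used when StrongAuthenticationMethod lists more than one method are assumptions made for the example; the page does not specify them.

```python
import json
from typing import Any

# Constructed sample record (not real tenant data). NewValue and OldValue are
# JSON-encoded strings, as the Management Activity API emits them; the last
# entry shows the non-JSON case the rules above also handle.
SAMPLE_UPDATE_USER: dict[str, Any] = {
    "Operation": "Update user",
    "Workload": "AzureActiveDirectory",
    "ResultStatus": "Success",
    "ModifiedProperties": [
        {"Name": "StrongAuthenticationUserDetails",
         "NewValue": '[{"Email":null,"PhoneNumber":"+1 5550100","AlternativePhoneNumber":"+1 5550199","VoiceOnlyPhoneNumber":null}]',
         "OldValue": '[{"Email":null,"PhoneNumber":"+1 5550100","AlternativePhoneNumber":null,"VoiceOnlyPhoneNumber":null}]'},
        {"Name": "StrongAuthenticationMethod",
         "NewValue": '[{"MethodType":6,"Default":true},{"MethodType":3,"Default":false}]',
         "OldValue": '[{"MethodType":3,"Default":true}]'},
        {"Name": "StrongAuthenticationPhoneAppDetail",
         "NewValue": '[{"DeviceName":"Pixel 8","PhoneAppVersion":"6.2.1","DeviceId":"d3v1c3","Id":"a1b2c3","DeviceToken":"tok-1","NotificationType":"GCM","AuthenticationType":"Notification","TenantDeviceId":"td-9"}]',
         "OldValue": ""},
        {"Name": "Included Updated Properties",
         "NewValue": "StrongAuthenticationUserDetails, StrongAuthenticationMethod", "OldValue": ""},
    ],
}

PHONE_KEYS = ("PhoneNumber", "AlternativePhoneNumber", "VoiceOnlyPhoneNumber")
PHONE_APP_ASSET = {"DeviceName": "hostname", "PhoneAppVersion": "software.version",
                   "DeviceId": "asset_id", "Id": "product_object_id"}
PHONE_APP_LABELS = ("DeviceToken", "DeviceTag", "NotificationType")
PHONE_APP_DETECTION = ("OathTokenTimeDrift", "TimeInterval", "AuthenticationType",
                       "LastAuthenticatedTimestamp", "AuthenticatorFlavor", "HashFunction",
                       "SecuredPartitionId", "SecuredKeyId")


def json_objects(raw: Any) -> list[dict[str, Any]]:
    """Decode raw as JSON and return its object(s); [] when it is not JSON.
    A bare object yields one element; a JSON array yields its object members."""
    try:
        parsed = json.loads(raw) if isinstance(raw, str) and raw.strip() else None
    except ValueError:
        return []
    if isinstance(parsed, dict):
        return [parsed]
    if isinstance(parsed, list):
        return [x for x in parsed if isinstance(x, dict)]
    return []


def _add_unique(seq: list[str], value: Any) -> None:
    if value and value not in seq:
        seq.append(value)


def normalize_mfa_properties(rec: dict[str, Any]) -> dict[str, Any]:
    """Apply the StrongAuthentication* ModifiedProperties rules to one record."""
    udm: dict[str, Any] = {
        "target": {"user": {"email_addresses": [], "phone_numbers": []}, "asset": {}, "labels": {}},
        "about": {"asset": {}, "labels": {}},
        "security_result": {"detection_fields": {}},
    }
    det = udm["security_result"]["detection_fields"]
    for prop in rec.get("ModifiedProperties", []):
        name = prop.get("Name", "")
        # NewValue describes the entity after the change (target), OldValue before it (about).
        for side, entity in (("NewValue", "target"), ("OldValue", "about")):
            raw = prop.get(side, "")
            objs = json_objects(raw)
            if name == "StrongAuthenticationUserDetails":
                if not objs:                      # non-JSON: keep the raw string as a detection field
                    det[f"{name}_{side}"] = raw
                    continue
                for obj in objs:                  # the page maps both sides to target.user
                    _add_unique(udm["target"]["user"]["email_addresses"], obj.get("Email"))
                    for key in PHONE_KEYS:
                        _add_unique(udm["target"]["user"]["phone_numbers"], obj.get(key))
            elif name == "StrongAuthenticationMethod":
                if not objs:
                    det[f"{name}_{side}"] = raw
                    continue
                for i, obj in enumerate(objs):
                    # Index the key when several methods are listed so entries do not
                    # collide (assumption; the page describes a single object).
                    prefix = f"{name}_{side}" + (f"_{i}" if len(objs) > 1 else "")
                    for key, value in obj.items():
                        det[f"{prefix}_{key}"] = str(value)
            elif name == "StrongAuthenticationPhoneAppDetail" and objs:
                obj, asset = objs[0], udm[entity]["asset"]
                for key, field in PHONE_APP_ASSET.items():
                    if key in obj:
                        asset[field] = obj[key]
                asset["labels"] = {k: obj[k] for k in PHONE_APP_LABELS if k in obj}
                if "TenantDeviceId" in obj:
                    udm[entity]["labels"]["TenantDeviceId"] = obj["TenantDeviceId"]
                for key in PHONE_APP_DETECTION:   # detection-field key names are an assumption
                    if key in obj:
                        det[f"{name}_{side}_{key}"] = str(obj[key])
    return udm


def mfa_changed(rec: dict[str, Any]) -> list[str]:
    """Names of StrongAuthentication* properties whose value actually changed."""
    return [p["Name"] for p in rec.get("ModifiedProperties", [])
            if p.get("Name", "").startswith("StrongAuthentication")
            and p.get("NewValue", "") != p.get("OldValue", "")]
```

mfa_changed is the practical hook: a record that carries a StrongAuthentication* entry with identical NewValue and OldValue is noise, whereas a new phone number, a new default MethodType or a freshly registered phone app on an account that did not have one is the kind of change worth alerting on.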

Update group

The following table lists the log fields and corresponding UDM mappings for the operation "Update group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

If ResultStatus is Succeeded or ResultStatus is Success

security_result.action is ALLOW

security_result.summary is User login successful

Else, if ResultStatus is Failed or LogonError is present, then

security_result.action is BLOCK

security_result.summary is User login failed

security_result.description is {LogonError}

UserId is mapped to target.user.userid or target.user.email_addresses

metadata.description is User Login - {Workload}

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS, then Value is mapped to principal.platform as follows: if Value matches Windows, principal.platform is WINDOWS; if Value matches Mac, principal.platform is MAC; if Value matches Linux, principal.platform is LINUX.

If Name is SessionId, then Value is mapped to network.session_id.

If Name is DisplayName, then Value is mapped to principal.hostname.

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

UserLoggedIn

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoggedIn" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN

security_result.action is set to BLOCK

security_result.summary is User login failed

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

extensions.auth.type

extensions.auth.mechanism

If Name is RequestType and Value matches Saml.* or OAuth2.*, then extensions.auth.type is set to MACHINE.

If Name is RequestType and Value matches Login.*, then extensions.auth.type is set to REMOTE_INTERACTIVE.

If Name is UserAgent, then Value is mapped to network.http.user_agent.

If Name is UserAuthenticationMethod, then extensions.auth.type is set based on Value.

If Name is requestType, then extensions.auth.type is set based on Value.

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Actor security_result.detection_fields.key/value
ResultStatusDetail security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
DeviceProperties network.session_id

principal.platform

principal.hostname

If Name is OS, then Value is mapped to principal.platform_version, and principal.platform is set as follows: if Value matches Windows, principal.platform is WINDOWS; if Value matches Mac, principal.platform is MAC; if Value matches Linux, principal.platform is LINUX.

If Name is SessionId, then Value is mapped to network.session_id.

If Name is DisplayName, then Value is mapped to principal.hostname.

ErrorCode security_result.description

security_result.description is set to ErrorCode - {ErrorCode}

LogonError security_result.description

If LogonError is UserAccountNotFound then extensions.auth.mechanism is set to USERNAME_PASSWORD
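The following Python example is added here and is not the parser's own code. It applies the login rules from the two tables above (ResultStatus and LogonError for action and summary, ErrorCode, RequestType for extensions.auth.type, UserAgent, ActorIpAddress and the DeviceProperties OS, SessionId and DisplayName entries) to two constructed records, one successful and one failed logon. The sample records, the nested dict that stands in for UDM fields, the substring match used for OS values, the ip:port split of ActorIpAddress and the choice to prefer LogonError over the ErrorCode string when both are present are assumptions made for the example.

```python
import re
from typing import Any, Optional

# Constructed sample records (not real tenant data). They carry only the
# fields the login rules above consume, in the shape the Office 365
# Management Activity API emits for the AzureActiveDirectory workload.
SAMPLE_LOGIN_OK: dict[str, Any] = {
    "Operation": "UserLoggedIn",
    "Workload": "AzureActiveDirectory",
    "ResultStatus": "Succeeded",
    "UserId": "alice@example.test",
    "ActorIpAddress": "203.0.113.10:51234",
    "ExtendedProperties": [
        {"Name": "RequestType", "Value": "OAuth2:Authorize"},
        {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0)"},
    ],
    "DeviceProperties": [
        {"Name": "OS", "Value": "Windows 10"},
        {"Name": "SessionId", "Value": "0f1e2d3c-0000-4000-8000-000000000001"},
        {"Name": "DisplayName", "Value": "ALICE-LAPTOP"},
    ],
}
SAMPLE_LOGIN_FAIL: dict[str, Any] = {
    "Operation": "UserLoginFailed",
    "Workload": "AzureActiveDirectory",
    "ResultStatus": "Failed",
    "UserId": "nobody@example.test",
    "ActorIpAddress": "[2001:db8::1]:443",
    "LogonError": "UserAccountNotFound",
    "ErrorCode": "50034",
    "ExtendedProperties": [
        {"Name": "RequestType", "Value": "Login:login"},
        {"Name": "UserAgent", "Value": "python-requests/2.31"},
    ],
    "DeviceProperties": [{"Name": "OS", "Value": "Linux"}],
}

# (substring, UDM platform) pairs for the OS rule; substring matching is an assumption.
PLATFORMS = (("Windows", "WINDOWS"), ("Mac", "MAC"), ("Linux", "LINUX"))


def _props(rec: dict[str, Any], key: str) -> dict[str, str]:
    """Flatten a Name/Value array such as ExtendedProperties into a dict."""
    return {p["Name"]: p.get("Value", "") for p in rec.get(key, []) if "Name" in p}


def split_ip_port(actor_ip: str) -> tuple[str, Optional[int]]:
    """ActorIpAddress carries 'ip:port' (IPv4) or '[ip]:port' (IPv6); the port may be absent."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", actor_ip) or re.fullmatch(r"([^:]+):(\d+)", actor_ip)
    return (m.group(1), int(m.group(2))) if m else (actor_ip, None)


def auth_type_from_request(value: str) -> Optional[str]:
    """RequestType rule: Saml.* / OAuth2.* -> MACHINE, Login.* -> REMOTE_INTERACTIVE."""
    if re.match(r"(Saml|OAuth2)", value):
        return "MACHINE"
    if re.match(r"Login", value):
        return "REMOTE_INTERACTIVE"
    return None


def normalize_login(rec: dict[str, Any]) -> dict[str, Any]:
    """Apply the USER_LOGIN rules to one record; the dict layout stands in for UDM."""
    udm: dict[str, Any] = {
        "metadata": {"event_type": "USER_LOGIN",
                     "description": f"User Login - {rec.get('Workload', '')}"},
        "principal": {}, "target": {"user": {}}, "network": {},
        "extensions": {"auth": {}}, "security_result": {},
    }
    sr = udm["security_result"]
    status, logon_error = rec.get("ResultStatus", ""), rec.get("LogonError")
    if status in ("Succeeded", "Success"):
        sr["action"], sr["summary"] = "ALLOW", "User login successful"
    elif status == "Failed" or logon_error:
        sr["action"], sr["summary"] = "BLOCK", "User login failed"
        # The page routes both LogonError and "ErrorCode - {ErrorCode}" to
        # security_result.description; preferring LogonError is an assumption.
        sr["description"] = logon_error or f"ErrorCode - {rec.get('ErrorCode', '')}"
        if logon_error == "UserAccountNotFound":
            udm["extensions"]["auth"]["mechanism"] = "USERNAME_PASSWORD"

    user = rec.get("UserId", "")
    if "@" in user:
        udm["target"]["user"]["email_addresses"] = [user]
    elif user:
        udm["target"]["user"]["userid"] = user
    if rec.get("ActorIpAddress"):
        ip, port = split_ip_port(rec["ActorIpAddress"])
        udm["principal"]["ip"] = ip
        if port is not None:
            udm["principal"]["port"] = port

    ext = _props(rec, "ExtendedProperties")
    auth_type = auth_type_from_request(ext.get("RequestType", ""))
    if auth_type:
        udm["extensions"]["auth"]["type"] = auth_type
    if "UserAgent" in ext:
        udm["network"]["http"] = {"user_agent": ext["UserAgent"]}

    dev = _props(rec, "DeviceProperties")
    if "OS" in dev:
        udm["principal"]["platform_version"] = dev["OS"]
        udm["principal"]["platform"] = next(
            (platform for needle, platform in PLATFORMS if needle in dev["OS"]), None)
    if "SessionId" in dev:
        udm["network"]["session_id"] = dev["SessionId"]
    if "DisplayName" in dev:
        udm["principal"]["hostname"] = dev["DisplayName"]
    return udm
```

Note that a failed logon with LogonError set but no ResultStatus still lands in the BLOCK branch, which is why the rule above tests LogonError as well as ResultStatus; a detection that counts failed logons per principal.ip should therefore filter on security_result.action rather than on ResultStatus alone.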

UserLoginFailed

The following table lists the log fields and corresponding UDM mappings for the operation "UserLoginFailed" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
ResultStatusDetail security_result.detection_fields.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update StsRefreshTokenValidFrom Timestamp

The following table lists the log fields and corresponding UDM mappings for the operation "Update StsRefreshTokenValidFrom Timestamp" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

If ResultStatus is Success, then security_result.action is set to ALLOW

If ResultStatus is Failure, then security_result.action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to targetObjectId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If a DisplayName entry is present in ModifiedProperties, then its NewValue is mapped to target.resource.name; otherwise, the ID of the Target entry whose Type is 1 is mapped to target.resource.name.

If Name is DeviceOSType, then NewValue is mapped to target.platform

If Name is DeviceOSVersion, then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds, then NewValue is mapped to security_result.description

If Name is DisplayName, then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update device

The following table lists the log fields and corresponding UDM mappings for the operation "Update device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_MODIFICATION UDM validation: a principal machine identifier (IP address, hostname, asset ID, MAC address, or similar).

According to the Office 365 documentation, ClientIP is a mandatory field for all Office 365 activities, but in some records it is absent.

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT instead. Detection rules that key on SETTING_MODIFICATION for this operation should therefore also match GENERIC_EVENT records with the same Operation value, or they will miss the records that arrive without ClientIP.

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
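The following Python example is added here and is not the parser's own code. It implements the three rules that recur in the AzureActiveDirectory tables: the ExtendedProperties branch (additionalDetails, targetObjectId, extendedAuditEventCategory, and the catch-all for every other Name), the Target branch (Type 1 to target.resource.name, Type 5 to target.user, anything else to detection fields), and the ClientIP fallback that demotes SETTING_MODIFICATION to GENERIC_EVENT. It runs them over a constructed "Set federation settings on domain" record that has no ClientIP. The regular expression used in place of the page's Grok pattern, the metadata.product_event_type field used to carry the Operation, the detection-field key names for non-user targets, the sample record and the dict layout are assumptions made for the example.

```python
import re
from typing import Any

# Constructed sample record (not real tenant data): a federation change that
# arrives without ClientIP. Federation settings control which external IdP a
# domain trusts, so this is an operation worth alerting on regardless of how
# the event type is classified.
SAMPLE_FEDERATION: dict[str, Any] = {
    "Operation": "Set federation settings on domain",
    "Workload": "AzureActiveDirectory",
    "ResultStatus": "Success",
    "ExtendedProperties": [
        {"Name": "additionalDetails",
         "Value": '{"User-Agent":"Mozilla/5.0 (Windows NT 10.0) PowerShell/7.4"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Domain"},
        {"Name": "targetObjectId", "Value": "c0ffee00-0000-4000-8000-000000000002"},
        {"Name": "correlationId", "Value": "e1d2c3"},
    ],
    "ModifiedProperties": [
        {"Name": "Included Updated Properties",
         "NewValue": "IssuerUri, PassiveLogOnUri, SigningCertificate", "OldValue": ""},
        {"Name": "IssuerUri", "NewValue": "http://adfs.example.test/adfs/services/trust", "OldValue": ""},
    ],
    "Target": [
        {"Type": 1, "ID": "example.test"},
        {"Type": 5, "ID": "admin@example.test"},
        {"Type": 2, "ID": "Domain"},
    ],
}

# Stands in for the Grok pattern the page mentions; assumes the additionalDetails
# Value is a JSON-like string with a "User-Agent" member.
USER_AGENT_RE = re.compile(r'"User-Agent"\s*:\s*"([^"]*)"')


def map_extended_properties(props: list[dict[str, Any]]) -> dict[str, Any]:
    """ExtendedProperties rule: route each Name/Value pair to its UDM destination."""
    out: dict[str, Any] = {"user_agent": None, "product_object_id": None,
                           "attribute_labels": {}, "additional_fields": {}}
    for p in props:
        name, value = p.get("Name", ""), p.get("Value", "")
        if name == "additionalDetails":
            m = USER_AGENT_RE.search(value)
            if m:
                out["user_agent"] = m.group(1)
        elif name == "targetObjectId":
            out["product_object_id"] = value
        elif name == "extendedAuditEventCategory":
            out["attribute_labels"][name] = value
        else:                                   # about.labels (deprecated) / additional.fields
            out["additional_fields"][name] = value
    return out


def map_target(targets: list[dict[str, Any]]) -> dict[str, Any]:
    """Target rule: Type 1 -> resource name, Type 5 -> user, otherwise detection fields."""
    out: dict[str, Any] = {"resource_name": None, "user": {}, "detection_fields": {}}
    for i, t in enumerate(targets):
        kind, ident = t.get("Type"), t.get("ID", "")
        if kind == 1:
            out["resource_name"] = ident
        elif kind == 5:
            if "@" in ident:
                out["user"]["email_addresses"] = [ident]
            else:
                out["user"]["userid"] = ident
        else:                                   # key naming is an assumption
            out["detection_fields"][f"Target_{i}_Type{kind}"] = ident
    return out


def normalize_setting_change(rec: dict[str, Any],
                             declared_type: str = "SETTING_MODIFICATION") -> dict[str, Any]:
    """Normalize one record; without ClientIP the declared event type cannot pass
    UDM validation, so the record is emitted as GENERIC_EVENT instead."""
    has_machine_id = bool(rec.get("ClientIP"))
    udm: dict[str, Any] = {
        "metadata": {"event_type": declared_type if has_machine_id else "GENERIC_EVENT",
                     "product_event_type": rec.get("Operation", "")},
        "principal": {"ip": rec["ClientIP"]} if has_machine_id else {},
        "network": {},
        "target": {"resource": {"resource_type": "SETTING", "attribute_labels": {}},
                   "user": {}, "labels": {}},
        "additional": {"fields": {}},
        "security_result": {"detection_fields": {}},
    }
    ext = map_extended_properties(rec.get("ExtendedProperties", []))
    if ext["user_agent"]:
        udm["network"]["http"] = {"user_agent": ext["user_agent"]}
    if ext["product_object_id"]:
        udm["target"]["resource"]["product_object_id"] = ext["product_object_id"]
    udm["target"]["resource"]["attribute_labels"].update(ext["attribute_labels"])
    udm["additional"]["fields"].update(ext["additional_fields"])
    for prop in rec.get("ModifiedProperties", []):      # ModifiedProperties rule
        if prop.get("Name") == "Included Updated Properties":
            udm["security_result"]["summary"] = prop.get("NewValue", "")
        else:
            udm["target"]["labels"][prop.get("Name", "")] = prop.get("NewValue", "")
    tgt = map_target(rec.get("Target", []))
    if tgt["resource_name"]:
        udm["target"]["resource"]["name"] = tgt["resource_name"]
    udm["target"]["user"].update(tgt["user"])
    udm["security_result"]["detection_fields"].update(tgt["detection_fields"])
    return udm


def is_federation_change(udm: dict[str, Any]) -> bool:
    """Detection predicate keyed on the operation, not the event type, because the
    same operation is emitted as SETTING_MODIFICATION or GENERIC_EVENT."""
    return (udm["metadata"]["product_event_type"] == "Set federation settings on domain"
            and udm["metadata"]["event_type"] in ("SETTING_MODIFICATION", "GENERIC_EVENT"))
```

The point of is_federation_change is the practical consequence of the fallback rule: a rule written only against metadata.event_type = SETTING_MODIFICATION silently misses every federation change whose record arrived without ClientIP, so the Operation (carried here in product_event_type) is the stable key.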

Set federation settings on domain

The following table lists the log fields and corresponding UDM mappings for the operation "Set federation settings on domain" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

Required fields for STATUS_UNCATEGORIZED UDM validation: a principal machine identifier (IP address, hostname, asset ID, MAC address, or similar).

According to the Office 365 documentation, ClientIP is a mandatory field for all Office 365 activities, but in some records it is absent.

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT instead.

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Verify domain

The following table lists the log fields and corresponding UDM mappings for the operation "Verify domain" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Set Company Information

The following table lists the log fields and corresponding UDM mappings for the operation "Set Company Information" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Reset user password

The following table lists the log fields and corresponding UDM mappings for the operation "Reset user password" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

security_result.description

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, if the Name log field value is equal to AccountEnabled, then AccountEnabled - NewValue is mapped to the security_result.description UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Disable account

The following table lists the log fields and corresponding UDM mappings for the operation "Disable account" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PASSWORD
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
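
The following Python example is added here to work through the branching described in the "Set Company Information", "Reset user password" and "Disable account" tables on one constructed AzureActiveDirectory audit record. It is not the Google Security Operations parser's code: the page only says a Grok pattern extracts User-Agent from additionalDetails, so the regular expression below stands in for that pattern; the IPv4 "ip:port" form assumed for ActorIpAddress, the detection-field key "Target", the USER_UNCATEGORIZED fallback event type and the sample record are all assumptions made for the example.

```python
import re

# Added example, not the parser's own code; assumptions are marked inline.
# Stand-in for the Grok pattern the page mentions but does not show: it pulls
# User-Agent out of the JSON-like additionalDetails value.
USER_AGENT_RE = re.compile(r'"User-Agent"\s*:\s*"([^"]*)"')

# metadata.event_type per operation, exactly as the three tables state it.
EVENT_TYPES = {
    "Set Company Information": "USER_CHANGE_PASSWORD",
    "Reset user password": "USER_RESOURCE_DELETION",
    "Disable account": "USER_CHANGE_PASSWORD",
}
UPN_TYPE = 5  # Target.Type value the tables treat as a user identity

def add_field(udm, key, value):
    """One additional.fields.key / additional.fields.value.string_value entry."""
    udm["additional"]["fields"].append({"key": key, "value": {"string_value": value}})

def map_extended_properties(props, udm):
    """ExtendedProperties: User-Agent, event-category label, or a generic field."""
    for prop in props:
        name, value = prop.get("Name", ""), prop.get("Value", "")
        if name == "additionalDetails":
            match = USER_AGENT_RE.search(value)
            if match:
                udm["network"]["http"]["user_agent"] = match.group(1)
        elif name == "extendedAuditEventCategory":
            udm["target"]["resource"]["attribute"]["labels"].append({"key": name, "value": value})
        else:
            add_field(udm, name, value)

def map_modified_properties(props, udm, operation):
    """ModifiedProperties; the AccountEnabled branch exists only in the password-reset table."""
    for prop in props:
        name, new_value = prop.get("Name", ""), prop.get("NewValue", "")
        if name == "Included Updated Properties":
            udm["security_result"]["summary"] = new_value
        elif name == "AccountEnabled" and operation == "Reset user password":
            udm["security_result"]["description"] = f"AccountEnabled - {new_value}"
        else:  # the table also lists struct_value.fields for this branch
            add_field(udm, name, new_value)

def map_target(targets, udm):
    """Type 5 identities become the target user; anything else is a detection field."""
    for target in targets:
        ident = target.get("ID", "")
        if target.get("Type") == UPN_TYPE:
            if "@" in ident:  # userid vs. email_addresses chosen by shape (assumption)
                udm["target"]["user"]["email_addresses"] = [ident]
            else:
                udm["target"]["user"]["userid"] = ident
        else:  # the key name "Target" is an assumption; the page gives none
            udm["security_result"]["detection_fields"].append({"key": "Target", "value": ident})

def map_actor_ip(raw, udm):
    """ActorIpAddress -> principal.ip and principal.port; IPv4 "ip:port" is assumed."""
    ip, sep, port = raw.rpartition(":")
    if sep and port.isdigit() and ip.count(".") == 3:
        udm["principal"]["ip"], udm["principal"]["port"] = ip, int(port)
    elif raw:
        udm["principal"]["ip"] = raw

def map_record(record):
    """Apply every branch of the tables to one AzureActiveDirectory audit record."""
    udm = {
        "metadata": {}, "principal": {}, "network": {"http": {}},
        "target": {"user": {}, "resource": {"attribute": {"labels": []}}},
        "security_result": {"detection_fields": []}, "additional": {"fields": []},
    }
    operation = record.get("Operation", "")
    # USER_UNCATEGORIZED as the fallback is an assumption, not stated for these tables.
    udm["metadata"]["event_type"] = EVENT_TYPES.get(operation, "USER_UNCATEGORIZED")
    udm["metadata"]["product_version"] = str(record.get("Version", ""))
    map_extended_properties(record.get("ExtendedProperties", []), udm)
    map_modified_properties(record.get("ModifiedProperties", []), udm, operation)
    map_target(record.get("Target", []), udm)
    map_actor_ip(record.get("ActorIpAddress", ""), udm)
    for key in ("ActorContextId", "TargetContextId", "SupportTicketId"):
        if record.get(key):
            add_field(udm, key, record[key])
    return udm

# Constructed sample record, not a real tenant's audit log entry.
SAMPLE_RECORD = {
    "Operation": "Reset user password", "Workload": "AzureActiveDirectory", "Version": 1,
    "ActorIpAddress": "203.0.113.10:49152",
    "ActorContextId": "00000000-0000-0000-0000-000000000001",
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent":"Mozilla/5.0 (constructed)"}'},
        {"Name": "extendedAuditEventCategory", "Value": "User"},
        {"Name": "resultType", "Value": "Success"},
    ],
    "ModifiedProperties": [
        {"Name": "Included Updated Properties", "NewValue": "AccountEnabled"},
        {"Name": "AccountEnabled", "NewValue": "[true]"},
    ],
    "Target": [{"ID": "alice@example.com", "Type": 5}, {"ID": "Alice Example", "Type": 1}],
}
```

Running map_record(SAMPLE_RECORD) shows the three ExtendedProperties branches landing in different UDM fields from one record, the AccountEnabled description that only the "Reset user password" table produces, and the Type 1 target falling through to security_result.detection_fields while the Type 5 target becomes the target user.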

Delete application password for user

The following table lists the log fields and corresponding UDM mappings for the operation "Delete application password for user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If the DisplayName value is present in the ModifiedProperties field, then DisplayName is mapped to target.resource.name; otherwise, the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Delete device

The following table lists the log fields and corresponding UDM mappings for the operation "Delete device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to targetObjectId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If the DisplayName value is present in the ModifiedProperties field, then DisplayName is mapped to target.resource.name; otherwise, the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 1 then ID is mapped to target.resource.name

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add registered users to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered users to device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add registered owner to device

The following table lists the log fields and corresponding UDM mappings for the operation "Add registered owner to device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

If Name is Device.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Device.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add owner to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product_object_id

target.group.group_display_name

If Name is Group.ObjectId then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add OAuth2PermissionGrant

The following table lists the log fields and corresponding UDM mappings for the operation "Add OAuth2PermissionGrant" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summary

If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add device

The following table lists the log fields and corresponding UDM mappings for the operation "Add device" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is DEVICE

ResultStatus is Success

Action is set to ALLOW

ResultStatus is Failure

Action is set to BLOCK

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.platform_version

security_result.description

target.resource.name

security_result.summary

If the DisplayName value is present in the ModifiedProperties field, then DisplayName is mapped to target.resource.name; otherwise, the ID of the Target field is mapped to target.resource.name if Type is 1.

If Name is DeviceOSType then NewValue is mapped to target.platform

If Name is DeviceOSVersion then NewValue is mapped to target.platform_version

If Name is DevicePhysicalIds then NewValue is mapped to security_result.description

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
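
The following Python example is added here to show the device-specific logic that the "Delete application password for user", "Delete device" and "Add device" tables share: the ResultStatus to Action rule, the DeviceOSType, DeviceOSVersion, DevicePhysicalIds and DisplayName branches of ModifiedProperties, the targetObjectId branch that only the "Delete device" table has, and the fallback from DisplayName to a Type 1 Target ID for target.resource.name. It is not the Google Security Operations parser's code; the User-Agent and extendedAuditEventCategory branches are the same as in the earlier tables and are left out here. The detection-field key "Target", the USER_UNCATEGORIZED fallback event type, the userid-versus-email choice by shape and both sample records are assumptions made for the example.

```python
# Added example, not the parser's own code; assumptions are marked inline.
# metadata.event_type per operation, exactly as the three device tables state it.
EVENT_TYPES = {
    "Delete application password for user": "USER_RESOURCE_DELETION",
    "Delete device": "USER_RESOURCE_DELETION",
    "Add device": "USER_RESOURCE_UPDATE_CONTENT",
}
NAME_TYPE, UPN_TYPE = 1, 5  # Target.Type values the tables branch on

# ResultStatus -> security_result.action, as all three tables state.
ACTIONS = {"Success": "ALLOW", "Failure": "BLOCK"}

def map_device_record(record):
    """Map one device-related AzureActiveDirectory audit record to the listed UDM fields."""
    operation = record.get("Operation", "")
    udm = {
        # USER_UNCATEGORIZED as the fallback is an assumption.
        "metadata": {"event_type": EVENT_TYPES.get(operation, "USER_UNCATEGORIZED")},
        "target": {"resource": {"resource_type": "DEVICE"}, "user": {}},
        "security_result": {"detection_fields": []},
    }
    action = ACTIONS.get(record.get("ResultStatus", ""))
    if action:
        udm["security_result"]["action"] = action

    # Only the "Delete device" table maps targetObjectId; the User-Agent and
    # extendedAuditEventCategory branches are the same as in the earlier tables
    # and are not repeated here.
    if operation == "Delete device":
        for prop in record.get("ExtendedProperties", []):
            if prop.get("Name") == "targetObjectId":
                udm["target"]["resource"]["product_object_id"] = prop.get("Value", "")

    # Device-specific ModifiedProperties branches.
    for prop in record.get("ModifiedProperties", []):
        name, new_value = prop.get("Name", ""), prop.get("NewValue", "")
        if name == "DeviceOSType":
            udm["target"]["platform"] = new_value
        elif name == "DeviceOSVersion":
            udm["target"]["platform_version"] = new_value
        elif name == "DevicePhysicalIds":
            udm["security_result"]["description"] = new_value
        elif name == "DisplayName":
            udm["target"]["resource"]["name"] = new_value
        elif name == "Included Updated Properties":
            udm["security_result"]["summary"] = new_value

    # Target runs after ModifiedProperties so that DisplayName wins over a Type 1 ID.
    for target in record.get("Target", []):
        ident, kind = target.get("ID", ""), target.get("Type")
        if kind == NAME_TYPE and "name" not in udm["target"]["resource"]:
            udm["target"]["resource"]["name"] = ident  # fallback when DisplayName is absent
        elif kind == UPN_TYPE:
            if "@" in ident:  # userid vs. email_addresses chosen by shape (assumption)
                udm["target"]["user"]["email_addresses"] = [ident]
            else:
                udm["target"]["user"]["userid"] = ident
        else:  # key name "Target" is an assumption; a Type 1 ID beaten by DisplayName lands here
            udm["security_result"]["detection_fields"].append({"key": "Target", "value": ident})
    return udm

# Constructed sample records, not real tenant audit log entries.
DELETE_DEVICE = {
    "Operation": "Delete device", "ResultStatus": "Success",
    "ExtendedProperties": [{"Name": "targetObjectId", "Value": "constructed-device-object-id"}],
    "ModifiedProperties": [
        {"Name": "DeviceOSType", "NewValue": "Windows"},
        {"Name": "DeviceOSVersion", "NewValue": "10.0.19045"},
        {"Name": "DisplayName", "NewValue": "LAPTOP-CONSTRUCTED"},
        {"Name": "Included Updated Properties", "NewValue": "DeviceOSType, DeviceOSVersion, DisplayName"},
    ],
    "Target": [{"ID": "LAPTOP-CONSTRUCTED", "Type": 1}, {"ID": "bob@example.com", "Type": 5}],
}
ADD_DEVICE_FAILED = {
    "Operation": "Add device", "ResultStatus": "Failure",
    "ModifiedProperties": [{"Name": "DevicePhysicalIds", "NewValue": "[constructed-id]"}],
    "Target": [{"ID": "DESKTOP-CONSTRUCTED", "Type": 1}],
}
```

The second record is the failure-mode case the tables describe: no DisplayName is present, so target.resource.name comes from the Type 1 Target ID, and ResultStatus of Failure turns into a BLOCK action. A record with neither Success nor Failure gets no action at all, which is worth checking for in detections that filter on security_result.action.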

Add app role assignment grant to user

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment grant to user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

Workload is mapped to intermediary.application

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.user.userid or target.user.email_addresses

If Name is User.UPN then NewValue is mapped to target.user.userid or target.user.email_addresses

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Consent to application

The following table lists the log fields and corresponding UDM mappings for the operation "Consent to application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.resource.name

target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Update service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Update service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add member to role

The following table lists the log fields and corresponding UDM mappings for the operation "Add member to role" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Added a user to an admin role successfully

If ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Added a user to an admin role failed

ObjectId is mapped to target.url

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.attribute.roles.name

target.resource.attribute.labels.key/value

If Name is Role.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Role.DisplayName then NewValue is mapped to target.user.attribute.roles.name

If Name is Role.TemplateId then NewValue and OldValue are mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
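
The rules in the "Add member to role" table (ResultStatus deciding the action and summary, the three-way branch on ExtendedProperties.Name, the Role.* entries in ModifiedProperties, and Target entries of Type 5 identifying the user) are easier to check against a concrete record than to read. The following Python is an added example written for this page; it is not the Google Security Operations OFFICE_365 parser and not Microsoft code. The record shape and every value in SAMPLE_RECORD are constructed. The regex stands in for the Grok pattern the page mentions without giving it, the label keys used for Role.TemplateId and the detection-field keys Actor.TypeN / Target.TypeN are assumptions, and the role display name is written to target.resource.attribute.roles.name as the table's header column lists it (the detail row says target.user). The function applies the same rules to any record of this shape, not only the sample.

```python
import re
from typing import Any

# Constructed "Add member to role" record (workload AzureActiveDirectory); every value is made up.
SAMPLE_RECORD: dict[str, Any] = {
    "ResultStatus": "Success",
    "ObjectId": "Role_00000000-0000-0000-0000-00000000aaaa",
    "Version": 1,
    "ActorContextId": "00000000-0000-0000-0000-0000000000a1",
    "ActorIpAddress": "203.0.113.10:51234",
    "InterSystemsId": "inter-0001",
    "SupportTicketId": "",
    "Actor": [{"ID": "admin@example.com", "Type": 5}, {"ID": "1003000012345678", "Type": 3}],
    "Target": [{"ID": "alice@example.com", "Type": 5}, {"ID": "User", "Type": 2}],
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": '{"User-Agent":"Mozilla/5.0 (Windows NT 10.0) Example/1.0"}'},
        {"Name": "extendedAuditEventCategory", "Value": "RoleManagement"},
        {"Name": "someOtherProperty", "Value": "x"},
    ],
    "ModifiedProperties": [
        {"Name": "Role.ObjectId", "NewValue": "00000000-0000-0000-0000-00000000aaaa", "OldValue": ""},
        {"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""},
        {"Name": "Role.TemplateId", "NewValue": "00000000-0000-0000-0000-00000000bbbb", "OldValue": ""},
    ],
}

# Regex standing in for the Grok pattern the page mentions (the exact pattern is not on the page).
UA_PATTERN = re.compile(r'"User-Agent"\s*:\s*"(?P<ua>[^"]*)"')


def map_add_member_to_role(record: dict[str, Any]) -> dict[str, Any]:
    """Flat dict keyed by dotted UDM path; repeated fields are lists of (key, value)."""
    udm: dict[str, Any] = {"metadata.event_type": "USER_UNCATEGORIZED"}
    labels = udm.setdefault("target.resource.attribute.labels", [])
    detections = udm.setdefault("security_result.detection_fields", [])
    extra = udm.setdefault("additional.fields", [])
    # ResultStatus decides the action and the fixed summary text.
    status = record.get("ResultStatus")
    if status == "Success":
        udm["security_result.action"] = "ALLOW"
        udm["security_result.summary"] = "Added a user to an admin role successfully"
    elif status == "Failure":
        udm["security_result.action"] = "BLOCK"
        udm["security_result.summary"] = "Added a user to an admin role failed"

    # Scalar fields; empty values (for example a blank SupportTicketId) are skipped.
    udm["target.url"] = record.get("ObjectId", "")
    udm["metadata.product_version"] = str(record.get("Version", ""))
    for key in ("AzureActiveDirectoryEventType", "InterSystemsId", "IntraSystemId"):
        if record.get(key) not in (None, ""):
            labels.append((key, str(record[key])))
    for key in ("ActorContextId", "SupportTicketId", "TargetContextId"):
        if record.get(key):
            extra.append((key, str(record[key])))

    ip = record.get("ActorIpAddress", "")
    if ip.count(":") == 1:                    # "ipv4:port"; IPv6 literals are kept whole
        ip, port = ip.split(":", 1)
        udm["principal.port"] = int(port) if port.isdigit() else None
    if ip:
        udm["principal.ip"] = ip

    # ExtendedProperties: three-way branch on Name, exactly as the table describes.
    for prop in record.get("ExtendedProperties", []):
        name, value = prop.get("Name", ""), str(prop.get("Value", ""))
        if name == "additionalDetails":
            match = UA_PATTERN.search(value)
            if match:
                udm["network.http.user_agent"] = match.group("ua")
        elif name == "extendedAuditEventCategory":
            labels.append((name, value))
        else:
            extra.append((name, value))

    # ModifiedProperties: role object id, role name, template id (label keys are assumed).
    for prop in record.get("ModifiedProperties", []):
        name = prop.get("Name", "")
        if name == "Role.ObjectId":
            udm["target.resource.product_object_id"] = prop.get("NewValue")
        elif name == "Role.DisplayName":
            udm["target.resource.attribute.roles.name"] = prop.get("NewValue")
        elif name == "Role.TemplateId":
            labels.append(("Role.TemplateId.NewValue", str(prop.get("NewValue", ""))))
            labels.append(("Role.TemplateId.OldValue", str(prop.get("OldValue", ""))))

    # Actor entries become detection fields; a Target of Type 5 identifies the
    # user (email if it looks like one, else userid), other Targets become detection fields.
    for entry in record.get("Actor", []):
        detections.append((f"Actor.Type{entry.get('Type')}", str(entry.get("ID", ""))))
    for entry in record.get("Target", []):
        ident = str(entry.get("ID", ""))
        if entry.get("Type") == 5:
            if "@" in ident:
                udm.setdefault("target.user.email_addresses", []).append(ident)
            else:
                udm["target.user.userid"] = ident
        else:
            detections.append((f"Target.Type{entry.get('Type')}", ident))
    return udm
```

Running map_add_member_to_role(SAMPLE_RECORD) yields security_result.action ALLOW, the User-Agent pulled out of additionalDetails, the role id and name from ModifiedProperties, and alice@example.com in target.user.email_addresses; flipping ResultStatus to Failure flips the action to BLOCK. Nothing else on the page changes with ResultStatus, so a detection on role additions should key on the role fields and the actor rather than on the summary text.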

Remove member from role

The following table lists the log fields and corresponding UDM mappings for the operation "Remove member from role" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is Success then

Action is set to ALLOW

security_result.summary is set to Removed a user to an admin role successfully

If ResultStatus is Failure then

Action is set to BLOCK

security_result.summary is set to Removed a user to an admin role failed

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add label

The following table lists the log fields and corresponding UDM mappings for the operation "Add label" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is set to target.resource.product_object_id

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemsId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Create company

The following table lists the log fields and corresponding UDM mappings for the operation "Create company" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

ObjectId is set to target.resource.product_object_id

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.labels.key/value (deprecated)
TeamGuid additional.fields.key and additional.fields.value.string_value
TeamName target.group.group_display_name
Version metadata.product_version

TeamsSessionStarted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsSessionStarted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupEdited

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_DELETION

target.resource.resource_type is TASK

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleGroupDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleGroupDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_CREATION UDM validation: principal.machineid (IP, hostname, assetId, MAC, and so on).

The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some cases the ClientIP field is absent.

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value
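
The ClientIP rule repeated in the MicrosoftTeams tables above (ScheduleGroupDeleted and the neighbouring operations) is the one place where the event type depends on data quality rather than on the operation: without ClientIP there is no principal machine identifier, the SETTING_* or SCHEDULED_TASK_* type would fail UDM validation, and the event is downgraded to GENERIC_EVENT. The following Python is an added example written for this page, not the OFFICE_365 parser. It takes the per-operation event type as a parameter instead of restating the tables, treats a ClientIP value that does not parse as an IP address the same as an absent one (an assumption; the page only says "absent"), and keeps target.resource.resource_type set even when it falls back (also an assumption; the page lists that mapping unconditionally). The records are constructed, and ExtraProperties is assumed to be a list of Key/Value pairs.

```python
import ipaddress
from typing import Any, Optional

# Constructed Microsoft Teams Shifts records; every value is made up.
SAMPLE_WITH_IP: dict[str, Any] = {
    "Operation": "ShiftAdded",
    "Workload": "MicrosoftTeams",
    "ClientIP": "198.51.100.7:52100",
    "Version": 1,
    "AADGroupId": "00000000-0000-0000-0000-0000000000c1",
    "TeamGuid": "19:00000000000000000000000000000000@thread.tacv2",
    "TeamName": "Night Shift",
    "ScheduleId": "sched-0001",
    "ExtraProperties": [{"Key": "ShiftId", "Value": "shift-0001"}],  # Key/Value shape is assumed
}
SAMPLE_WITHOUT_IP = {k: v for k, v in SAMPLE_WITH_IP.items() if k != "ClientIP"}


def parse_client_ip(value: Any) -> Optional[str]:
    """Return the address part of ClientIP, or None if it is absent or unparseable.

    Accepts "ipv4", "ipv4:port", "ipv6" and "[ipv6]:port".
    """
    if not isinstance(value, str) or not value.strip():
        return None
    host = value.strip()
    if host.startswith("["):            # [ipv6]:port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # ipv4:port
        host = host.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:                  # placeholder or garbage, treat as absent
        return None


def map_teams_shifts_event(record: dict[str, Any], event_type: str,
                           resource_type: str = "SETTING") -> dict[str, Any]:
    """Map one Shifts record; event_type is the type the table gives for its operation.

    Without a usable ClientIP there is no principal machine identifier, so the
    event cannot pass UDM validation for that type and becomes GENERIC_EVENT.
    """
    udm: dict[str, Any] = {"additional.fields": [],
                           "target.resource.resource_type": resource_type}
    client_ip = parse_client_ip(record.get("ClientIP"))
    if client_ip is None:
        udm["metadata.event_type"] = "GENERIC_EVENT"
    else:
        udm["metadata.event_type"] = event_type
        udm["principal.ip"] = client_ip

    # Fields common to the Shifts tables on this page.
    if "Version" in record:
        udm["metadata.product_version"] = str(record["Version"])
    if record.get("AADGroupId"):
        udm["additional.fields"].append(("AADGroupId", record["AADGroupId"]))
    for pair in record.get("ExtraProperties", []):
        udm["additional.fields"].append((str(pair.get("Key", "")), str(pair.get("Value", ""))))
    if record.get("TeamGuid"):          # TeamGuid lands in two places per the table
        udm["target.user.group_identifiers"] = [record["TeamGuid"]]
        udm["target.group.product_object_id"] = record["TeamGuid"]
    if record.get("TeamName"):
        udm["target.group.group_display_name"] = record["TeamName"]
    if record.get("ScheduleId"):
        udm["target.resource.product_object_id"] = record["ScheduleId"]
    return udm
```

The practical consequence for detection content: a rule that filters on metadata.event_type = "SETTING_MODIFICATION" silently misses every Shifts change whose record arrived without a client address, so rules over these operations should match on the operation name or the Shifts fields as well as on the event type.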

ShiftAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

ShiftEdited

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

ShiftDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ShiftDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

TimeOffAdded

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

TimeOffEdited

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
Shift target.resource.attribute.labels.value

TimeOffDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TimeOffDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
OpenShift target.resource.attribute.labels.key/value

OpenShiftAdded

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
OpenShift target.resource.attribute.labels.key/value

OpenShiftEdited

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftEdited" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
OpenShift target.resource.attribute.labels.key/value

OpenShiftDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "OpenShiftDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleShared

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleShared" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ClockedIn

The following table lists the log fields and corresponding UDM mappings for the operation "ClockedIn" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

BreakStarted

The following table lists the log fields and corresponding UDM mappings for the operation "BreakStarted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

BreakEnded

The following table lists the log fields and corresponding UDM mappings for the operation "BreakEnded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
ShiftRequest target.resource.attribute.labels.key/value

RequestAdded

The following table lists the log fields and corresponding UDM mappings for the operation "RequestAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
ShiftRequest target.resource.attribute.labels.key/value

RequestRespondedTo

The following table lists the log fields and corresponding UDM mappings for the operation "RequestRespondedTo" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id
ShiftRequest target.resource.attribute.labels.key/value

RequestCancelled

The following table lists the log fields and corresponding UDM mappings for the operation "RequestCancelled" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
ScheduleId target.resource.product_object_id

ScheduleSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ScheduleSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

TeamSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses

about.user.user_display_name

about.user.attribute.roles.name

MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

AppInstalled

The following table lists the log fields and corresponding UDM mappings for the operation "AppInstalled" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
AddOnName target.resource.name
Version metadata.product_version
AppDistributionMode about.labels.key/value (deprecated)
AppDistributionMode additional.fields.key and additional.fields.value.string_value
AzureADAppId about.labels.key/value (deprecated)
AzureADAppId additional.fields.key and additional.fields.value.string_value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.product_object_id

MemberRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRemoved" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
ChatName target.group.group_display_name
ChatThreadId target.user.group_identifiers and target.group.product_object_id

TabRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "TabRemoved" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
AddOnName target.resource.name
ChannelName target.resource.attribute.labels.key/value
TeamName target.group.group_display_name

AppUninstalled

The following table lists the log fields and corresponding UDM mappings for the operation "AppUninstalled" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
AddOnName target.resource.name
Version metadata.product_version
AppDistributionMode about.labels.key/value (deprecated)
AppDistributionMode additional.fields.key and additional.fields.value.string_value
AzureADAppId about.labels.key/value (deprecated)
AzureADAppId additional.fields.key and additional.fields.value.string_value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.product_object_id

MemberAdded

The following table lists the log fields and corresponding UDM mappings for the operation "MemberAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
ChatName target.group.group_display_name
ChatThreadId target.user.group_identifiers and target.group.product_object_id

TabAdded

The following table lists the log fields and corresponding UDM mappings for the operation "TabAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
AddOnGuid target.resource.product_object_id
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
AddOnName target.resource.name
AddOnUrl target.url
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
TeamName target.group.group_display_name

ClockedOut

The following table lists the log fields and corresponding UDM mappings for the operation "ClockedOut" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
ScheduleId target.resource.product_object_id

TeamCreated

The following table lists the log fields and corresponding UDM mappings for the operation "TeamCreated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.resource.product_object_id
TeamName target.resource.name
Version metadata.product_version

BotAddedToTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotAddedToTeam" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid target.resource.product_object_id
AddOnName target.resource.name
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

ChannelAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

ConnectorAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorAdded" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

ChannelSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

TeamsTenantSettingChanged

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsTenantSettingChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

MemberRoleChanged

The following table lists the log fields and corresponding UDM mappings for the operation "MemberRoleChanged" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name (DisplayName is mapped to about.user.user_display_name, Role is mapped to about.user.attribute.roles.name, and UPN is mapped to about.user.email_addresses)
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

DeletedAllOrganizationApps

The following table lists the log fields and corresponding UDM mappings for the operation "DeletedAllOrganizationApps" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

ChannelDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ChannelDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

TeamDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "TeamDeleted" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.resource.product_object_id
TeamName target.resource.name

BotRemovedFromTeam

The following table lists the log fields and corresponding UDM mappings for the operation "BotRemovedFromTeam" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

ConnectorRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorRemoved" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

ConnectorUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ConnectorUpdated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.email_addresses
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name

TabUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "TabUpdated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.resource.name
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.resource.attribute.labels.key/value
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
Members about.user.userid or about.user.email_addresses, about.user.user_display_name, and about.user.attribute.roles.name
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
Name target.resource.attribute.labels.key
NewValue target.resource.attribute.labels.value
SubscriptionId target.resource.attribute.labels.key/value
TabType target.labels.key/value (deprecated)
TabType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
AddOnUrl target.url

Update

The following table lists the log fields and corresponding UDM mappings for the operation "Update" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType If the LogonType log field value is equal to 2, then the extensions.auth.mechanism UDM field is set to INTERACTIVE.

Else, if the LogonType log field value is equal to 3 or 8, then the extensions.auth.mechanism UDM field is set to NETWORK.

Else, if the LogonType log field value is equal to 4, then the extensions.auth.mechanism UDM field is set to BATCH.

Else, if the LogonType log field value is equal to 5, then the extensions.auth.mechanism UDM field is set to SERVICE.

Else, if the LogonType log field value is equal to 7, then the extensions.auth.mechanism UDM field is set to UNLOCK.

Else, if the LogonType log field value is equal to 9, then the extensions.auth.mechanism UDM field is set to NEW_CREDENTIALS.

Else, if the LogonType log field value is equal to 9, then the extensions.auth.mechanism UDM field is set to REMOTE_INTERACTIVE.

Else, if the LogonType log field value is equal to 9, then the extensions.auth.mechanism UDM field is set to CACHED_INTERACTIVE.

Else, the extensions.auth.mechanism UDM field is set to MECHANISM_UNSPECIFIED.

InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Item Id is mapped to target.resource.product_object_id; Subject is mapped to network.email.subject; SizeInBytes is mapped to target.file.size; Item.ParentFolder.Path is mapped to target.resource.name; InternetMessageId is mapped to network.email.mail_id; Attachments is mapped to target.file.full_path
ModifiedProperties security_result.summary
SessionId network.session_id
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
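As an added example (not Google Security Operations parser code), the following Python applies the Update table above to one constructed record: the LogonType chain, the ClientIPAddress split into principal.ip and principal.port, the Item sub-fields, and the additional.fields entries. Field names come from the table; the sample record, the bracketed-IPv6 handling, the UPN-to-email_addresses rule and the choice of ClientVersion over Version for metadata.product_version are assumptions.

```python
"""Normalize an Exchange "Update" audit record into UDM-style fields.

Added example, not Google Security Operations parser code. It follows the
Update mapping table above: the common Exchange fields, the Item sub-fields
and the LogonType chain. The sample record at the bottom is constructed.
"""
from typing import Any, Dict, Optional, Tuple

# First-match chain exactly as the table states it. The table lists 9 three
# times, so under first-match evaluation 9 always yields NEW_CREDENTIALS and
# the REMOTE_INTERACTIVE / CACHED_INTERACTIVE branches can never fire.
LOGON_MECHANISM_CHAIN = [
    ({2}, "INTERACTIVE"), ({3, 8}, "NETWORK"), ({4}, "BATCH"), ({5}, "SERVICE"),
    ({7}, "UNLOCK"), ({9}, "NEW_CREDENTIALS"), ({9}, "REMOTE_INTERACTIVE"),
    ({9}, "CACHED_INTERACTIVE"),
]

# Log fields the table sends to additional.fields (the labels form is deprecated).
ADDITIONAL_FIELDS = ("InternalLogonType", "MailboxGuid", "MailboxOwnerMasterAccountSid",
                     "AppId", "ClientAppId", "ClientRequestId")


def auth_mechanism(logon_type: Any) -> str:
    """LogonType -> extensions.auth.mechanism; anything else is MECHANISM_UNSPECIFIED."""
    try:
        value = int(logon_type)
    except (TypeError, ValueError):
        return "MECHANISM_UNSPECIFIED"
    for values, mechanism in LOGON_MECHANISM_CHAIN:
        if value in values:
            return mechanism
    return "MECHANISM_UNSPECIFIED"


def split_ip_port(client_ip: str) -> Tuple[str, Optional[int]]:
    """ClientIPAddress -> (principal.ip, principal.port).

    Handles 'ip:port', bracketed IPv6 '[addr]:port', and a bare address (no port).
    """
    if client_ip.startswith("["):
        addr, _, rest = client_ip[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif client_ip.count(":") == 1:
        addr, port = client_ip.split(":")
    else:                       # bare IPv4 or unbracketed IPv6: no port present
        addr, port = client_ip, ""
    return addr, (int(port) if port.isdigit() else None)


def normalize_update(record: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the 'Update' mapping table to one raw record."""
    item = record.get("Item") or {}
    owner = record.get("MailboxOwnerUPN", "")
    ip, port = split_ip_port(record.get("ClientIPAddress", ""))
    udm: Dict[str, Any] = {
        "metadata": {"event_type": "EMAIL_UNCATEGORIZED",
                     "product_version": record.get("ClientVersion") or record.get("Version")},
        "extensions": {"auth": {"mechanism": auth_mechanism(record.get("LogonType"))}},
        "principal": {
            # ClientMachineName and OriginatingServer both map to principal.hostname;
            # the client machine is preferred when both are present (assumption).
            "hostname": record.get("ClientMachineName") or record.get("OriginatingServer"),
            "user": {"windows_sid": record.get("LogonUserSid"),
                     "user_display_name": record.get("LogonUserDisplayName")},
            "process": {"file": {"full_path": record.get("ClientProcessName")}},
        },
        "target": {
            "administrative_domain": record.get("OrganizationName"),
            # UPN goes to email_addresses when it looks like an address, else userid.
            "user": {"windows_sid": record.get("MailboxOwnerSid"),
                     **({"email_addresses": [owner]} if "@" in owner else {"userid": owner})},
            "resource": {"product_object_id": item.get("Id"),
                         "name": (item.get("ParentFolder") or {}).get("Path")},
            "file": {"size": item.get("SizeInBytes"), "full_path": item.get("Attachments")},
        },
        "network": {"session_id": record.get("SessionId"),
                    "http": {"user_agent": record.get("ClientInfoString")},
                    "email": {"subject": item.get("Subject"),
                              "mail_id": item.get("InternetMessageId")}},
        "security_result": {"summary": ", ".join(record.get("ModifiedProperties") or [])},
        "additional": {"fields": [{"key": k, "value": {"string_value": str(record[k])}}
                                  for k in ADDITIONAL_FIELDS if record.get(k) is not None]},
    }
    if ip:
        udm["principal"]["ip"] = ip
    if port is not None:
        udm["principal"]["port"] = port
    return udm


# Constructed sample record (not a real audit log entry); all values are placeholders.
SAMPLE_UPDATE_RECORD: Dict[str, Any] = {
    "Operation": "Update", "Workload": "Exchange", "LogonType": 3, "InternalLogonType": 0,
    "MailboxGuid": "00000000-0000-0000-0000-000000000001",
    "MailboxOwnerUPN": "alice@example.com", "MailboxOwnerSid": "S-1-5-21-1-2-3-1001",
    "LogonUserSid": "S-1-5-21-1-2-3-1002", "LogonUserDisplayName": "Bob Delegate",
    "OriginatingServer": "EXCH01", "OrganizationName": "example.onmicrosoft.com",
    "ClientInfoString": "Client=OWA;Action=ViaProxy", "ClientIPAddress": "[2001:db8::10]:51234",
    "ClientProcessName": "OUTLOOK.EXE", "ClientVersion": "16.0.15128.20248",
    "Item": {"Id": "item-id-0001", "Subject": "Q3 invoices", "SizeInBytes": 20480,
             "ParentFolder": {"Path": "\\Inbox"}, "InternetMessageId": "<msg-1@example.com>",
             "Attachments": "invoice.pdf (18000b)"},
    "ModifiedProperties": ["Categories", "Flag"], "SessionId": "sess-0001",
    "ClientRequestId": "req-0001", "Version": 1,
}

if __name__ == "__main__":
    import json
    print(json.dumps(normalize_update(SAMPLE_UPDATE_RECORD), indent=2))
```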

FolderBind

The following table lists the log fields and corresponding UDM mappings for the operation "FolderBind" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Item Item.id is mapped to target.resource.product_object_id; Item.InternetMessageId is mapped to network.email.mail_id; Item.ParentFolder.Path is mapped to target.resource.name
SessionId network.session_id
Version metadata.product_version

SendOnBehalf

The following table lists the log fields and corresponding UDM mappings for the operation "SendOnBehalf" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Item Item.InternetMessageId is mapped to network.email.mail_id; Item.Subject is mapped to network.email.subject; Item.Attachments is mapped to target.file.full_path; Item.Id is mapped to target.resource.product_object_id
SessionId network.session_id
SendOnBehalfOfUserSmtp target.user.userid or target.user.email_addresses
Version metadata.product_version

SendAs

The following table lists the log fields and corresponding UDM mappings for the operation "SendAs" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SendAsUserMailboxGuid about.labels.key/value (deprecated)
SendAsUserMailboxGuid additional.fields.key and additional.fields.value.string_value
Item Item.InternetMessageId is mapped to network.email.mail_id; Item.Subject is mapped to network.email.subject; Item.Attachments is mapped to target.file.full_path; Item.Id is mapped to target.resource.product_object_id
SessionId network.session_id
SendAsUserSmtp target.user.userid or target.user.email_addresses
Version metadata.product_version

Send

The following table lists the log fields and corresponding UDM mappings for the operation "Send" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item network.email.subject, network.email.mail_id, target.file.full_path, and target.resource.product_object_id
SessionId network.session_id
Version metadata.product_version

New-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-InboxRule" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION; target.resource.resource_type is set to SETTING
ObjectId target.group.product_object_id
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SessionId network.session_id
Version metadata.product_version
Parameters security_result.rule_labels.key/value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value

Set-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-InboxRule" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING
ObjectId target.group.product_object_id
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters security_result.rule_labels.key/value
SessionId network.session_id
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MoveToDeletedItems

The following table lists the log fields and corresponding UDM mappings for the operation "MoveToDeletedItems" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
DestFolder target.resource.product_object_id and target.resource.name
SessionId network.session_id
Version metadata.product_version
AffectedItems Subject is mapped to network.email.subject; ParentFolder.Path is mapped to about.file.full_path; AffectedItems.0.InternetMessageId is mapped to network.email.mail_id
Folder src.resource.product_object_id and src.resource.name
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value

Move

The following table lists the log fields and corresponding UDM mappings for the operation "Move" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
DestFolder target.resource.product_object_id and target.resource.name
SessionId network.session_id
Version metadata.product_version
AffectedItems about.file.full_path, network.email.subject, and network.email.mail_id
Folder src.resource.product_object_id and src.resource.name

MailItemsAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "MailItemsAccessed" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
OperationProperties security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version
OperationCount about.labels.key/value (deprecated)
OperationCount additional.fields.key and additional.fields.value.string_value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Folders Folders.Path is mapped to about.resource.name; Folders.Id is mapped to about.resource.product_object_id; Folders.0.FolderItems.0.InternetMessageId is mapped to network.email.mail_id

MailboxLogin

The following table lists the log fields and corresponding UDM mappings for the operation "MailboxLogin" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_LOGIN; extensions.auth.type is set to MACHINE
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
SessionId network.session_id
Version metadata.product_version

SoftDelete

The following table lists the log fields and corresponding UDM mappings for the operation "SoftDelete" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AffectedItems AffectedItems.Attachments is mapped to about.file.full_path; AffectedItems.Subject is mapped to network.email.subject; AffectedItems.0.InternetMessageId is mapped to network.email.mail_id
Folder Folder.Path is mapped to target.resource.name; Folder.Id is mapped to target.resource.product_object_id
SessionId network.session_id
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

HardDelete

The following table lists the log fields and corresponding UDM mappings for the operation "HardDelete" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
AffectedItems about.file.full_path, network.email.subject, and network.email.mail_id
Version metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Folder target.resource.name and target.resource.product_object_id

Create

The following table lists the log fields and corresponding UDM mappings for the operation "Create" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item Item.id is mapped to target.resource.product_object_id; Item.InternetMessageId is mapped to network.email.mail_id; Item.ParentFolder.Path is mapped to target.resource.name; Item.Subject is mapped to network.email.subject; Item.Attachments is mapped to target.file.full_path (Attachments is not always present in the log, so the parser handles both cases)
SessionId network.session_id
Version metadata.product_version

RemoveFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded, then Action is set to ALLOW; else, Action is set to BLOCK.
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item Item.ParentFolder.Path is mapped to target.file.full_path; Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid; User rights is mapped to target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version

ModifyFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "ModifyFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded, then Action is set to ALLOW; else, Action is set to BLOCK.
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item target.file.full_path, target.user.email_addresses or target.user.userid, and target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version

AddFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "AddFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS. If ResultStatus is Succeeded, then Action is set to ALLOW; else, Action is set to BLOCK.
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
Item Path is mapped to target.file.full_path; Item.ParentFolder.MemberUpn is mapped to target.user.email_addresses or target.user.userid; User Rights is mapped to target.resource.attribute.permissions.name
SessionId network.session_id
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value

Remove-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MailboxPermission" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION; target.resource.resource_type is set to SETTING
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Add-MailboxPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxPermission" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id
Version metadata.product_version
AppId target.resource.attribute.labels.key/value
Parameters security_result.detection_fields.key/value
ObjectId target.resource.attribute.labels.key/value

UpdateInboxRules

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInboxRules" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id
Version metadata.product_version
Item Item.ParentFolder.name is mapped to target.resource.name; Item.ParentFolder.id is mapped to target.resource.product_object_id
OperationProperties If Name is RuleId, then Value is mapped to security_result.rule_id; if Name is RuleName, then Value is mapped to security_result.rule_name; else, Name and Value are mapped to security_result.detection_fields.key/value
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
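The following is an added example, not Google Security Operations parser code, that applies the UpdateInboxRules table above to a constructed audit record: it splits ClientIPAddress into principal.ip and principal.port (bracketed IPv6, IPv4:port and bare addresses), routes RuleId and RuleName out of OperationProperties into security_result.rule_id and rule_name with everything else landing in detection_fields, and sends the deprecated label fields to additional.fields. The record values are made up; the precedence chosen where two log fields map to one UDM field (ClientMachineName over OriginatingServer for principal.hostname) and the case-insensitive lookup of Item.ParentFolder keys are this example's assumptions, not the page's.

```python
"""Normalize a Microsoft 365 Exchange "UpdateInboxRules" audit record into the
UDM fields documented in the table above. Added example, not Google SecOps
parser code; the sample record below is constructed, and the precedence chosen
where two log fields map to one UDM field is an assumption."""
import ipaddress
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample record (values are made up; key names follow the
# Office 365 Management Activity API schema for Exchange mailbox audit events).
SAMPLE_RECORD = json.dumps({
    "Operation": "UpdateInboxRules",
    "Workload": "Exchange",
    "LogonType": 0,
    "InternalLogonType": 0,
    "MailboxGuid": "2b1a6c1e-0000-4000-8000-000000000001",
    "MailboxOwnerUPN": "alice@example.com",
    "MailboxOwnerSid": "S-1-5-21-1-2-3-1001",
    "LogonUserSid": "S-1-5-21-1-2-3-1001",
    "LogonUserDisplayName": "Alice Example",
    "OriginatingServer": "EXCH01 (15.20.1234.000)",
    "OrganizationName": "example.onmicrosoft.com",
    "ClientInfoString": "Client=OWA;Mozilla/5.0",
    "ClientIPAddress": "[2001:db8::10]:443",
    "ClientProcessName": "OUTLOOK.EXE",
    "ClientVersion": "15.0.1234.5678",
    "ClientAppId": "00000000-0000-0000-0000-000000000000",
    "SessionId": "a1b2c3d4",
    "Item": {"ParentFolder": {"Id": "LgAAAABfolder", "Name": "Inbox"}},
    "OperationProperties": [
        {"Name": "RuleId", "Value": "12345"},
        {"Name": "RuleName", "Value": "Move invoices"},
        {"Name": "RuleOperation", "Value": "AddRule"},
    ],
})


def _get(obj: Dict[str, Any], key: str) -> Any:
    """Case-insensitive lookup: the table writes Item.ParentFolder.name/id in
    lower case while the API emits Name/Id (assumption: treat them as equal)."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def parse_client_ip(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Split ClientIPAddress into (ip, port). Handles "[v6]:port", "v4:port"
    and bare addresses; returns (None, None) if the host is not a valid IP."""
    value = value.strip()
    port_str = ""
    if value.startswith("["):                  # bracketed IPv6 with port
        host, _, rest = value[1:].partition("]")
        port_str = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:                # IPv4 with port
        host, _, port_str = value.partition(":")
    else:                                      # bare IPv4 or bare IPv6
        host = value
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None, None
    return host, (int(port_str) if port_str.isdigit() else None)


def normalize_update_inbox_rules(raw: str) -> Dict[str, Any]:
    """Return a flat dict keyed by UDM field path."""
    rec = json.loads(raw)
    udm: Dict[str, Any] = {"metadata.event_type": "USER_RESOURCE_UPDATE_CONTENT"}
    udm["principal.ip"], udm["principal.port"] = parse_client_ip(rec.get("ClientIPAddress", ""))
    # Both ClientMachineName and OriginatingServer map to principal.hostname;
    # preferring the client machine when present is this example's assumption.
    udm["principal.hostname"] = rec.get("ClientMachineName") or rec.get("OriginatingServer")
    udm["principal.user.windows_sid"] = rec.get("LogonUserSid")
    udm["principal.user.user_display_name"] = rec.get("LogonUserDisplayName")
    udm["principal.process.file.full_path"] = rec.get("ClientProcessName")
    udm["target.user.email_addresses"] = rec.get("MailboxOwnerUPN")
    udm["target.user.windows_sid"] = rec.get("MailboxOwnerSid")
    udm["target.administrative_domain"] = rec.get("OrganizationName")
    udm["network.http.user_agent"] = rec.get("ClientInfoString")
    udm["network.session_id"] = rec.get("SessionId")
    udm["metadata.product_version"] = rec.get("ClientVersion") or rec.get("Version")
    # Raw LogonType kept as-is: the page does not list the value translation.
    udm["extensions.auth.mechanism"] = rec.get("LogonType")
    folder = _get(rec.get("Item") or {}, "ParentFolder") or {}
    udm["target.resource.name"] = _get(folder, "name")
    udm["target.resource.product_object_id"] = _get(folder, "id")
    # OperationProperties: RuleId/RuleName go to rule_id/rule_name, everything
    # else becomes a detection_fields key/value pair.
    detection_fields: List[Tuple[str, str]] = []
    for prop in rec.get("OperationProperties") or []:
        name, value = str(prop.get("Name")), str(prop.get("Value"))
        if name == "RuleId":
            udm["security_result.rule_id"] = value
        elif name == "RuleName":
            udm["security_result.rule_name"] = value
        else:
            detection_fields.append((name, value))
    udm["security_result.detection_fields"] = detection_fields
    # Fields the table routes to additional.fields (the *.labels form is deprecated).
    udm["additional.fields"] = {
        k: str(rec[k]) for k in ("InternalLogonType", "MailboxGuid",
                                 "MailboxOwnerMasterAccountSid", "ClientAppId",
                                 "ClientRequestId") if k in rec
    }
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize_update_inbox_rules(SAMPLE_RECORD), indent=2))
```

Feed a real record through normalize_update_inbox_rules and compare the result with the UDM event Google Security Operations produced for it; any divergence points at a field whose precedence or casing differs from the assumptions made here.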

UpdateCalendarDelegation

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCalendarDelegation" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
target.resource.resource_type is set to SERVICE_ACCOUNT

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version

ApplyRecordLabel

The following table lists the log fields and corresponding UDM mappings for the operation "ApplyRecordLabel" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version

UpdateFolderPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderPermissions" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
target.resource.resource_type is set to STORAGE_OBJECT

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version

Set-User

The following table lists the log fields and corresponding UDM mappings for the operation "Set-User" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
ObjectId is mapped to target.user.userid or target.user.email_addresses

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
Version metadata.product_version

ViewReport

The following table lists the log fields and corresponding UDM mappings for the operation "ViewReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.name
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
ConsumptionMethod target.labels.key/value (deprecated)
ConsumptionMethod additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkspaceId target.resource.attribute.labels.key/value
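The following is an added example, not Google Security Operations parser code, that applies the ViewReport table above to a constructed Power BI record. It shows the part a flat field list does not: SharingInformation produces one about entity per recipient, OrgAppPermission splits into target.user.email_addresses and target.user.attribute.permissions.name, the resource identifiers collect into target.resource.attribute.labels, and the deprecated *.labels fields go to additional.fields. It then runs the check a reviewer would want over the normalized event, listing recipients outside the tenant's mail domain. The record values are made up, and the shape assumed for OrgAppPermission (recipients and permissions as lists) is an assumption.

```python
"""Normalize a Power BI "ViewReport" audit record into the UDM fields in the
table above, building one "about" entity per SharingInformation entry.
Added example, not Google SecOps parser code; the record is constructed and
the shape used for OrgAppPermission (recipients and permissions as lists)
is an assumption."""
import json
from typing import Any, Dict, List

# Constructed sample record (values are made up).
SAMPLE_RECORD = json.dumps({
    "Operation": "ViewReport",
    "Workload": "PowerBI",
    "AppName": "Finance App",
    "DataClassification": "Confidential",
    "DashboardName": "Q3 Dashboard",
    "DatasetName": "Sales",
    "DatasetId": "ds-0001",
    "ReportName": "Revenue by region",
    "ReportId": "rpt-0001",
    "ReportType": "PowerBIReport",
    "WorkSpaceName": "Finance",
    "WorkspaceId": "ws-0001",
    "UserAgent": "Mozilla/5.0",
    "ConsumptionMethod": "Power BI Web",
    "DistributionMethod": "Shared",
    "ActivityId": "act-0001",
    "RequestId": "req-0001",
    "OrgAppPermission": {"recipients": ["bob@example.com"], "permissions": ["Read"]},
    "SharingInformation": [
        {"RecipientEmail": "bob@example.com", "RecipientName": "Bob Example",
         "ObjectId": "u-0001", "ResharePermission": "Read"},
        {"RecipientEmail": "partner@example.net", "RecipientName": "Partner User",
         "ObjectId": "u-0002", "ResharePermission": "ReadReshare"},
    ],
})

# Log fields the table sends to target.resource.attribute.labels ...
RESOURCE_LABEL_KEYS = ("DashboardName", "DatasetName", "DatasetId", "ReportType",
                       "WorkSpaceName", "WorkspaceId")
# ... and the ones whose *.labels mapping is deprecated in favour of additional.fields.
ADDITIONAL_FIELD_KEYS = ("AppName", "DataClassification", "SwitchState", "ActivityId",
                         "ConsumptionMethod", "DistributionMethod", "RequestId")


def _as_list(value: Any) -> List[str]:
    """Accept a scalar or a list and always return a list of strings."""
    if value is None:
        return []
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def normalize_view_report(raw: str) -> Dict[str, Any]:
    """Return a dict keyed by UDM field path (repeated nouns kept as lists)."""
    rec = json.loads(raw)
    udm: Dict[str, Any] = {"metadata.event_type": "RESOURCE_READ"}
    udm["target.resource.name"] = rec.get("ReportName")
    udm["target.resource.product_object_id"] = rec.get("ReportId")
    udm["target.resource.attribute.labels"] = {k: str(rec[k]) for k in RESOURCE_LABEL_KEYS if k in rec}
    udm["network.http.user_agent"] = rec.get("UserAgent")
    oap = rec.get("OrgAppPermission") or {}
    udm["target.user.email_addresses"] = _as_list(oap.get("recipients"))
    udm["target.user.attribute.permissions"] = [{"name": p} for p in _as_list(oap.get("permissions"))]
    # One "about" entity per SharingInformation entry.
    udm["about"] = [{"user": {
        "email_addresses": _as_list(s.get("RecipientEmail")),
        "user_display_name": s.get("RecipientName"),
        "product_object_id": s.get("ObjectId"),
        "attribute": {"permissions": [{"name": p} for p in _as_list(s.get("ResharePermission"))]},
    }} for s in rec.get("SharingInformation") or []]
    udm["additional.fields"] = {k: str(rec[k]) for k in ADDITIONAL_FIELD_KEYS if k in rec}
    return udm


def external_share_recipients(udm: Dict[str, Any], internal_domain: str) -> List[str]:
    """Recipients in the about entities whose mail domain is not internal_domain:
    the kind of check a reviewer runs over sharing data once it is in UDM."""
    hits: List[str] = []
    for entity in udm.get("about", []):
        for addr in entity["user"]["email_addresses"]:
            if addr.rpartition("@")[2].lower() != internal_domain.lower():
                hits.append(addr)
    return hits


if __name__ == "__main__":
    normalized = normalize_view_report(SAMPLE_RECORD)
    print(json.dumps(normalized, indent=2))
    print("external recipients:", external_share_recipients(normalized, "example.com"))
```

The same SharingInformation and OrgAppPermission handling applies to the other Power BI operations in this document, which carry the identical two rows; only the resource fields (ReportName, DatasetId, DeploymentPipelineObjectId and so on) change between tables.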

GenerateEmbedToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateEmbedToken" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS
ObjectId is mapped to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
ConsumptionMethod target.labels.key/value (deprecated)
ConsumptionMethod additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ReportId target.resource.attribute.labels.key/value
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkspaceId target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
EmbedTokenId target.resource.product_object_id
RLSIdentities about.user.email_addresses and about.user.attribute.roles.name
RLSIdentities.UserName is mapped to about.user.email_addresses, and RLSIdentities.Roles is mapped to about.user.attribute.roles.name.

CreateDataset

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.name
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

GenerateCustomVisualAADAccessToken

The following table lists the log fields and corresponding UDM mappings for the operation "GenerateCustomVisualAADAccessToken" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
CustomVisualAccessTokenResourceId target.resource.product_object_id
CustomVisualAccessTokenSiteUri target.url

DeleteOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteOrganizationalGalleryItem" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
OrganizationalGalleryItemId target.resource.product_object_id
OrganizationalGalleryItemDisplayName target.resource.name
OrganizationalGalleryItemPublishTime target.resource.attribute.labels.key/value

DeleteAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteAlmPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineId target.labels.key/value (deprecated)
DeploymentPipelineId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id

AddDatasourceToGateway

The following table lists the log fields and corresponding UDM mappings for the operation "AddDatasourceToGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
GatewayId target.resource.attribute.labels.key/value
GatewayType target.labels.key/value (deprecated)
GatewayType additional.fields.key and additional.fields.value.string_value
DatasourceId target.resource.product_object_id
DatasourceType target.resource.attribute.labels.key/value

AssignWorkspaceToPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "AssignWorkspaceToPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName principal.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId principal.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineId target.labels.key/value (deprecated)
DeploymentPipelineId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id
DeploymentPipelineStageOrder target.labels.key/value (deprecated)
DeploymentPipelineStageOrder additional.fields.key and additional.fields.value.string_value

CancelDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "CancelDataflowRefresh" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value

ChangeCapacityState

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeCapacityState" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CapacityName target.resource.name
CapacityUsers about.labels.key/value (deprecated)
CapacityUsers additional.fields.key and additional.fields.value.string_value
CapacityState target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

ChangeGatewayAdministrators

The following table lists the log fields and corresponding UDM mappings for the operation "ChangeGatewayAdministrators" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
GatewayId target.resource.product_object_id
UserInformation about.user.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

InsertOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "InsertOrganizationalGalleryItem" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
OrganizationalGalleryItemId target.resource.product_object_id
OrganizationalGalleryItemDisplayName target.resource.name
OrganizationalGalleryItemPublishTime target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateAlmPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "CreateAlmPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name
This field is mapped based on the value of the UpdateApp operation: OrgAppPermission.recipients is mapped to target.user.email_addresses, and OrgAppPermission.permissions is mapped to target.user.attribute.permissions.name.
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name
Within SharingInformation: RecipientEmail is mapped to about.user.email_addresses, RecipientName to about.user.user_display_name, ObjectId to about.user.product_object_id, and ResharePermission to about.user.attribute.permissions.name.

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
DeploymentPipelineId target.labels.key/value (deprecated)
DeploymentPipelineId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

If IsSuccess is true then security_result.summary is Dashboard created successfully

else

security_result.summary is Dashboard not created

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DashboardId target.resource.product_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

CreateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "CreateDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION

If IsSuccess is true then security_result.summary is Dataflow created successfully

else

security_result.summary is Dataflow not created

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DataflowType target.resource.attribute.labels.key/value
DataflowId target.resource.product_id
WorkspaceId target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value

CreateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "CreateEmailSubscription" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

If IsSuccess is true then security_result.summary is EmailSubscription created successfully

else

security_result.summary is EmailSubscription not created

ObjectId is set to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
SubscriptionSchedule target.labels.key/value (deprecated)
SubscriptionSchedule additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
SubscribeeInformation network.email.to
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

CreateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "CreateFolder" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
FolderDisplayName target.resource.name
FolderObjectId target.resource.attribute.labels.key/value

CreateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "CreateGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
GatewayId target.resource.product_object_id
GatewayType target.labels.key/value (deprecated)
GatewayType additional.fields.key and additional.fields.value.string_value

CreateTemplateApp

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTemplateApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
TemplateAppObjectId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

DeleteComment

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteComment" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
AuditedArtifactInformation target.resource.name

target.resource.product_object_id

target.resource.attribute.labels.key/value

Name is mapped to target.resource.name

ArtifactObjectId is set to target.resource.product_object_id

AnnotatedItemType is mapped to target.resource.attribute.labels.key/value

WorkspaceId target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent

DeleteDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
DashboardName target.resource.name
Datasets about.resource.product_object_id

about.resource.name

DatasetId is mapped to about.resource.product_object_id

DatasetName is mapped to about.resource.name

DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

DeleteDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

DeleteDataset

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

DeleteEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteEmailSubscription" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_DELETION

ObjectId is set to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

DeleteFolder

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFolder" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

If IsSuccess is true then security_result.action is set to ALLOW

else

security_result.action is set to BLOCK

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
FolderObjectId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

DeleteGateway

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
GatewayId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

DeleteGroup

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteGroup" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

DeleteReport

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
ReportName target.resource.name
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value

DownloadReport

The following table lists the log fields and corresponding UDM mappings for the operation "DownloadReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
ReportName target.resource.name
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value

EditDataset

The following table lists the log fields and corresponding UDM mappings for the operation "EditDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

EditDatasetProperties

The following table lists the log fields and corresponding UDM mappings for the operation "EditDatasetProperties" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value
DatasetCertificationStage target.resource.attribute.labels.key/value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

EditReport

The following table lists the log fields and corresponding UDM mappings for the operation "EditReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkSpaceName target.resource.attribute.labels.key/value
ReportName target.resource.name
ReportId target.resource.attribute.labels.key/value
ReportType target.resource.attribute.labels.key/value

ExportDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "ExportDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
security_result.summary is set to "Dataflow Exported Successfully" if isSuccess is TRUE, otherwise to "Dataflow Not Exported"

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

ExportReport

The following table lists the log fields and corresponding UDM mappings for the operation "ExportReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
security_result.summary is set to "Report Exported Successfully" if isSuccess is TRUE, otherwise to "Report Not Exported"

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DatasetId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value
DataConnectivityMode target.resource.attribute.labels.key/value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value
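Added here as an illustration, not the OFFICE_365 parser's own code: a Python normalizer that applies the ExportReport rules above (the isSuccess summary, the deprecated labels written alongside additional.fields, the target.resource label fields and the nested SharingInformation sub-fields) to a constructed record, followed by a check that surfaces a successful export of a report classified as sensitive. The raw key casing (IsSuccess) and SharingInformation being a list of objects are assumptions, as is the sample record itself.

```python
"""Added example, not the OFFICE_365 parser's own code: normalize a PowerBI
"ExportReport" audit record into the UDM fields listed in the table above.
The sample record is constructed; the raw key casing (e.g. "IsSuccess") and
SharingInformation being a list of objects are assumptions."""
import json
from typing import Any, Optional

# Deprecated labels bucket per field, per the table; each of these is also
# written to additional.fields.
LABEL_BUCKET = {"AppName": "target", "DataClassification": "target",
                "SwitchState": "about", "ActivityId": "principal",
                "RequestId": "about", "LastRefreshTime": "about"}
# Fields that become target.resource.attribute.labels key/value pairs.
RESOURCE_LABELS = ("DashboardName", "ReportName", "WorkspaceId",
                   "WorkSpaceName", "DataConnectivityMode")
# Plain one-to-one mappings.
DIRECT = {"UserAgent": "network.http.user_agent",
          "DatasetId": "target.resource.product_object_id",
          "DatasetName": "target.resource.name"}
# SharingInformation sub-fields land on about.user.
SHARING = {"RecipientEmail": "about.user.email_addresses",
           "RecipientName": "about.user.user_display_name",
           "ObjectId": "about.user.product_object_id",
           "ResharePermission": "about.user.attribute.permissions"}
REPEATED = {"about.user.email_addresses", "about.user.attribute.permissions"}


def _put(udm: dict, path: str, value: Any, repeated: bool = False) -> None:
    """Write value at a dotted UDM path, appending when the field is repeated."""
    node = udm
    *parents, leaf = path.split(".")
    for key in parents:
        node = node.setdefault(key, {})
    if repeated:
        node.setdefault(leaf, []).append(value)
    else:
        node[leaf] = value


def summary_for(is_success: bool) -> str:
    """security_result.summary rule from the ExportReport table."""
    return "Report Exported Successfully" if is_success else "Report Not Exported"


def normalize_export_report(raw: str) -> dict:
    """Map one raw ExportReport record (JSON string) to a UDM-shaped dict."""
    rec = json.loads(raw)
    if rec.get("Workload") != "PowerBI" or rec.get("Operation") != "ExportReport":
        raise ValueError("not a PowerBI ExportReport record")
    udm: dict = {}
    _put(udm, "metadata.event_type", "SYSTEM_AUDIT_LOG_UNCATEGORIZED")
    # The table calls the flag isSuccess; the raw feed spells it IsSuccess (assumed).
    success = bool(rec.get("IsSuccess", rec.get("isSuccess", False)))
    _put(udm, "security_result.summary", summary_for(success))
    for field, path in DIRECT.items():
        if field in rec:
            _put(udm, path, rec[field])
    for field in RESOURCE_LABELS:
        if field in rec:
            _put(udm, "target.resource.attribute.labels",
                 {"key": field, "value": str(rec[field])}, repeated=True)
    for field, bucket in LABEL_BUCKET.items():
        if field in rec:
            _put(udm, f"{bucket}.labels", {"key": field, "value": str(rec[field])}, True)
            _put(udm, "additional.fields",
                 {"key": field, "value": {"string_value": str(rec[field])}}, True)
    for share in rec.get("SharingInformation", []):
        for sub, path in SHARING.items():
            if sub in share:
                value = {"name": share[sub]} if path.endswith("permissions") else share[sub]
                _put(udm, path, value, repeated=path in REPEATED)
    return udm


def classification_of(udm: dict) -> Optional[str]:
    """Read DataClassification from additional.fields (the non-deprecated location)."""
    for f in udm.get("additional", {}).get("fields", []):
        if f["key"] == "DataClassification":
            return f["value"]["string_value"]
    return None


def is_sensitive_export(udm: dict, sensitive=("Confidential", "Highly Confidential")) -> bool:
    """True for a successful export of a report carrying a sensitive classification."""
    exported = udm.get("security_result", {}).get("summary") == summary_for(True)
    return exported and classification_of(udm) in sensitive


# Constructed sample record (not real audit data).
SAMPLE = json.dumps({
    "Workload": "PowerBI", "Operation": "ExportReport", "IsSuccess": True,
    "AppName": "Sales App", "DashboardName": "Sales Dashboard",
    "DataClassification": "Confidential", "ReportName": "Q1 Pipeline",
    "UserAgent": "Mozilla/5.0 (constructed)", "ActivityId": "act-0001",
    "RequestId": "req-0001", "DatasetId": "ds-0001", "DatasetName": "Pipeline Dataset",
    "WorkspaceId": "ws-0001", "WorkSpaceName": "Sales", "DataConnectivityMode": "Import",
    "LastRefreshTime": "2024-01-01T00:00:00Z",
    "SharingInformation": [{"RecipientEmail": "analyst@example.com",
                            "RecipientName": "Analyst", "ObjectId": "obj-0001",
                            "ResharePermission": "Read"}],
})
```

Running the same record with IsSuccess set to false yields the "Report Not Exported" summary and the check stays quiet, which is the behaviour a detection built on security_result.summary depends on.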

InstallApp

The following table lists the log fields and corresponding UDM mappings for the operation "InstallApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

InstallTemplateApp

The following table lists the log fields and corresponding UDM mappings for the operation "InstallTemplateApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
TemplateAppFolderObjectId about.labels.key/value (deprecated)
TemplateAppFolderObjectId additional.fields.key and additional.fields.value.string_value
TemplateAppOwnerTenantObjectId principal.user.product_object_id
TemplateAppVersion metadata.product_version
TemplateAppObjectId target.resource.product_object_id
TemplatePackageName target.resource.name

PostComment

The following table lists the log fields and corresponding UDM mappings for the operation "PostComment" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
AuditedArtifactInformation target.resource.name, target.resource.product_object_id, target.resource.attribute.labels.key/value

RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

PrintDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "PrintDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
ObjectId is set to target.file.full_path
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DashboardId target.resource.product_object_id
Datasets.DatasetId about.resource.product_object_id
Datasets.DatasetName about.resource.name

RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

PrintReport

The following table lists the log fields and corresponding UDM mappings for the operation "PrintReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
ReportName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

UnassignWorkspaceFromPipeline

The following table lists the log fields and corresponding UDM mappings for the operation "UnassignWorkspaceFromPipeline" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineId target.resource.attribute.labels.key/value
DeploymentPipelineObjectId target.resource.product_object_id

RemoveDatasourceFromGateway

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveDatasourceFromGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
GatewayId target.resource.attribute.labels.key/value
DatasourceId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

RenameDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "RenameDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ObjectId is set to target.file.full_path

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DashboardId target.resource.product_object_id
Datasets.DatasetId about.resource.product_object_id
Datasets.DatasetName about.resource.name

RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

RequestDataflowRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "RequestDataflowRefresh" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowRefreshScheduleType target.labels.key/value (deprecated)
DataflowRefreshScheduleType additional.fields.key and additional.fields.value.string_value
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

RefreshDataset

The following table lists the log fields and corresponding UDM mappings for the operation "RefreshDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses (OrgAppPermission is mapped based on the value of the UpdateApp operation)
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RefreshType target.labels.key/value (deprecated)
RefreshType additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

SensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation "SensitivityLabelApplied" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission.recipients target.user.email_addresses
OrgAppPermission.permissions target.user.attribute.permissions.name
ReportName target.resource.attribute.labels.key/value
SharingInformation.RecipientEmail about.user.email_addresses
SharingInformation.RecipientName about.user.user_display_name
SharingInformation.ObjectId about.user.product_object_id
SharingInformation.ResharePermission about.user.attribute.permissions.name
SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
SensitivityLabelId target.resource.product_object_id
ActionSourceDetail principal.labels.key/value (deprecated)
ActionSourceDetail additional.fields.key and additional.fields.value.string_value
LabelEventType target.labels.key/value (deprecated)
LabelEventType additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value
ArtifactType about.labels.key/value (deprecated)
ArtifactType additional.fields.key and additional.fields.value.string_value

SensitivityLabelRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SensitivityLabelRemoved" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
OldSensitivityLabelId target.resource.product_object_id
ActionSource principal.labels.key/value (deprecated)
ActionSource additional.fields.key and additional.fields.value.string_value
LabelEventType target.labels.key/value (deprecated)
LabelEventType additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value
ActionSourceDetail principal.labels.key/value (deprecated)
ActionSourceDetail additional.fields.key and additional.fields.value.string_value
ArtifactType about.labels.key/value (deprecated)
ArtifactType additional.fields.key and additional.fields.value.string_value

SetScheduledRefreshOnDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "SetScheduledRefreshOnDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

SetScheduledRefresh

The following table lists the log fields and corresponding UDM mappings for the operation "SetScheduledRefresh" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is TASK

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
Schedules target.labels.key/value (deprecated)
Schedules additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

ShareDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "ShareDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name

DashboardId target.resource.product_object_id
Datasets about.resource.product_object_id

about.resource.name

DatasetId is mapped to about.resource.product_object_id

DatasetName is mapped to about.resource.name

WorkspaceId target.resource.attribute.labels.key/value
SharingAction about.labels.key/value (deprecated)
SharingAction additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

ShareReport

The following table lists the log fields and corresponding UDM mappings for the operation "ShareReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value

Datasets about.resource.product_object_id

about.resource.name

WorkspaceId target.resource.attribute.labels.key/value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ArtifactId target.resource.product_object_id
ArtifactName target.resource.name
SharingAction about.labels.key/value (deprecated)
SharingAction additional.fields.key and additional.fields.value.string_value
ShareLinkId about.labels.key/value (deprecated)
ShareLinkId additional.fields.key and additional.fields.value.string_value
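As an added example (not part of this reference or of the Google Security Operations parser), the following Python flags ShareDashboard and ShareReport events whose recipients fall outside the tenant's own domains, reading the UDM fields the two tables above populate: about.user.email_addresses from SharingInformation.RecipientEmail, about.user.attribute.permissions.name from ResharePermission, target.resource.name from DashboardName or ArtifactName, and SharingAction from additional.fields. It assumes the Operation value is available in metadata.product_event_type and that contoso.example is the tenant's own domain; the sample events are constructed, not real Google Security Operations output.

```python
"""Flag Power BI ShareDashboard / ShareReport events with external recipients.

Added example, not part of the OFFICE_365 parser. Assumptions: the Operation
value is available in metadata.product_event_type, and contoso.example is the
tenant's own e-mail domain.
"""
from dataclasses import dataclass

# Assumption: the tenant's own e-mail domains; anything else is treated as external.
INTERNAL_DOMAINS = frozenset({"contoso.example"})


@dataclass(frozen=True)
class Finding:
    operation: str       # ShareDashboard or ShareReport
    resource: str        # target.resource.name
    recipient: str       # one about.user.email_addresses entry
    permissions: str     # comma-joined about.user.attribute.permissions.name
    sharing_action: str  # SharingAction from additional.fields


def additional_field(event: dict, key: str) -> str:
    """Return the string_value stored under `key` in additional.fields, or ''."""
    for field in event.get("additional", {}).get("fields", []):
        if field.get("key") == key:
            return field.get("value", {}).get("string_value", "")
    return ""


def is_internal(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """An address without '@' has no domain to trust, so it counts as external."""
    if "@" not in address:
        return False
    return address.rsplit("@", 1)[1].lower() in internal_domains


def external_shares(events, internal_domains=INTERNAL_DOMAINS):
    """Return one Finding per (share event, external recipient) pair."""
    findings = []
    for event in events:
        operation = event.get("metadata", {}).get("product_event_type", "")
        if operation not in ("ShareDashboard", "ShareReport"):
            continue
        resource = event.get("target", {}).get("resource", {}).get("name", "")
        action = additional_field(event, "SharingAction")
        # `about` is repeated in UDM: one entry per SharingInformation element.
        for noun in event.get("about", []):
            user = noun.get("user", {})
            perms = ",".join(
                p.get("name", "") for p in user.get("attribute", {}).get("permissions", [])
            )
            for address in user.get("email_addresses", []):
                if not is_internal(address, internal_domains):
                    findings.append(Finding(operation, resource, address, perms, action))
    return findings


def sample_events():
    """Constructed UDM-shaped records for a smoke test; not real SecOps output."""
    return [
        {   # dashboard shared with one internal and one external recipient
            "metadata": {"product_event_type": "ShareDashboard"},
            "target": {"resource": {"name": "Quarterly Revenue", "product_object_id": "dash-0001"}},
            "about": [
                {"user": {"email_addresses": ["alice@contoso.example"],
                          "attribute": {"permissions": [{"name": "Read"}]}}},
                {"user": {"email_addresses": ["partner@fabrikam.example"],
                          "attribute": {"permissions": [{"name": "Read"}, {"name": "Reshare"}]}}},
            ],
            "additional": {"fields": [{"key": "SharingAction", "value": {"string_value": "Added"}}]},
        },
        {   # report shared internally only: no finding expected
            "metadata": {"product_event_type": "ShareReport"},
            "target": {"resource": {"name": "Sales Pipeline", "product_object_id": "rep-0002"}},
            "about": [{"user": {"email_addresses": ["bob@contoso.example"],
                                "attribute": {"permissions": [{"name": "Read"}]}}}],
            "additional": {"fields": [{"key": "SharingAction", "value": {"string_value": "Added"}}]},
        },
        {   # unrelated operation: ignored by the check
            "metadata": {"product_event_type": "RefreshDataset"},
            "target": {"resource": {"name": "Sales Pipeline"}},
        },
    ]


if __name__ == "__main__":
    for f in external_shares(sample_events()):
        print(f"{f.operation}: '{f.resource}' shared with {f.recipient} "
              f"({f.permissions}; action={f.sharing_action})")
```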

OptInForProTrial

The following table lists the log fields and corresponding UDM mappings for the operation "OptInForProTrial" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UnpublishApp

The following table lists the log fields and corresponding UDM mappings for the operation "UnpublishApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkspaceId target.resource.product_object_id
WorkSpaceName target.resource.name
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateOrganizationalGalleryItem

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateOrganizationalGalleryItem" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
OrganizationalGalleryItemId target.resource.product_object_id
OrganizationalGalleryItemDisplayName target.resource.name
OrganizationalGalleryItemPublishTime target.resource.attribute.labels.key/value

UpdateAlmPipelineAccess

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateAlmPipelineAccess" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DeploymentPipelineObjectId target.resource.product_object_id
DeploymentPipelineDisplayName target.resource.name
DeploymentPipelineAccesses about.user.userid

about.user.attribute.permissions.name

userid is mapped to about.user.userid

Rolepermission is mapped to about.user.attribute.permissions.name

UpdateInstalledTemplateAppParameters

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateInstalledTemplateAppParameters" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
TemplateAppObjectId target.resource.product_object_id
TemplatePackageName target.resource.name
TemplateAppVersion metadata.product_version
TemplateAppFolderObjectId about.labels.key/value (deprecated)
TemplateAppFolderObjectId additional.fields.key and additional.fields.value.string_value

UpdatedAdminFeatureSwitch

The following table lists the log fields and corresponding UDM mappings for the operation "UpdatedAdminFeatureSwitch" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is mapped to SETTING

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateApp

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateApp" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.name
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

WorkspaceId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateDatasetParameters

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasetParameters" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value

UpdateEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateEmailSubscription" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_MODIFICATION

target.resource.type is mapped to TASK

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
SubscriptionSchedule target.labels.key/value (deprecated)
SubscriptionSchedule additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
SubscribeeInformation network.email.to
DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

UpdateFolder

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolder" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
FolderObjectId target.resource.product_object_id
FolderDisplayName target.resource.name
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateFolderAccess

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateFolderAccess" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
FolderObjectId target.resource.product_object_id
FolderDisplayName target.resource.name
FolderAccessRequests about.user.userid

about.user.product_object_id

about.user.attribute.permissions.type

UserId is mapped to about.user.userid

UserObjectId is set to about.user.product_object_id

RolePermissions is mapped to about.user.attribute.permissions.type

RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateDatasourceCredentials

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateDatasourceCredentials" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
GatewayId target.resource.attribute.labels.key/value
DatasourceId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

UpdateTemplateAppSettings

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppSettings" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
TemplateAppObjectId target.resource.product_object_id

UpdateTemplateAppTestPackagePermissions

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTemplateAppTestPackagePermissions" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
TemplateAppObjectId target.resource.product_object_id

ViewDashboard

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDashboard" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ConsumptionMethod target.labels.key/value (deprecated)
ConsumptionMethod additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
Datasets about.resource.product_object_id

about.resource.name

DatasetId is mapped to about.resource.product_object_id

DatasetName is mapped to about.resource.name

DashboardId target.resource.product_object_id
WorkspaceId target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkSpaceName target.resource.attribute.labels.key/value

ViewDataflow

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDataflow" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
CapacityId about.labels.key/value (deprecated)
CapacityId additional.fields.key and additional.fields.value.string_value
CapacityName about.labels.key/value (deprecated)
CapacityName additional.fields.key and additional.fields.value.string_value
WorkspaceId target.resource.attribute.labels.key/value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
DataflowType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
SensitivityLabelId security_result.detection_fields.key/value

AddTile

The following table lists the log fields and corresponding UDM mappings for the operation "AddTile" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
TileText target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

RunEmailSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "RunEmailSubscription" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SCHEDULED_TASK_CREATION

target.resource.resource_type is set to TASK

If the ClientIP field is absent, metadata.event_type is mapped to GENERIC_EVENT.

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DashboardName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DashboardId target.resource.product_object_id
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

CreateReport

The following table lists the log fields and corresponding UDM mappings for the operation "CreateReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
ReportName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

GetSnapshots

The following table lists the log fields and corresponding UDM mappings for the operation "GetSnapshots" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

OptInForPPUTrial

The following table lists the log fields and corresponding UDM mappings for the operation "OptInForPPUTrial" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

Set-MailUser

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailUser" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol

target.user.email_addresses

target.group.email_addresses

If Name is EmailAddresses, the emails and mail_key are extracted from the Value field; the emails are mapped to target.user.email_addresses and the mail_key to network.email.mail_id.

If Name is ExternalEmailAddress, the protocol and emails are extracted from the Value field; the protocol is mapped to network.application_protocol and the emails to target.group.email_addresses.

Protocol is mapped to network.application_protocol

EmailAddresses is mapped to target.user.email_addresses

ExternalEmailAddress is mapped to target.group.email_addresses

Version metadata.product_version

Set-MailContact

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailContact" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol

target.user.email_addresses

target.group.email_addresses

If Name is EmailAddresses, the emails and mail_key are extracted from the Value field; the emails are mapped to target.user.email_addresses and the mail_key to network.email.mail_id.

If Name is ExternalEmailAddress, the protocol and emails are extracted from the Value field; the protocol is mapped to network.application_protocol and the emails to target.group.email_addresses.

Protocol is mapped to network.application_protocol

EmailAddresses is mapped to target.user.email_addresses

ExternalEmailAddress is mapped to target.group.email_addresses

Version metadata.product_version

Set-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Mailbox" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

Object is mapped to target.group.group_display_name

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Set-DistributionGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-DistributionGroup" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group members definition

If ResultStatus is True, Action is set to ALLOW; otherwise Action is set to BLOCK

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses

security_result.description

target.group.attribute.labels.key/value

If Name is Identity, Value is mapped to target.group.product_object_id or target.group.email_addresses

If Name is AcceptMessagesOnlyFromSendersOrMembers, Value is mapped to security_result.description

Otherwise, Value is mapped to target.group.attribute.labels.key/value

SessionId network.session_id
Version metadata.product_version
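
The Set-DistributionGroup table above combines a status check (ResultStatus drives the ALLOW/BLOCK action) with a per-parameter branch on Name. The following Python is an added example that applies those rules to one audit record; it is not the Google Security Operations parser and not Microsoft code. It assumes the Management Activity API shape in which Parameters is a list of {"Name": ..., "Value": ...} objects, assumes the table's "Action" means security_result.action, and uses a simple heuristic (value contains "@") to decide whether an Identity value is an address or an object id; the sample record is constructed.

```python
"""Apply the Set-DistributionGroup mapping rules to an Exchange admin audit record.

Added example, not the Google Security Operations parser. Field names on the
right-hand side are the UDM paths the mapping table lists; "security_result.action"
is an assumption for the table's "Action".
"""


def _looks_like_email(value: str) -> bool:
    """Heuristic (assumption): an Identity containing '@' is an address, else an id."""
    return "@" in value and " " not in value


def map_set_distribution_group(record: dict) -> dict:
    """Return the UDM fields the Set-DistributionGroup table derives from `record`."""
    # ResultStatus arrives as the string "True"/"False" in Exchange admin records;
    # str() also accepts a bare boolean. Anything but True becomes BLOCK.
    succeeded = str(record.get("ResultStatus")) == "True"
    udm = {
        "metadata.event_type": "GROUP_MODIFICATION",
        "target.group.group_display_name": record.get("ObjectId"),
        "security_result.summary": "Group members definition",
        "security_result.action": "ALLOW" if succeeded else "BLOCK",
        "target.group.attribute.labels": {},
    }
    for param in record.get("Parameters", []):
        name, value = param.get("Name"), param.get("Value")
        if value is None:
            continue
        if name == "Identity":
            # Identity -> email_addresses when it is an address, else product_object_id
            if _looks_like_email(value):
                udm["target.group.email_addresses"] = [value]
            else:
                udm["target.group.product_object_id"] = value
        elif name == "AcceptMessagesOnlyFromSendersOrMembers":
            # The sender allow-list is surfaced in the security_result description
            udm["security_result.description"] = value
        else:
            # Every other parameter is kept as a key/value label on the group
            udm["target.group.attribute.labels"][name] = value
    return udm


# Constructed sample record (not data from a real tenant).
SAMPLE_RECORD = {
    "Operation": "Set-DistributionGroup",
    "Workload": "Exchange",
    "ResultStatus": "True",
    "ObjectId": "Finance Team",
    "Parameters": [
        {"Name": "Identity", "Value": "finance-team@example.com"},
        {"Name": "AcceptMessagesOnlyFromSendersOrMembers", "Value": "cfo@example.com"},
        {"Name": "RequireSenderAuthenticationEnabled", "Value": "False"},
    ],
}

if __name__ == "__main__":
    for key, val in map_set_distribution_group(SAMPLE_RECORD).items():
        print(f"{key}: {val}")
```

Because a failed cmdlet still yields an event (with action BLOCK rather than being dropped), a detection on distribution-group changes should read security_result.action before treating the change as applied; the parameters that did not match a dedicated branch stay searchable under target.group.attribute.labels.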

Set-Contact

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Contact" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol

target.user.email_addresses

target.group.email_addresses

If Name is EmailAddresses, the emails and mail_key are extracted from the Value field; the emails are mapped to target.user.email_addresses and the mail_key to network.email.mail_id.

If Name is ExternalEmailAddress, the protocol and emails are extracted from the Value field; the protocol is mapped to network.application_protocol and the emails to target.group.email_addresses.

Protocol is mapped to network.application_protocol

EmailAddresses is mapped to target.user.email_addresses

ExternalEmailAddress is mapped to target.group.email_addresses

Version metadata.product_version
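The Exchange cmdlet tables in this section (Set-DistributionGroup and Set-Contact above, Remove-DistributionGroupMember further down) share one shape: Parameters arrives as a list of Name/Value pairs that the parser walks, and ResultStatus decides security_result.action. The Python below is an added example, not Google SecOps parser code and not part of the original page; it applies those rules to constructed records in the Management Activity API shape. The record builder and its values, the email/GUID shape tests used to choose between product_object_id, email_addresses and user_display_name, and the proxy-address regex are assumptions made for the example.

```python
"""Added example, not Google SecOps parser code: applies the Parameters and ResultStatus
rules of the Set-DistributionGroup, Remove-DistributionGroupMember and Set-Contact tables
to records shaped like Office 365 Management Activity API output (samples are constructed)."""
import re

EMAIL_RE = re.compile(r"^[^\s@:,;<>\"']+@[^\s@:,;<>\"']+$")
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PROXY_ADDR_RE = re.compile(r"(?P<key>[A-Za-z0-9]+):(?P<addr>[^,\s{}]+)")


def name_value_pairs(items):
    """Flatten the API's [{"Name": ..., "Value": ...}] list into (name, value) tuples."""
    return [(i.get("Name", ""), str(i.get("Value", ""))) for i in items or []]


def result_action(record):
    """ResultStatus True -> ALLOW; anything else (failed cmdlet or missing field) -> BLOCK."""
    return "ALLOW" if str(record.get("ResultStatus", "")).lower() == "true" else "BLOCK"


def identity_fields(value, fallback):
    """Pick the UDM field for an Identity/Member value from its shape (email, GUID, other)."""
    if EMAIL_RE.match(value):
        return "email_addresses", [value]
    return ("product_object_id", value) if GUID_RE.match(value) else (fallback, value)


def parse_proxy_addresses(value):
    """Exchange proxy-address syntax: '{SMTP:a@x.com, smtp:b@x.com}' -> [(type, address), ...]."""
    return [(m.group("key"), m.group("addr")) for m in PROXY_ADDR_RE.finditer(value)]


def base_event(record, event_type):
    return {"metadata": {"event_type": event_type, "product_version": record.get("Version")},
            "principal": {"hostname": record.get("OriginatingServer")},
            "target": {"administrative_domain": record.get("OrganizationName")},
            "network": {}}


def map_group_cmdlet(record):
    """Set-DistributionGroup / Remove-DistributionGroupMember -> GROUP_MODIFICATION."""
    udm = base_event(record, "GROUP_MODIFICATION")
    group = {"group_display_name": record.get("ObjectId"), "attribute": {"labels": []}}
    udm["target"]["group"] = group
    udm["security_result"] = {"summary": "Group members definition", "action": result_action(record)}
    for name, value in name_value_pairs(record.get("Parameters")):
        if name == "Identity":
            key, val = identity_fields(value, "product_object_id")
            group[key] = val
        elif name == "Member":
            key, val = identity_fields(value, "user_display_name")
            udm["target"].setdefault("user", {})[key] = val
        elif name == "AcceptMessagesOnlyFromSendersOrMembers":
            udm["security_result"]["description"] = value
        else:  # every other parameter survives as a group attribute label
            group["attribute"]["labels"].append({"key": name, "value": value})
    return udm


def map_set_contact(record):
    """Set-Contact -> EMAIL_UNCATEGORIZED; splits proxy addresses into type and address."""
    udm = base_event(record, "EMAIL_UNCATEGORIZED")
    udm["target"]["group"] = {"group_display_name": record.get("ObjectId")}
    for name, value in name_value_pairs(record.get("Parameters")):
        pairs = parse_proxy_addresses(value)
        if name == "EmailAddresses" and pairs:
            udm["target"]["user"] = {"email_addresses": [addr for _, addr in pairs]}
            udm["network"]["email"] = {"mail_id": ",".join(key for key, _ in pairs)}
        elif name == "ExternalEmailAddress" and pairs:
            key, addr = pairs[0]
            udm["network"]["application_protocol"] = key.upper()
            udm["target"]["group"]["email_addresses"] = [addr]
    return udm


def sample(operation, object_id, result, params):
    """Constructed record in Management Activity API shape; every value is invented."""
    return {"Operation": operation, "Workload": "Exchange", "Version": "1", "ObjectId": object_id,
            "ResultStatus": result, "OrganizationName": "contoso.onmicrosoft.com",
            "OriginatingServer": "EX01 (15.20.1234.000)",
            "Parameters": [{"Name": n, "Value": v} for n, v in params]}


SET_DG = sample("Set-DistributionGroup", "Finance Team", "True", [
    ("Identity", "finance@contoso.com"),
    ("AcceptMessagesOnlyFromSendersOrMembers", "alice@contoso.com"),
    ("RequireSenderAuthenticationEnabled", "False")])
REMOVE_MEMBER = sample("Remove-DistributionGroupMember", "Finance Team", "False", [
    ("Identity", "e9a1b2c3-0000-1111-2222-333344445555"), ("Member", "Bob Builder")])
SET_CONTACT = sample("Set-Contact", "Partner Contact", "True", [
    ("EmailAddresses", "{SMTP:partner@contoso.com, smtp:p.alias@contoso.com}"),
    ("ExternalEmailAddress", "SMTP:partner@example.org")])

if __name__ == "__main__":
    for rec in (SET_DG, REMOVE_MEMBER, SET_CONTACT):
        mapper = map_set_contact if rec["Operation"] == "Set-Contact" else map_group_cmdlet
        print(mapper(rec))
```

The failed Remove-DistributionGroupMember record lands as security_result.action BLOCK, which is what a detection keyed on membership changes should filter on; the unrecognised parameter (RequireSenderAuthenticationEnabled in the constructed record) is kept as a group label rather than dropped, so it stays searchable.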

Set-CASMailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CASMailbox" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
ModifiedObjectResolvedName about.labels.key/value (deprecated)
ModifiedObjectResolvedName additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Set-CalendarProcessing

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CalendarProcessing" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.user_display_name

If Name is ResourceDelegates then Value is mapped to target.user.user_display_name

SessionId network.session_id
Version metadata.product_version

Set-AdminAuditLogConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-AdminAuditLogConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

ObjectId is mapped to target.url

target.resource.resource_type is set to SETTING

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
ModifiedObjectResolvedName about.labels.key/value (deprecated)
ModifiedObjectResolvedName additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Remove-UnifiedGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-UnifiedGroup" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
Version metadata.product_version

Remove-MigrationUser

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MigrationUser" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION

ObjectId is set to target.user.userid or target.user.email_addresses

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version

Update-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Update-eDiscoveryCaseAdmin" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Remove-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-DistributionGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then security_result.action is set to ALLOW

else security_result.action is set to BLOCK

AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses, target.user.product_object_id or target.user.email_addresses or target.user.user_display_name, target.group.attribute.labels.key/value

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

else Value is mapped to target.group.attribute.labels.key/value

Version metadata.product_version

ViewedSearchExported

The following table lists the log fields and corresponding UDM mappings for the operation "ViewedSearchExported" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

AddWorkingSetQueryToWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "AddWorkingSetQueryToWorkingSet" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

AddQueryToWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "AddQueryToWorkingSet" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

RunAlgo

The following table lists the log fields and corresponding UDM mappings for the operation "RunAlgo" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

AnnotateDocument

The following table lists the log fields and corresponding UDM mappings for the operation "AnnotateDocument" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

BurnJob

The following table lists the log fields and corresponding UDM mappings for the operation "BurnJob" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

CreateWorkingSet

The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingSet" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

CreateWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "CreateWorkingsetSearch" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

CreateTag

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTag" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

DeleteWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteWorkingsetSearch" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

DeleteTag

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteTag" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

DownloadDocument

The following table lists the log fields and corresponding UDM mappings for the operation "DownloadDocument" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

UpdateTag

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateTag" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

ExportJob

The following table lists the log fields and corresponding UDM mappings for the operation "ExportJob" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

UpdateCaseSettings

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateCaseSettings" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

UpdateWorkingsetSearch

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateWorkingsetSearch" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

TagFiles

The following table lists the log fields and corresponding UDM mappings for the operation "TagFiles" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

ViewDocument

The following table lists the log fields and corresponding UDM mappings for the operation "ViewDocument" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
CaseId target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
StartTime target.resource.attribute.creation_time
ExtendedProperties target.resource.attribute.labels.key/value
Version metadata.product_version

SearchViewed

The following table lists the log fields and corresponding UDM mappings for the operation "SearchViewed" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

If Name is SearchIds then Value is mapped to target.resource.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

CaseMemberAdded

The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberAdded" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id, about.user.email_addresses, about.user.product_object_id

If Name is CaseId then Value is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Extract target_user information from Parameters using grok:

grok {
  match => { "Parameters" => ".*-(Member|User) %{DATA:target_user}" }
}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version
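The SecurityComplianceCenter tables (ViewedSearchExported, SearchViewed, CaseMemberAdded above, and CaseAdminUpdated, HoldUpdated, CaseAdminRemoved and the others that follow) reuse three rules: principal.process.command_line is rebuilt from the Cmdlet and CmdletOptions entries of Parameters, ExtendedProperties is split by Name into CaseId, SearchIds and the CaseMembers/CaseAdmins lists, and the target user is pulled out of the command line with the grok shown in the CaseMemberAdded table. The Python below is an added example, not Google SecOps parser code and not part of the original page; it runs those rules over one constructed CaseMemberAdded record. The record's values, the regex that stands in for the grok (it runs on the rebuilt command line and stops the capture at the next whitespace or quote), and the choice of email_addresses versus userid by the presence of an @ sign are assumptions made for the example.

```python
"""Added example, not Google SecOps parser code: the rules shared by the
SecurityComplianceCenter tables (ViewedSearchExported, SearchViewed, CaseMemberAdded,
CaseAdminUpdated, HoldUpdated, CaseAdminRemoved and the rest): rebuild
principal.process.command_line from Parameters, map ExtendedProperties, and recover the
-Member / -User target the grok captures. The sample record is constructed."""
import re

# Same anchor as the table's grok (.*-(Member|User) ...); the capture stops at the next
# whitespace or quote so a following option cannot leak into target_user.
TARGET_USER_RE = re.compile(r".*-(?:Member|User)\s+[\"']?(?P<target_user>[^\s\"']+)")


def name_value_pairs(items):
    """Flatten the API's [{"Name": ..., "Value": ...}] list into (name, value) tuples."""
    return [(i.get("Name", ""), str(i.get("Value", ""))) for i in items or []]


def command_line(parameters):
    """Cmdlet -> process_value, CmdletOptions -> process_args, joined with one space."""
    values = dict(name_value_pairs(parameters))
    return f'{values.get("Cmdlet", "")} {values.get("CmdletOptions", "")}'.strip()


def target_user(cmdline):
    """The user or member named on the command line, or None when there is none."""
    m = TARGET_USER_RE.match(cmdline)
    return m.group("target_user") if m else None


def extended_properties(props):
    """CaseId -> target.resource.product_object_id; SearchIds -> additional.fields;
    *Smtp -> about.user.email_addresses; *Guid -> about.user.product_object_id (each Value)."""
    out = {"resource": {}, "about_user": {"email_addresses": [], "product_object_id": []},
           "additional_fields": []}
    for name, value in name_value_pairs(props):
        if name == "CaseId":
            out["resource"]["product_object_id"] = value
        elif name == "SearchIds":
            out["additional_fields"].append({"key": name, "value": {"string_value": value}})
        elif name in ("CaseMembersSmtp", "CaseAdminsSmtp"):
            out["about_user"]["email_addresses"].append(value)
        elif name in ("CaseMembersGuid", "CaseAdminsGuid"):
            out["about_user"]["product_object_id"].append(value)
    return out


def map_scc_record(record, event_type):
    """Build the UDM-shaped event for one SecurityComplianceCenter record."""
    ext = extended_properties(record.get("ExtendedProperties"))
    cmd = command_line(record.get("Parameters"))
    locations = ("ExchangeLocations", "SharepointLocations", "PublicFolderLocations")
    udm = {
        "metadata": {"event_type": event_type, "product_version": record.get("CmdletVersion"),
                     "description": record.get("Case")},
        "principal": {"application": record.get("ClientApplication"),
                      "process": {"command_line": cmd}},
        "target": {"administrative_domain": record.get("EffectiveOrganization"),
                   "resource": {"product_object_id": ext["resource"].get("product_object_id"),
                                "attribute": {"creation_time": record.get("StartTime")}}},
        "about": {"user": ext["about_user"]},
        "additional": {"fields": ext["additional_fields"]},
        "security_result": {"summary": record.get("ObjectType"), "description": record.get("Query"),
                            "category_details": [record[k] for k in locations if record.get(k)]},
    }
    user = target_user(cmd)
    if user:  # CaseMemberAdded / CaseAdminRemoved: grok'd target -> target.user
        udm["target"]["user"] = {"email_addresses": [user]} if "@" in user else {"userid": user}
    return udm


# Constructed sample (Management Activity API shape; identifiers and names are invented).
CASE_MEMBER_ADDED = {
    "Operation": "CaseMemberAdded", "Workload": "SecurityComplianceCenter",
    "ObjectType": "Case", "Case": "Project Falcon", "ClientApplication": "EMC",
    "CmdletVersion": "15.20.1234.0", "EffectiveOrganization": "contoso.onmicrosoft.com",
    "StartTime": "2024-03-01T09:15:00", "ExchangeLocations": "All", "SharepointLocations": "",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Add-ComplianceCaseMember"},
        {"Name": "CmdletOptions", "Value": '-Case "Project Falcon" -Member bob@contoso.com'},
    ],
    "ExtendedProperties": [
        {"Name": "CaseId", "Value": "8f0e1d2c-aaaa-bbbb-cccc-ddddeeeeffff"},
        {"Name": "CaseMembersSmtp", "Value": "alice@contoso.com"},
        {"Name": "CaseMembersSmtp", "Value": "bob@contoso.com"},
        {"Name": "CaseMembersGuid", "Value": "1a2b3c4d-0000-1111-2222-333344445555"},
    ],
}

if __name__ == "__main__":
    print(map_scc_record(CASE_MEMBER_ADDED, "USER_CREATION"))
```

Two details matter when hunting eDiscovery abuse on these events: the full membership of the case after the change sits in about.user (every CaseMembersSmtp value, not only the one just added), while the account the operator named on the command line is the one that ends up in target.user, so a rule that alerts on a new case member should read target.user and compare it against about.user to spot who was already there.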

SearchUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

CaseAdminUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties about.user.email_addresses, about.user.product_object_id

If Name is CaseAdminsSmtp then Value is mapped to about.user.email_addresses

If Name is CaseAdminsGuid then Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

CaseUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "CaseUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id, about.user.email_addresses, about.user.product_object_id

If Name is CaseId then Value is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseMemberUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id, about.user.email_addresses, about.user.product_object_id

If Name is CaseId then Value is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchPermissionUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExtendedProperties principal.labels.key/value (deprecated)
ExtendedProperties additional.fields.key and additional.fields.value.string_value
ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

HoldUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "HoldUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SearchRemoved" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseAdminRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminRemoved" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

target.user.email_addresses

target.user.userid

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

target_user is mapped to target.user.email_addresses or target.user.userid

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CaseRemoved" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchPermissionRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionRemoved" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties principal.labels.key/value (deprecated)
ExtendedProperties additional.fields.key and additional.fields.value.string_value
ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

HoldRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "HoldRemoved" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

HoldCreated

The following table lists the log fields and corresponding UDM mappings for the operation "HoldCreated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCreated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseAdminAdded

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdminAdded" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchStarted

The following table lists the log fields and corresponding UDM mappings for the operation "SearchStarted" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

SearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "SearchReport" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchStopped

The following table lists the log fields and corresponding UDM mappings for the operation "SearchStopped" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

CaseViewed

The following table lists the log fields and corresponding UDM mappings for the operation "CaseViewed" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

SearchExportDownloaded

The following table lists the log fields and corresponding UDM mappings for the operation "SearchExportDownloaded" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Version metadata.product_version

CaseMemberRemoved

The following table lists the log fields and corresponding UDM mappings for the operation "CaseMemberRemoved" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

Extract target_user information using grok:

grok {
  match => {
    "Parameters" => ".*-(Member|User) %{DATA:target_user}"
  }
}

Version metadata.product_version
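The three pieces of conditional logic that the SecurityComplianceCenter tables above repeat (assembling principal.process.command_line from the Parameters array, dispatching ExtendedProperties on Name, and extracting target_user from the -Member / -User option for the CaseAdminRemoved and CaseMemberRemoved operations) are emulated below as an added Python example. It is not the Google SecOps parser; the sample audit record, the splitting of CaseMembersSmtp and CaseMembersGuid on ";" or ",", the choice between target.user.email_addresses and target.user.userid by the presence of "@", the GENERIC_EVENT fallback, and the regex that stands in for the page's grok pattern are all assumptions made for this example.

```python
"""Emulation of the SecurityComplianceCenter mapping logic on this page (constructed example)."""
import re

# metadata.event_type per operation, copied from the tables on this page.
SCC_EVENT_TYPE = {
    "CaseAdminRemoved": "USER_DELETION", "CaseRemoved": "USER_RESOURCE_DELETION",
    "SearchPermissionRemoved": "USER_UNCATEGORIZED", "HoldRemoved": "USER_RESOURCE_DELETION",
    "HoldCreated": "USER_RESOURCE_CREATION", "SearchCreated": "USER_RESOURCE_ACCESS",
    "CaseAdminAdded": "USER_CREATION", "SearchStarted": "USER_RESOURCE_ACCESS",
    "SearchReport": "USER_RESOURCE_ACCESS", "SearchStopped": "USER_UNCATEGORIZED",
    "CaseViewed": "USER_RESOURCE_ACCESS", "SearchExportDownloaded": "USER_RESOURCE_ACCESS",
    "CaseMemberRemoved": "USER_DELETION", "CaseAdded": "USER_RESOURCE_CREATION",
    "SearchPermissionCreated": "USER_UNCATEGORIZED",
}

# Only these two tables derive target.user from the -Member / -User option.
TARGET_USER_OPERATIONS = {"CaseAdminRemoved", "CaseMemberRemoved"}

# Stand-in for the page's grok ".*-(Member|User) %{DATA:target_user}".
# Assumption: the user value runs until the next "-Option" token or end of string.
TARGET_USER_RE = re.compile(r"-(?:Member|User)\s+(.+?)(?=\s+-[A-Za-z]|$)")


def build_command_line(parameters):
    """Cmdlet -> process_value, CmdletOptions -> process_args, joined with a space."""
    process_value, process_args = "", ""
    for param in parameters or []:
        if param.get("Name") == "Cmdlet":
            process_value = str(param.get("Value", ""))
        elif param.get("Name") == "CmdletOptions":
            process_args = str(param.get("Value", ""))
    return f"{process_value} {process_args}".strip()


def extract_target_user(command_line):
    """Return the -Member / -User value, or None when the option is absent."""
    match = TARGET_USER_RE.search(command_line)
    return match.group(1) if match else None


def _each_value(value):
    """'each Value' in the tables: accept a list or a ';'/','-delimited string (assumption)."""
    if isinstance(value, list):
        return [str(v) for v in value]
    return [v.strip() for v in re.split(r"[;,]", str(value)) if v.strip()]


def map_extended_properties(extended_properties):
    """Dispatch each ExtendedProperties entry on its Name, as the tables describe."""
    udm = {}
    for prop in extended_properties or []:
        name, value = prop.get("Name"), prop.get("Value")
        if name == "CaseId":
            udm["target.resource.product_object_id"] = str(value)
        elif name == "SearchIds":
            udm.setdefault("additional.fields", []).append(
                {"key": "SearchIds", "value": {"string_value": str(value)}})
        elif name == "CaseMembersSmtp":
            udm.setdefault("about.user.email_addresses", []).extend(_each_value(value))
        elif name == "CaseMembersGuid":
            udm.setdefault("about.user.product_object_id", []).extend(_each_value(value))
    return udm


def normalize_scc_record(record):
    """Assemble the UDM fields the SecurityComplianceCenter tables on this page describe."""
    operation = record.get("Operation", "")
    udm = {
        "metadata.event_type": SCC_EVENT_TYPE.get(operation, "GENERIC_EVENT"),  # fallback is an assumption
        "target.resource.attribute.creation_time": record.get("StartTime"),
        "security_result.summary": record.get("ObjectType"),
        "security_result.description": record.get("Query"),
        "metadata.description": record.get("Case"),
    }
    udm.update(map_extended_properties(record.get("ExtendedProperties")))
    command_line = build_command_line(record.get("Parameters"))
    if command_line:
        udm["principal.process.command_line"] = command_line
    if operation in TARGET_USER_OPERATIONS:
        target_user = extract_target_user(command_line)
        if target_user and "@" in target_user:      # email vs. userid choice is an assumption
            udm["target.user.email_addresses"] = [target_user]
        elif target_user:
            udm["target.user.userid"] = target_user
    return {k: v for k, v in udm.items() if v is not None}


# Constructed sample record; the identifiers are placeholders, not real tenant data.
SAMPLE_RECORD = {
    "Operation": "CaseMemberRemoved", "Workload": "SecurityComplianceCenter",
    "StartTime": "2024-01-15T10:22:31", "ObjectType": "Case", "Case": "Insider Investigation",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Remove-ComplianceCaseMember"},
        {"Name": "CmdletOptions", "Value": '-Case "Insider Investigation" -Member alice@example.com'},
    ],
    "ExtendedProperties": [
        {"Name": "CaseId", "Value": "00000000-0000-0000-0000-000000000042"},
        {"Name": "CaseMembersSmtp", "Value": "bob@example.com;carol@example.com"},
        {"Name": "CaseMembersGuid", "Value": "guid-bob;guid-carol"},
    ],
}

if __name__ == "__main__":
    for key, value in normalize_scc_record(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The record is deliberately a CaseMemberRemoved event so that all three code paths fire: the member being removed lands in target.user, the remaining case members land in about.user, and the cmdlet plus its options become the command line that the target_user regex is run over.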

CaseAdded

The following table lists the log fields and corresponding UDM mappings for the operation "CaseAdded" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.user.email_addresses

about.user.product_object_id

If Name is CaseId then ID is mapped to target.resource.product_object_id

If Name is CaseMembersSmtp then each Value is mapped to about.user.email_addresses

If Name is CaseMembersGuid then each Value is mapped to about.user.product_object_id

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

SearchPermissionCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SearchPermissionCreated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties principal.labels.key/value (deprecated)
ExtendedProperties additional.fields.key and additional.fields.value.string_value
ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

then map principal.process.command_line is {process_value} {process_args}

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details
Version metadata.product_version

NetworkConfigurationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkConfigurationUpdated" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid

ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

ProcessProfileFields

The following table lists the log fields and corresponding UDM mappings for the operation "ProcessProfileFields" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

SupervisorAdminToggled

The following table lists the log fields and corresponding UDM mappings for the operation "SupervisorAdminToggled" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

NetworkSecurityConfigurationUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkSecurityConfigurationUpdated" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

FileCreated

The following table lists the log fields and corresponding UDM mappings for the operation "FileCreated" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to FILE_CREATION

If ResultStatus is TRUE then

security_result.action is ALLOW

else

security_result.action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

GroupCreation

The following table lists the log fields and corresponding UDM mappings for the operation "GroupCreation" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MessageDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "MessageDeleted" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

GroupDeletion

The following table lists the log fields and corresponding UDM mappings for the operation "GroupDeletion" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

DataExport

The following table lists the log fields and corresponding UDM mappings for the operation "DataExport" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

FileVisited

The following table lists the log fields and corresponding UDM mappings for the operation "FileVisited" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to FILE_READ

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

StreamInvokeVideoView

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoView" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoShare

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoShare" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoLike

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoLike" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoUnLike

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoUnLike" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoUpload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoUpload" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoDownload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoDownload" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is SUCCEEDED then

action is set to ALLOW

else

action is set to BLOCK

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoSetLink

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoSetLink" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateGroup

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateGroup" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditGroup

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditGroup" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteGroup

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteGroup" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to GROUP_DELETION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditGroupMemberships

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditGroupMemberships" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateChannel

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateChannel" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditChannel

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditChannel" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle network.http.referral_url
ResourceUrl target.url
Version metadata.product_version

StreamDeleteChannel

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteChannel" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle network.http.referral_url
ResourceUrl target.url
Version metadata.product_version

StreamInvokeChannelSetThumbnail

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeChannelSetThumbnail" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle network.http.referral_url
ResourceUrl target.url
Version metadata.product_version

StreamEditVideoPermissions

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditVideoPermissions" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is Succeeded then

action is ALLOW

else

action is BLOCK

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditVideo

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditVideo" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteVideo

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteVideo" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditUserSettings

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditUserSettings" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamEditAdminTenantSettings

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditAdminTenantSettings" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateVideoComment

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateVideoComment" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteVideoComment

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteVideoComment" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoTextTrackUpload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoTextTrackUpload" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamDeleteVideoTextTrack

The following table lists the log fields and corresponding UDM mappings for the operation "StreamDeleteVideoTextTrack" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoThumbnailUpload

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoThumbnailUpload" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

if ResultStatus is Succeeded then

action is ALLOW

else

action is BLOCK

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamCreateVideo

The following table lists the log fields and corresponding UDM mappings for the operation "StreamCreateVideo" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

DlpRuleMatch

The following table lists the log fields and corresponding UDM mappings for the operation "DlpRuleMatch" and workload "Exchange", "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

security_result.category is set to DATA_EXFILTRATION

ObjectId is set to network.email.mail_id

SharePointMetaData network.http.referral_url

network.email.from

target.file.full_path

target.url

target.file.size

SiteCollectionUrl is mapped to network.http.referral_url

From is mapped to network.email.from (only if the record carries no ExchangeMetaData field)

FileName is mapped to target.file.full_path

FilePathUrl is mapped to target.url

FileSize is mapped to target.file.size

ExchangeMetaData network.email.from

network.email.to

network.email.bcc

network.email.cc

network.email.subject

additional.fields.key and additional.fields.value.string_value

The From log field value is mapped to the network.email.from UDM field.

The To log field value is mapped to the network.email.to UDM field.

The BCC log field value is mapped to the network.email.bcc UDM field.

The CC log field value is mapped to the network.email.cc UDM field.

The RecipientCount log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

The Sent log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ExceptionInfo about.labels.key/value (deprecated)
ExceptionInfo additional.fields.key and additional.fields.value.string_value
PolicyDetails target.resource.product_object_id

security_result.summary

security_result.description

security_result.rule_id

security_result.rule_name

security_result.severity

security_result.confidence_details

security_result.detection_fields.key/value

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

SensitiveInformationTypeName is mapped to security_result.description

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

Severity is mapped to security_result.severity

SensitiveInformationDetailedClassificationAttributes.Confidence is mapped to security_result.confidence_details

SensitiveInformationDetailedClassificationAttributes.Count is mapped to security_result.detection_fields.key/value

IncidentId about.labels.key/value (deprecated)
IncidentId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.Confidence security_result.confidence_details
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.ClassifierType security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.UniqueCount security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value security_result.detection_fields.key/value

DlpRuleUndo

The following table lists the log fields and corresponding UDM mappings for the operation "DlpRuleUndo" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

security_result.category is set to DATA_EXFILTRATION

ObjectId is set to network.email.mail_id

SharePointMetaData network.http.referral_url

network.email.from

target.file.full_path

target.url

target.file.size

SiteCollectionUrl is mapped to network.http.referral_url

From is mapped to network.email.from (only if the record carries no ExchangeMetaData field)

FileName is mapped to target.file.full_path

FilePathUrl is mapped to target.url

FileSize is mapped to target.file.size

ExceptionInfo about.labels.key/value (deprecated)
ExceptionInfo additional.fields.key and additional.fields.value.string_value
PolicyDetails target.resource.product_object_id

security_result.summary

security_result.description

security_result.rule_id

security_result.rule_name

security_result.severity

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

SensitiveInformationTypeName is mapped to security_result.description

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

Severity is mapped to security_result.severity

IncidentId about.labels.key/value (deprecated)
IncidentId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.Confidence security_result.confidence_details
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.ClassifierType security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.UniqueCount security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value security_result.detection_fields.key/value

DlpInfo

The following table lists the log fields and corresponding UDM mappings for the operation "DlpInfo" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

security_result.category is set to DATA_EXFILTRATION

ObjectId is set to network.email.mail_id

SharePointMetaData network.http.referral_url

network.email.from

target.file.full_path

target.url

target.file.size

SiteCollectionUrl is mapped to network.http.referral_url

From is mapped to network.email.from (only if the record carries no ExchangeMetaData field)

FileName is mapped to target.file.full_path

FilePathUrl is mapped to target.url

FileSize is mapped to target.file.size

ExceptionInfo about.labels.key/value (deprecated)
ExceptionInfo additional.fields.key and additional.fields.value.string_value
PolicyDetails target.resource.product_object_id

security_result.summary

security_result.description

security_result.rule_id

security_result.rule_name

security_result.severity

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

SensitiveInformationTypeName is mapped to security_result.description

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

Severity is mapped to security_result.severity

IncidentId about.labels.key/value (deprecated)
IncidentId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
EndpointMetaData.SensitiveInfoTypeData.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.Confidence security_result.confidence_details
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Name security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.ClassifierType security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveTypeSource security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.UniqueCount security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
EndpointMetaData.SensitiveInfoTypeData.SensitiveInformationDetectionsInfo.DetectedValues.Value security_result.detection_fields.key/value
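The DlpRuleMatch, DlpRuleUndo and DlpInfo tables above share one shape: a message or file identifier in ObjectId, a workload-specific metadata block (ExchangeMetaData or SharePointMetaData) and a nested PolicyDetails array from which the security_result fields are derived, with SharePointMetaData.From used for network.email.from only when no ExchangeMetaData block is present. The following Python is an added example, not the Google Security Operations parser and not Microsoft code; it applies those rules to two constructed records so you can check what a given DLP event should look like after normalization. The nesting PolicyDetails[].Rules[].ConditionsMatched.SensitiveInformation[] follows the Office 365 Management Activity DLP schema as it is documented by Microsoft; the tenant name, addresses, GUIDs and values in the records are placeholders, and the flat "dotted path" dictionary is this example's own representation of UDM, not the product's wire format.

```python
import json
from typing import Any, Dict, List

# Policy block shared by both constructed records (GUIDs are placeholders).
_POLICY_DETAILS = [{
    "PolicyId": "00000000-0000-0000-0000-00000000aaaa",
    "PolicyName": "U.S. PII policy",
    "Rules": [{
        "RuleId": "00000000-0000-0000-0000-00000000bbbb",
        "RuleName": "Block SSN to external recipients",
        "Severity": "High",
        "ConditionsMatched": {"SensitiveInformation": [{
            "SensitiveInformationTypeName": "U.S. Social Security Number (SSN)",
            "Count": 3,
            "Confidence": 85,
            "SensitiveInformationDetailedClassificationAttributes": [
                {"Confidence": 85, "Count": 3, "IsMatch": True}],
        }]},
    }],
}]

# Constructed Exchange DlpRuleMatch record (not a captured event).
SAMPLE_EXCHANGE_DLP = json.dumps({
    "Operation": "DlpRuleMatch", "Workload": "Exchange", "Version": 1,
    "ObjectId": "<msg-0001@example.com>",
    "IncidentId": "11111111-2222-3333-4444-555555555555",
    "ExchangeMetaData": {
        "From": "alice@example.com", "To": ["bob@example.net"], "CC": [],
        "BCC": ["mallory@example.org"], "Subject": "Q3 payroll",
        "Sent": "2024-05-01T10:15:00", "RecipientCount": 2},
    "PolicyDetails": _POLICY_DETAILS,
})

# Constructed SharePoint DlpRuleMatch record: no ExchangeMetaData block, so
# SharePointMetaData.From is the only source for network.email.from.
SAMPLE_SHAREPOINT_DLP = json.dumps({
    "Operation": "DlpRuleMatch", "Workload": "SharePoint", "Version": 1,
    "ObjectId": "https://contoso.sharepoint.com/sites/hr/Shared Documents/payroll.xlsx",
    "IncidentId": "66666666-7777-8888-9999-000000000000",
    "SharePointMetaData": {
        "From": "carol@example.com",
        "SiteCollectionUrl": "https://contoso.sharepoint.com/sites/hr",
        "FileName": "payroll.xlsx",
        "FilePathUrl": "https://contoso.sharepoint.com/sites/hr/Shared Documents/payroll.xlsx",
        "FileSize": 20480},
    "PolicyDetails": _POLICY_DETAILS,
})


def _label(udm: Dict[str, Any], key: str, value: Any) -> None:
    """Store a key/value pair under additional.fields, the non-deprecated
    destination the tables give for IncidentId, RecipientCount and Sent."""
    udm.setdefault("additional.fields", []).append(
        {"key": key, "value": {"string_value": str(value)}})


def normalize_dlp_event(raw: str) -> Dict[str, Any]:
    """Map one DlpRuleMatch/DlpRuleUndo/DlpInfo JSON record to a flat dict of
    UDM field paths. security_result is a list with one entry per matched rule,
    because a single record may carry several policies and rules."""
    rec = json.loads(raw)
    udm: Dict[str, Any] = {
        "metadata.event_type": "EMAIL_TRANSACTION",
        "metadata.product_version": str(rec.get("Version", "")),
        "network.email.mail_id": rec.get("ObjectId"),
    }
    exch = rec.get("ExchangeMetaData")
    sp = rec.get("SharePointMetaData")
    if exch:
        udm["network.email.from"] = exch.get("From")
        for src, dst in (("To", "to"), ("CC", "cc"), ("BCC", "bcc")):
            udm[f"network.email.{dst}"] = list(exch.get(src, []))
        udm["network.email.subject"] = exch.get("Subject")
        for key in ("RecipientCount", "Sent"):
            if key in exch:
                _label(udm, key, exch[key])
    if sp:
        udm["network.http.referral_url"] = sp.get("SiteCollectionUrl")
        udm["target.file.full_path"] = sp.get("FileName")
        udm["target.url"] = sp.get("FilePathUrl")
        udm["target.file.size"] = sp.get("FileSize")
        # Precedence from the table: SharePointMetaData.From fills
        # network.email.from only when there is no ExchangeMetaData block.
        if not exch:
            udm["network.email.from"] = sp.get("From")
    if "IncidentId" in rec:
        _label(udm, "IncidentId", rec["IncidentId"])

    results: List[Dict[str, Any]] = []
    for policy in rec.get("PolicyDetails", []):
        udm["target.resource.product_object_id"] = policy.get("PolicyId")
        for rule in policy.get("Rules", []):
            sr: Dict[str, Any] = {
                "category": "DATA_EXFILTRATION",
                "summary": policy.get("PolicyName"),
                "rule_id": rule.get("RuleId"),
                "rule_name": rule.get("RuleName"),
                "severity": rule.get("Severity"),  # raw value, no enum mapping
                "detection_fields": [],
            }
            for sit in rule.get("ConditionsMatched", {}).get("SensitiveInformation", []):
                sr["description"] = sit.get("SensitiveInformationTypeName")
                for attr in sit.get("SensitiveInformationDetailedClassificationAttributes", []):
                    sr["confidence_details"] = str(attr.get("Confidence"))
                    sr["detection_fields"].append({"key": "Count", "value": str(attr.get("Count"))})
            results.append(sr)
    udm["security_result"] = results
    return udm


if __name__ == "__main__":
    for sample in (SAMPLE_EXCHANGE_DLP, SAMPLE_SHAREPOINT_DLP):
        print(json.dumps(normalize_dlp_event(sample), indent=2))
```

Two points worth checking against your own ingested events: the Exchange record never populates target.file.* or network.http.referral_url, and the SharePoint record never populates network.email.to/cc/bcc, so a detection rule written for one workload can silently match nothing on the other. Keeping one security_result per rule also preserves the case where several DLP rules fire on one message, which the scalar rule_id/rule_name fields in a single result would otherwise collapse into the last rule seen.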

MipLabel

The following table lists the log fields and corresponding UDM mappings for the operation "MipLabel" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_UNCATEGORIZED

ObjectId is set to network.email.mail_id

ApplicationMode about.labels.key/value (deprecated)
ApplicationMode additional.fields.key and additional.fields.value.string_value
ItemName network.email.subject
LabelAppliedDateTime principal.labels.key/value (deprecated)
LabelAppliedDateTime additional.fields.key and additional.fields.value.string_value
LabelId target.resource.product_object_id
LabelName target.resource.name
Receivers network.email.to
Sender network.email.from
Version metadata.product_version

SiteCollectionCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
CorrelationId security_result.detection_fields.key/value
EventData target.resource.name
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
Version metadata.product_version

SiteDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "SiteDeleted" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationFileExtension target.file.mime_type
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
MachineId target.asset.product_object_id

PreviewModeEnabledSet

The following table lists the log fields and corresponding UDM mappings for the operation "PreviewModeEnabledSet" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is mapped to SETTING

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

OfficeOnDemandSet

The following table lists the log fields and corresponding UDM mappings for the operation "OfficeOnDemandSet" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteJoined

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteJoined" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value
PreviousHubSiteId is mapped to target.resource.attribute.labels.key/value
HubSiteId is mapped to target.resource.attribute.labels.key/value
IsHubSiteId is mapped to target.resource.attribute.labels.key/value

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteRegistered

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteRegistered" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value
HubSiteId is mapped to target.resource.attribute.labels.key/value
IsHubSiteId is mapped to target.resource.attribute.labels.key/value

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteUnjoined

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteUnjoined" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value
IsHubSiteId is mapped to target.resource.attribute.labels.key/value

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

HubSiteUnregistered

The following table lists the log fields and corresponding UDM mappings for the operation "HubSiteUnregistered" and workload "HubSiteUnregistered":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
EventData target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

SharingPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "SharingPolicyChanged" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
CorrelationId security_result.detection_fields.key/value
Version metadata.product_version
AssertingApplicationId about.labels.key/value (deprecated)
AssertingApplicationId additional.fields.key and additional.fields.value.string_value
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

NetworkAccessPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "NetworkAccessPolicyChanged" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ModifiedProperties target.ip
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.string_value (deprecated)

If the Name log field value is equal to IPAddressAllowList, then the NewValue log field value is mapped to the target.ip UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application
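The conditional ModifiedProperties rule above is the one place in the SharePoint tables where the parser routes a value to different UDM fields depending on another field in the same entry. The following Python is an added example, not the Google Security Operations parser's own code: it applies that rule to a constructed NetworkAccessPolicyChanged record and returns a UDM-shaped dictionary so the target.ip versus additional.fields split can be inspected. The comma-separated form of the allow list, the validation of each token with the ipaddress module, the routing of unparsable tokens to additional.fields, and the exact layout of struct_value.fields are assumptions of the example; the page only states which UDM field each value lands in.

```python
from __future__ import annotations

import ipaddress

# Constructed sample record (not captured from a tenant): a SharePoint
# NetworkAccessPolicyChanged audit entry with two ModifiedProperties entries.
# Field names follow the mapping table; the values are invented.
SAMPLE_RECORD = {
    "Operation": "NetworkAccessPolicyChanged",
    "Workload": "SharePoint",
    "Version": "1",
    "EventSource": "SharePoint",
    "CorrelationId": "00000000-0000-0000-0000-000000000000",
    "ModifiedProperties": [
        {"Name": "IPAddressAllowList", "OldValue": "",
         "NewValue": "198.51.100.0/24,203.0.113.7"},
        {"Name": "IPAddressEnforcement", "OldValue": "False", "NewValue": "True"},
    ],
}


def _split_ip_list(value: str) -> tuple[list[str], list[str]]:
    """Split a comma-separated allow list into (valid, invalid) tokens.

    Assumption of this example: the list is comma separated and each token is
    an address or CIDR range. The page only says NewValue maps to target.ip.
    """
    good, bad = [], []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        try:
            ipaddress.ip_network(token, strict=False)
            good.append(token)
        except ValueError:
            bad.append(token)
    return good, bad


def normalize_network_access_policy(record: dict) -> dict:
    """Map a NetworkAccessPolicyChanged record to a UDM-shaped dict.

    Only the rows needed to show the ModifiedProperties rule are mapped;
    the remaining rows of the table are left out for brevity.
    """
    udm = {
        "metadata": {"event_type": "USER_RESOURCE_UPDATE_PERMISSIONS",
                     "product_version": record.get("Version")},
        "principal": {"application": record.get("EventSource")},
        "target": {"ip": [], "labels": []},
        "additional": {"fields": []},
        "security_result": {"detection_fields": []},
    }
    if record.get("CorrelationId"):
        udm["security_result"]["detection_fields"].append(
            {"key": "CorrelationId", "value": record["CorrelationId"]})

    for entry in record.get("ModifiedProperties", []):
        name, new_value = entry.get("Name"), entry.get("NewValue")
        if name is None or new_value is None:
            continue  # nothing to map without both halves of the pair
        if name == "IPAddressAllowList":
            # Documented rule: the allow list becomes target.ip (repeated field).
            valid, invalid = _split_ip_list(new_value)
            udm["target"]["ip"].extend(valid)
            # Assumption: tokens that are not addresses are kept as plain
            # strings rather than dropped, so nothing is silently lost.
            for token in invalid:
                udm["additional"]["fields"].append(
                    {"key": name, "value": {"string_value": token}})
        else:
            # Documented rule: every other property goes to the deprecated
            # target.labels and to additional.fields as a struct value.
            udm["target"]["labels"].append({"key": name, "value": new_value})
            udm["additional"]["fields"].append({
                "key": name,
                "value": {"struct_value": {"fields": {
                    "NewValue": new_value,
                    "OldValue": entry.get("OldValue", ""),
                }}},
            })
    return udm


if __name__ == "__main__":
    import json
    print(json.dumps(normalize_network_access_policy(SAMPLE_RECORD), indent=2))
```

Run the module directly to see the shaped output; detection content that keys on changes to the SharePoint IP allow list can then match on target.ip rather than parsing the raw ModifiedProperties string again.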

AlertEntityGenerated

The following table lists the log fields and corresponding UDM mappings for the operation "AlertEntityGenerated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

security_result.category is set to DATA_EXFILTRATION

AlertId target.resource.product_object_id
AlertType target.resource.attribute.labels.key/value
Name security_result.summary
PolicyId target.labels.key/value (deprecated)
PolicyId additional.fields.key and additional.fields.value.string_value
Status target.resource.attribute.labels.key/value
Severity security_result.severity
Category security_result.category_details
Source security_result.description
Comments about.labels.key/value (deprecated)
Comments additional.fields.key and additional.fields.value.string_value
Data about.labels.key/value (deprecated)
Data additional.fields.key and additional.fields.value.string_value
AlertEntityId target.user.userid or target.user.email_addresses
EntityType target.resource.attribute.labels.key/value
Version metadata.product_version

AlertTriggered

The following table lists the log fields and corresponding UDM mappings for the operation "AlertTriggered" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

security_result.category is set to DATA_EXFILTRATION

AlertId target.resource.product_object_id
AlertType target.resource.attribute.labels.key/value
Name security_result.summary
PolicyId target.labels.key/value (deprecated)
PolicyId additional.fields.key and additional.fields.value.string_value
Status target.resource.attribute.labels.key/value
Severity security_result.severity
Category security_result.category_details
Source security_result.description
Comments about.labels.key/value (deprecated)
Comments additional.fields.key and additional.fields.value.string_value
Data about.labels.key/value (deprecated)
Data additional.fields.key and additional.fields.value.string_value
AlertEntityId target.user.userid or target.user.email_addresses
EntityType target.resource.attribute.labels.key/value
Version metadata.product_version

AlertUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "AlertUpdated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT

security_result.category is set to DATA_EXFILTRATION

AlertId target.resource.product_object_id
AlertType target.resource.attribute.labels.key/value
Name security_result.summary
PolicyId target.labels.key/value (deprecated)
PolicyId additional.fields.key and additional.fields.value.string_value
Status target.resource.attribute.labels.key/value
Severity security_result.severity
Category security_result.category_details
Source security_result.description
Comments about.labels.key/value (deprecated)
Comments additional.fields.key and additional.fields.value.string_value
Data about.labels.key/value (deprecated)
Data additional.fields.key and additional.fields.value.string_value
AlertEntityId target.user.userid or target.user.email_addresses
EntityType target.resource.attribute.labels.key/value
Version metadata.product_version

Get-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_UNCATEGORIZED

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Set-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

New-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Set-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Get-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

New-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Parameters target.resource.name

SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Set-ComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceCase" and workload "Set-ComplianceCase":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Add-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
Parameters target.user.email_addresses
Parameters target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Remove-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
Parameters target.user.email_addresses
Parameters target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Update-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

New-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Remove-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Set-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Start-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Start-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Stop-ComplianceSearch

The following table lists the log fields and corresponding UDM mappings for the operation "Stop-ComplianceSearch" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

New-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Remove-ComplianceSearchAction

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSearchAction" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

New-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Remove-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Set-ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Add-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Add-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_CREATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.user.email_addresses

target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Remove-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_DELETION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.user.email_addresses

target.user.userid

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

New-CaseHoldPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-CaseHoldPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-AadProtectionLevel

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AadProtectionLevel" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-AutoSensitivityLabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AutoSensitivityLabelPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-DlpSensitiveInformationType

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationType" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-Label

The following table lists the log fields and corresponding UDM mappings for the operation "Get-Label" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-LabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-LabelPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-PolicyConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Get-PolicyConfig" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

ValidaterbacAccessCheck

The following table lists the log fields and corresponding UDM mappings for the operation "ValidaterbacAccessCheck" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType security_result.description
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

ApplicableAdaptiveScopeChange

The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptiveScopeChange" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.resource.product_object_id

If Name is AssociatedAdaptiveScopeIds then Value is mapped to target.resource.product_object_id

CorrelationId security_result.detection_fields
ObjectType security_result.summary

NewComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "NewComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is LabelName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

NewRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

NewRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "NewRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_CREATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

RemoveComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is LabelName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

RemoveRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

SetComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "SetComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is LabelName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

SetRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Required fields for SETTING_MODIFICATION UDM validation: principal.machineid (an IP address, hostname, asset ID, MAC address, or similar).

The ClientIP field is mandatory for all Office 365 activities according to the official Office 365 documentation, but in some records it is absent.

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}

SetRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "SetRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is Cmdlet then Value is stored in the process_value variable.

If Name is CmdletOptions then Value is stored in the process_args variable.

principal.process.command_line is then set to {process_value} {process_args}
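
The retention and label tables above (NewComplianceTag through SetRetentionCompliancePolicy) all derive the same fields from ExtendedProperties and Parameters and share the ClientIP fallback. The following Python is an added example, not Google SecOps parser code, that applies those rules to a constructed SecurityComplianceCenter record so you can check what a detection rule written against principal.process.command_line or metadata.event_type will actually see. It assumes that ClientIP lands in principal.ip (the tables only say a principal machine id is required), that target.resource.resource_type is not set when the event falls back to GENERIC_EVENT, and that Version wins over CmdletVersion for metadata.product_version; the sample record, tenant name and cmdlet options are constructed.

```python
"""Added example, not Google SecOps parser code: derive the UDM fields that the
SecurityComplianceCenter retention and label tables describe from a raw
Office 365 Management Activity record. The sample record is constructed."""
from __future__ import annotations

from typing import Any

# Operation -> (event_type from the mapping table, ExtendedProperties Name that
# carries target.resource.name). Tag operations key on LabelName, policy and
# rule operations on PolicyName.
OPERATION_MAP: dict[str, tuple[str, str]] = {
    "NewComplianceTag": ("USER_RESOURCE_CREATION", "LabelName"),
    "SetComplianceTag": ("USER_RESOURCE_UPDATE_CONTENT", "LabelName"),
    "RemoveComplianceTag": ("SETTING_DELETION", "LabelName"),
    "NewRetentionComplianceRule": ("SETTING_CREATION", "PolicyName"),
    "NewRetentionCompliancePolicy": ("SETTING_CREATION", "PolicyName"),
    "SetRetentionComplianceRule": ("SETTING_MODIFICATION", "PolicyName"),
    "SetRetentionCompliancePolicy": ("SETTING_MODIFICATION", "PolicyName"),
    "RemoveRetentionCompliancePolicy": ("SETTING_DELETION", "PolicyName"),
}
# Event types whose tables set resource_type to SETTING and fall back to
# GENERIC_EVENT when ClientIP is absent (a SETTING_* event needs a machine id).
SETTING_EVENT_TYPES = {"SETTING_CREATION", "SETTING_MODIFICATION", "SETTING_DELETION"}


def name_value(items: list[dict[str, str]] | None) -> dict[str, str]:
    """Flatten an Office 365 [{"Name": ..., "Value": ...}] array into a dict."""
    return {item["Name"]: item["Value"] for item in items or []}


def to_udm(record: dict[str, Any]) -> dict[str, Any]:
    """Return the UDM fields (dotted keys) the mapping tables derive from record."""
    op = record.get("Operation")
    if op not in OPERATION_MAP:
        raise ValueError(f"operation not covered by this example: {op!r}")
    event_type, name_field = OPERATION_MAP[op]
    udm: dict[str, Any] = {}

    if event_type in SETTING_EVENT_TYPES:
        if record.get("ClientIP"):
            udm["target.resource.resource_type"] = "SETTING"
            # Assumption: ClientIP fills principal.ip; the tables only state
            # that some principal machine id is required for validation.
            udm["principal.ip"] = record["ClientIP"]
        else:
            # Documented fallback: without ClientIP the event cannot validate
            # as SETTING_*, so the parser emits GENERIC_EVENT instead.
            event_type = "GENERIC_EVENT"
    udm["metadata.event_type"] = event_type

    # Scalar fields common to every table in this group (Version is listed
    # after CmdletVersion in the tables; this example lets it win).
    udm["metadata.product_version"] = record.get("Version") or record.get("CmdletVersion")
    for src, dst in (("StartTime", "target.resource.attribute.creation_time"),
                     ("EffectiveOrganization", "target.administrative_domain"),
                     ("ClientApplication", "principal.application"),
                     ("ObjectType", "security_result.summary")):
        if record.get(src) is not None:
            udm[dst] = record[src]
    udm["additional.fields"] = {k: record[k] for k in ("ClientRequestId", "UserServicePlan") if k in record}

    # ExtendedProperties: CreatedBy, LabelName/PolicyName and Description get
    # dedicated fields; RetentionAction and WorkLoad (plus LabelName for policy
    # and rule operations) become target.resource.attribute.labels.
    ext = name_value(record.get("ExtendedProperties"))
    if "CreatedBy" in ext:
        udm["target.user.user_display_name"] = ext["CreatedBy"]
    if name_field in ext:
        udm["target.resource.name"] = ext[name_field]
    if "Description" in ext:
        udm["security_result.description"] = ext["Description"]
    label_keys = ["RetentionAction", "WorkLoad"] + (["LabelName"] if name_field == "PolicyName" else [])
    udm["target.resource.attribute.labels"] = {k: ext[k] for k in label_keys if k in ext}

    # Parameters: Cmdlet is the command and CmdletOptions its arguments, joined
    # into principal.process.command_line so rules can match the cmdlet line.
    params = name_value(record.get("Parameters"))
    parts = [params[k] for k in ("Cmdlet", "CmdletOptions") if params.get(k)]
    if parts:
        udm["principal.process.command_line"] = " ".join(parts)
    return udm


# Constructed sample record (not from a real tenant).
SAMPLE_SET_RULE: dict[str, Any] = {
    "Operation": "SetRetentionComplianceRule",
    "Workload": "SecurityComplianceCenter",
    "ClientIP": "203.0.113.10",
    "StartTime": "2024-05-01T10:15:00",
    "Version": "1",
    "CmdletVersion": "17.0.0.0",
    "ClientRequestId": "c0ffee00-0000-4000-8000-000000000001",
    "EffectiveOrganization": "contoso.onmicrosoft.com",
    "ClientApplication": "EMC",
    "ObjectType": "RetentionComplianceRule",
    "ExtendedProperties": [
        {"Name": "CreatedBy", "Value": "admin@contoso.onmicrosoft.com"},
        {"Name": "PolicyName", "Value": "Legal Hold 7y"},
        {"Name": "Description", "Value": "Retain finance mailboxes"},
        {"Name": "RetentionAction", "Value": "Keep"},
        {"Name": "WorkLoad", "Value": "Exchange"},
    ],
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Set-RetentionComplianceRule"},
        {"Name": "CmdletOptions", "Value": "-Identity 'Legal Hold 7y' -RetentionDuration 2555"},
    ],
}


def without_client_ip(record: dict[str, Any]) -> dict[str, Any]:
    """Copy of record with ClientIP dropped, to exercise the GENERIC_EVENT fallback."""
    return {k: v for k, v in record.items() if k != "ClientIP"}


if __name__ == "__main__":
    for key, value in to_udm(SAMPLE_SET_RULE).items():
        print(f"{key} = {value!r}")
    print("fallback:", to_udm(without_client_ip(SAMPLE_SET_RULE))["metadata.event_type"])
```

The fallback matters for detection engineering: a rule that keys on metadata.event_type = "SETTING_MODIFICATION" silently misses the same cmdlet when the record arrives without ClientIP, so rules for retention and hold changes should also match on principal.process.command_line or target.resource.name.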

Get-CsTeamsUpgradeOverridePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CsTeamsUpgradeOverridePolicy" and workload "SkypeForBusiness":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters security_result.description

If Name is Tenant then Value is mapped to tenant_value

If Name is Identity then Value is mapped to identity_value

security_result.description is Tenant = {tenant_value} / Identity = {identity_value}

SkypeForBusinessEventType about.labels.key/value (deprecated)
SkypeForBusinessEventType additional.fields.key and additional.fields.value.string_value
TenantName target.resource.product_object_id
Version metadata.product_version

TeamsAdminAction

The following table lists the log fields and corresponding UDM mappings for the operation "TeamsAdminAction" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS

If ResultStatus is Succeeded then

Action is set to ALLOW

If ResultStatus is Failed then

Action is set to BLOCK

AdminActionDetail security_result.summary
ClientApplication network.http.user_agent
ExtraProperties additional.fields.key and additional.fields.value.string_value
UserClaims security_result.description
Version metadata.product_version

Update-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-DistributionGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then

Action is set to ALLOW

else

Action is set to BLOCK

ClientVersion metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.description

target.group.product_object_id or target.group.email_addresses

target.group.attribute.labels.key/value

If Name is Members then Value is mapped to security_result.description

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

Otherwise Name and Value are mapped to target.group.attribute.labels.key/value

SessionId network.session_id
Version metadata.product_version

SupervisoryReviewOLAudit

The following table lists the log fields and corresponding UDM mappings for the operation "SupervisoryReviewOLAudit" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

auditScore is extracted from ResultStatus using the pattern .*?Score:{auditScore} and mapped to security_result.confidence_details

security_result.confidence is set based on the value of auditScore

LogonType extensions.auth.mechanism
InternalLogonType about.labels.key/value (deprecated)
InternalLogonType additional.fields.key and additional.fields.value.string_value
MailboxGuid target.labels.key/value (deprecated)
MailboxGuid additional.fields.key and additional.fields.value.string_value
MailboxOwnerUPN target.user.email_addresses or target.user.userid
MailboxOwnerSid target.user.windows_sid
MailboxOwnerMasterAccountSid target.labels.key/value (deprecated)
MailboxOwnerMasterAccountSid additional.fields.key and additional.fields.value.string_value
LogonUserSid principal.user.windows_sid
LogonUserDisplayName principal.user.user_display_name
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientInfoString network.http.user_agent
ClientIPAddress principal.ip and principal.port
ClientMachineName principal.hostname
ClientProcessName principal.process.file.full_path
ClientVersion metadata.product_version
ExchangeDetails network.direction, network.email.from, network.email.mail_id, network.email.to, network.email.subject

If Directionality is Incoming then network.direction is mapped to INBOUND

If Directionality is Outgoing then network.direction is mapped to OUTBOUND

From is mapped to network.email.from

InternetMessageId is mapped to network.email.mail_id

Recipients is mapped to network.email.to

Subject is mapped to network.email.subject

Version metadata.product_version

CrmDefaultActivity

The following table lists the log fields and corresponding UDM mappings for the operation "CrmDefaultActivity" and workload "CRM":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
CrmOrganizationUniqueName principal.resource.name
InstanceUrl target.url
ItemUrl principal.labels.key/value (deprecated)
ItemUrl additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
Fields about.labels.key/value (deprecated)
Fields additional.fields.key and additional.fields.value.string_value
EntityId principal.labels.key/value (deprecated)
EntityId additional.fields.key and additional.fields.value.string_value
EntityName principal.labels.key/value (deprecated)
EntityName additional.fields.key and additional.fields.value.string_value
Message security_result.summary
Query security_result.description
PrimaryFieldValue about.labels.key/value (deprecated)
PrimaryFieldValue additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
QueryResults about.labels.key/value (deprecated)
QueryResults additional.fields.key and additional.fields.value.string_value
ServiceContextId principal.labels.key/value (deprecated)
ServiceContextId additional.fields.key and additional.fields.value.string_value
ServiceContextIdType about.labels.key/value (deprecated)
ServiceContextIdType additional.fields.key and additional.fields.value.string_value
ServiceName principal.application
SystemUserId principal.labels.key/value (deprecated)
SystemUserId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

TIMailData

The following table lists the log fields and corresponding UDM mappings for the operation "TIMailData" and workload "ThreatIntelligence":

Log field UDM mapping
metadata.event_type is mapped to EMAIL_TRANSACTION

ObjectId is set to metadata.product_log_id

AttachmentData about.file.full_path, about.file.mime_type, about.file.sha256, security_result.category_details

AttachmentData.FileName is mapped to about.file.full_path

AttachmentData.FileType is mapped to about.file.mime_type

AttachmentData.SHA256 is mapped to about.file.sha256

If AttachmentData.FileVerdict is 0 then AttachmentData.MalwareFamily is mapped to security_result.category_details

DetectionType security_result.summary
DetectionMethod security_result.description
InternetMessageId about.labels.key/value (deprecated)
InternetMessageId additional.fields.key and additional.fields.value.string_value
NetworkMessageId about.labels.key/value (deprecated)
NetworkMessageId additional.fields.key and additional.fields.value.string_value
P1Sender principal.user.email_addresses
P2Sender network.email.from
Policy security_result.rule_name
PolicyAction security_result.action

If PolicyAction is Quarantine then security_result.action is set to QUARANTINE

If PolicyAction is MoveToJmf then security_result.action is set to ALLOW_WITH_MODIFICATION

Recipients network.email.to
SenderIp src.ip
Subject network.email.subject
Verdict security_result.category
MessageTime target.resource.attribute.labels.key/value
EventDeepLink metadata.url_back_to_product
DeliveryAction about.labels.key/value (deprecated)
DeliveryAction additional.fields.key and additional.fields.value.string_value
OriginalDeliveryLocation about.labels.key/value (deprecated)
OriginalDeliveryLocation additional.fields.key and additional.fields.value.string_value
LatestDeliveryLocation about.labels.key/value (deprecated)
LatestDeliveryLocation additional.fields.key and additional.fields.value.string_value
Directionality network.direction
ThreatsAndDetectionTech about.labels.key/value (deprecated)
ThreatsAndDetectionTech additional.fields.key and additional.fields.value.string_value
AdditionalActionsAndResults about.labels.key/value (deprecated)
AdditionalActionsAndResults additional.fields.key and additional.fields.value.string_value
Connectors about.labels.key/value (deprecated)
Connectors additional.fields.key and additional.fields.value.string_value
AuthDetails about.labels.key/value (deprecated)
AuthDetails additional.fields.key and additional.fields.value.string_value
PhishConfidenceLevel about.labels.key/value (deprecated)
PhishConfidenceLevel additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
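
The TIMailData rules above, worked through as an added Python example (this is not the Google Security Operations parser, which is a parser configuration rather than Python code): a constructed record is normalised into the UDM fields the table names, including the conditional rows for AttachmentData, PolicyAction and Directionality. Assumed, because the table does not state them: the nested-dict layout of the output, the Inbound/Outbound value translation for Directionality, and the key/value shape used for the MessageTime label.

```python
"""Added example, not the Google Security Operations parser: apply the TIMailData
mapping table to a constructed Office 365 record and emit the UDM fields as a dict."""
from typing import Any

# Log fields the table sends to additional.fields.key / additional.fields.value.string_value.
ADDITIONAL_FIELD_KEYS = (
    "InternetMessageId", "NetworkMessageId", "DeliveryAction", "OriginalDeliveryLocation",
    "LatestDeliveryLocation", "ThreatsAndDetectionTech", "AdditionalActionsAndResults",
    "Connectors", "AuthDetails", "PhishConfidenceLevel",
)
# One-to-one rows of the table; UDM paths in REPEATED_FIELDS are repeated and become lists.
DIRECT_MAPPINGS = {
    "ObjectId": "metadata.product_log_id",
    "DetectionType": "security_result.summary",
    "DetectionMethod": "security_result.description",
    "P1Sender": "principal.user.email_addresses",
    "P2Sender": "network.email.from",
    "Policy": "security_result.rule_name",
    "Recipients": "network.email.to",
    "SenderIp": "src.ip",
    "Subject": "network.email.subject",
    "Verdict": "security_result.category",
    "EventDeepLink": "metadata.url_back_to_product",
    "Version": "metadata.product_version",
}
REPEATED_FIELDS = {"principal.user.email_addresses", "network.email.to", "src.ip"}
# Only the two PolicyAction values the table names are translated; others leave action unset.
POLICY_ACTION_TO_UDM = {"Quarantine": "QUARANTINE", "MoveToJmf": "ALLOW_WITH_MODIFICATION"}
# Assumption: the table lists no values for TIMailData Directionality, so the
# Incoming/Outgoing rule of SupervisoryReviewOLAudit is reused and Inbound/Outbound added.
DIRECTION_TO_UDM = {"incoming": "INBOUND", "inbound": "INBOUND",
                    "outgoing": "OUTBOUND", "outbound": "OUTBOUND"}


def _set(udm: dict, path: str, value: Any) -> None:
    """Set a dotted UDM path such as 'network.email.from' inside a nested dict."""
    node = udm
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def normalize_timaildata(record: dict) -> dict:
    """Return the UDM view of one TIMailData record, following the table row by row."""
    udm: dict = {"metadata": {"event_type": "EMAIL_TRANSACTION"}}
    for log_field, udm_path in DIRECT_MAPPINGS.items():
        if log_field in record:
            value = record[log_field]
            if udm_path in REPEATED_FIELDS and not isinstance(value, list):
                value = [value]
            _set(udm, udm_path, value)
    # AttachmentData: one 'about' entry per attachment; MalwareFamily only when FileVerdict is 0.
    abouts, families = [], []
    for att in record.get("AttachmentData") or []:
        file_info = {dst: att[src] for src, dst in (("FileName", "full_path"),
                     ("FileType", "mime_type"), ("SHA256", "sha256")) if src in att}
        if file_info:
            abouts.append({"file": file_info})
        if att.get("FileVerdict") == 0 and att.get("MalwareFamily"):
            families.append(att["MalwareFamily"])
    if abouts:
        udm["about"] = abouts
    if families:
        _set(udm, "security_result.category_details", families)
    if record.get("PolicyAction") in POLICY_ACTION_TO_UDM:
        _set(udm, "security_result.action", POLICY_ACTION_TO_UDM[record["PolicyAction"]])
    direction = DIRECTION_TO_UDM.get(str(record.get("Directionality", "")).lower())
    if direction:
        _set(udm, "network.direction", direction)
    if "MessageTime" in record:  # label shape assumed for target.resource.attribute.labels
        _set(udm, "target.resource.attribute.labels",
             [{"key": "MessageTime", "value": str(record["MessageTime"])}])
    extra = [{"key": k, "value": {"string_value": str(record[k])}}
             for k in ADDITIONAL_FIELD_KEYS if k in record]
    if extra:
        _set(udm, "additional.fields", extra)
    return udm


def malware_not_quarantined(udm: dict) -> bool:
    """Triage check on the normalised event: Malware verdict but action is not QUARANTINE."""
    sr = udm.get("security_result", {})
    return str(sr.get("category", "")).lower() == "malware" and sr.get("action") != "QUARANTINE"


# Constructed sample record: placeholder values, not real identifiers, addresses or hashes.
SAMPLE_TIMAILDATA = {
    "Workload": "ThreatIntelligence", "Operation": "TIMailData", "Version": 1,
    "ObjectId": "example-object-id-0001",
    "AttachmentData": [{"FileName": "invoice.docm", "FileType": "docm", "SHA256": "0" * 64,
                        "FileVerdict": 0, "MalwareFamily": "ExampleFamily"}],
    "DetectionType": "Inline", "DetectionMethod": "File detonation",
    "P1Sender": "envelope-sender@example.test", "P2Sender": "header-sender@example.test",
    "Policy": "Default", "PolicyAction": "Quarantine",
    "Recipients": ["user1@example.test", "user2@example.test"],
    "SenderIp": "192.0.2.10", "Subject": "Invoice attached", "Verdict": "Malware",
    "Directionality": "Inbound", "PhishConfidenceLevel": "High",
    "MessageTime": "2024-01-01T00:00:00Z",
}
```

Calling normalize_timaildata(SAMPLE_TIMAILDATA) yields the event with security_result.action QUARANTINE; malware_not_quarantined on that event returns False, and True once PolicyAction is MoveToJmf, which is the case a reviewer would want surfaced.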

SearchMtpStatus

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpStatus" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value

RemovedFromSiteCollection

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedFromSiteCollection" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
TargetUserOrGroupType target.group.group_display_name, target.user.userid, target.user.email_addresses

WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ApplicationDisplayName target.application

CommentsDisabled

The following table lists the log fields and corresponding UDM mappings for the operation "CommentsDisabled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
CorrelationId security_result.detection_fields.key/value
SourceRelativeUrl If the ObjectId field is not present in the log, then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName If the ObjectId field is not present in the log, then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application

FileRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FileRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value (deprecated)
UserSharedWith additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value

CommentsEnabled

The following table lists the log fields and corresponding UDM mappings for the operation "CommentsEnabled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SourceFileExtension target.file.mime_type
SiteUrl network.http.referral_url
SourceFileName If the ObjectId field is not present in the log, then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl If the ObjectId field is not present in the log, then target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}

ApplicationDisplayName target.application

FolderRecycled

The following table lists the log fields and corresponding UDM mappings for the operation "FolderRecycled" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_DELETION

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value (deprecated)
UserSharedWith additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

FileTranscriptRequested

The following table lists the log fields and corresponding UDM mappings for the operation "FileTranscriptRequested" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value (deprecated)
UserSharedWith additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

WACTokenShared

The following table lists the log fields and corresponding UDM mappings for the operation "WACTokenShared" and workload "SharePoint" or "OneDrive":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
ListItemUniqueId principal.asset_id
ListId security_result.detection_fields.key/value
ApplicationDisplayName target.application
SiteUrl network.http.referral_url
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceFileExtension target.file.mime_type
UserSharedWith target.labels.key/value (deprecated)
UserSharedWith additional.fields.key and additional.fields.value.string_value
SharingType target.labels.key/value (deprecated)
SharingType additional.fields.key and additional.fields.value.string_value
SensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

Update label

The following table lists the log fields and corresponding UDM mappings for the operation "Update label." and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses, security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

Else, ID is mapped to security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

SiteLocksChanged

The following table lists the log fields and corresponding UDM mappings for the operation "SiteLocksChanged" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteIBModeSet

The following table lists the log fields and corresponding UDM mappings for the operation "SiteIBModeSet" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to SETTING_UNCATEGORIZED

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteDesignInvoked

The following table lists the log fields and corresponding UDM mappings for the operation "SiteDesignInvoked" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
EventData target.resource.attribute.labels.key/value

SiteDesignId is mapped to target.resource.attribute.labels.key/value

SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteContentTypeCreated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SiteCollectionQuotaModified

The following table lists the log fields and corresponding UDM mappings for the operation "SiteCollectionQuotaModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

ShortcutAdded

The following table lists the log fields and corresponding UDM mappings for the operation "ShortcutAdded" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

ObjectId is mapped to target.url

Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SourceFileExtension target.file.mime_type
SiteUrl network.http.referral_url
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id

SPOIBIsEnabled

The following table lists the log fields and corresponding UDM mappings for the operation "SPOIBIsEnabled" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value

WebAccessRequestApproverModified

The following table lists the log fields and corresponding UDM mappings for the operation "WebAccessRequestApproverModified" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to RequestAccessEmail, then the NewValue log field value is mapped to the target.user.email_addresses or target.user.userid UDM fields.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Set-TransportConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-TransportConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
Parameters principal.user.email_addresses or principal.user.userid

If Name is Identity then Value is mapped to principal.user.email_addresses or principal.user.userid

Set-TenantObjectVersion

The following table lists the log fields and corresponding UDM mappings for the operation "Set-TenantObjectVersion" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value

If the Name log field value is DomainController, then the Value log field is mapped to the target.administrative_domain UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

Set-RecipientEnforcementProvisioningPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RecipientEnforcementProvisioningPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

Set-PolicyConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-PolicyConfig" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

target.resource.resource_type is set to ACCESS_POLICY

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Set-OwaMailboxPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-OwaMailboxPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

Set-MailboxPlan

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailboxPlan" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

Set-LabelProperties

The following table lists the log fields and corresponding UDM mappings for the operation "Set-LabelProperties" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
SessionId network.session_id

Set-Label

The following table lists the log fields and corresponding UDM mappings for the operation "Set-Label" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

target.resource.resource_type is set to SETTING

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Set-ExchangeAssistanceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ExchangeAssistanceConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.url

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to PrivacyStatementURL, then the Value log field is mapped to the target.url UDM field.

Else, the Value log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

Set-ConditionalAccessPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ConditionalAccessPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to DisplayName, then the Value log field is mapped to the target.resource.name UDM field.

Else, the Value log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

SessionID network.session_id

New-ConditionalAccessPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-ConditionalAccessPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to DisplayName, then the Value log field is mapped to the target.resource.name UDM field.

Else, the Value log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

SessionID network.session_id

RemovedSearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "RemovedSearchReport" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
Parameters principal.process.command_line

If Name is CmdletOptions, then the Value is stored in the process_args variable.

If Name is Cmdlet, then the Value is stored in the process_value variable.

principal.process.command_line is then set to "{process_value} {process_args}".

PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

Get-PrivacyManagementPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-PrivacyManagementPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

Set-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
Parameters target.process.command_line

SearchTrialOffer

The following table lists the log fields and corresponding UDM mappings for the operation "SearchTrialOffer" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchTIKustoClusterInformation

The following table lists the log fields and corresponding UDM mappings for the operation "SearchTIKustoClusterInformation" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchMtpRoleInfo

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMtpRoleInfo" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchMailflowForwardingData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchMailflowForwardingData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchDataInsightsSubscription

The following table lists the log fields and corresponding UDM mappings for the operation "SearchDataInsightsSubscription" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchCustomerInsight

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCustomerInsight" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchConnectorReportData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchConnectorReportData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchAlertAggregate

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertAggregate" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchAlert

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlert" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Enable-AddressListPaging

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-AddressListPaging" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

Install-AdminAuditLogConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-AdminAuditLogConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

AccessedAggregates

The following table lists the log fields and corresponding UDM mappings for the operation "AccessedAggregates" and workload "Mip":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
DataType security_result.description
version metadata.product_version

AccessedSiteList

The following table lists the log fields and corresponding UDM mappings for the operation "AccessedSiteList" and workload "Mip":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
DataType security_result.description
version metadata.product_version

Install-DataClassificationConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-DataClassificationConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

Set-UnifiedGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-UnifiedGroup" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

If ResultStatus is TRUE, then security_result.action is set to ALLOW.

Else, security_result.action is set to BLOCK.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters network.application_protocol

target.user.email_addresses

target.group.email_addresses

If Name is EmailAddresses, then the Value field is parsed to extract the email addresses and the mail_key: the email addresses are mapped to target.user.email_addresses and the mail_key is mapped to network.email.mail_id.

If Name is ExternalEmailAddress, then the Value field is parsed to extract the protocol and the email addresses: the protocol is mapped to network.application_protocol and the email addresses are mapped to target.group.email_addresses.

Protocol is mapped to network.application_protocol

EmailAddresses is mapped to target.user.email_addresses

ExternalEmailAddress is mapped to target.group.email_addresses

SessionId network.session_id

ApplicableAdaptivePolicyChange

The following table lists the log fields and corresponding UDM mappings for the operation "ApplicableAdaptivePolicyChange" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters principal.process.command_line

If Name is CmdletOptions, then the Value is stored in the process_args variable.

If Name is Cmdlet, then the Value is stored in the process_value variable.

principal.process.command_line is then set to "{process_value} {process_args}".

ClientApplication principal.application
Version metadata.product_version
ExtendedProperties security_result.detection_fields.key/value

target.resource.product_object_id

If Name is CorrelationId, then the Name/Value pair is mapped to security_result.detection_fields.key/value.

If Name is AssociatedAdaptivePolicyIds, then the AssociatedAdaptivePolicyIds value is mapped to target.resource.product_object_id.

ObjectType security_result.summary
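As an added example (not Google Security Operations parser code), the following Python applies the Parameters Name/Value rules this page describes for RemovedSearchReport, Set-UnifiedGroup and ApplicableAdaptivePolicyChange to one constructed audit record: Cmdlet and CmdletOptions are joined into principal.process.command_line, DisplayName, DomainController and PrivacyStatementURL go to their dedicated fields, proxy addresses are split into protocol and address, and every other pair falls through to additional.fields. The proxy-address format ("SMTP:user@domain", optionally brace-wrapped and comma-separated), the uppercase protocol value, the omission of mail_key handling and the sample record itself are assumptions.

```python
"""Added example, not Google Security Operations parser code: apply the
Parameters Name/Value mapping rules from this page to one audit record."""
import re
from typing import Any

# Constructed sample: the Parameters array of a Microsoft 365 audit record,
# mixing names from several operations on this page so every branch runs.
SAMPLE_PARAMETERS = [
    {"Name": "Cmdlet", "Value": "Set-UnifiedGroup"},
    {"Name": "CmdletOptions", "Value": "-Identity finance -HiddenFromAddressListsEnabled $true"},
    {"Name": "DisplayName", "Value": "Finance Team"},
    {"Name": "DomainController", "Value": "dc01.corp.example.com"},
    {"Name": "EmailAddresses", "Value": "{SMTP:finance@example.com,smtp:fin@example.com}"},
    {"Name": "ExternalEmailAddress", "Value": "SMTP:partner@external.example"},
    {"Name": "Force", "Value": "True"},
]


def split_proxy_addresses(value: str) -> list[tuple[str, str]]:
    """Split an Exchange proxy-address value into (protocol, address) pairs.

    Assumption: values look like 'SMTP:a@x' or '{SMTP:a@x,smtp:b@x}'; the page
    only says that 'protocol and emails' are extracted. A bare address with no
    prefix is kept with an empty protocol rather than dropped.
    """
    pairs: list[tuple[str, str]] = []
    for item in re.split(r"[,;]", value.strip().strip("{}")):
        item = item.strip()
        if not item:
            continue
        protocol, sep, address = item.partition(":")
        if not sep:
            protocol, address = "", item
        pairs.append((protocol.upper(), address))
    return pairs


def map_parameters(parameters: list[dict[str, str]]) -> dict[str, Any]:
    """Return a flat dict of UDM field paths built from the Parameters array.

    Name/Value pairs the page gives a dedicated field get that field; every
    other pair falls through to additional.fields, as the tables describe.
    """
    udm: dict[str, Any] = {"additional.fields": {}}
    process_value = process_args = None
    for param in parameters:
        name, value = param.get("Name", ""), param.get("Value", "")
        if name == "Cmdlet":
            process_value = value
        elif name == "CmdletOptions":
            process_args = value
        elif name == "DisplayName":
            udm["target.resource.name"] = value
        elif name == "DomainController":
            udm["target.administrative_domain"] = value
        elif name == "PrivacyStatementURL":
            udm["target.url"] = value
        elif name == "EmailAddresses":
            udm["target.user.email_addresses"] = [
                addr for _, addr in split_proxy_addresses(value)
            ]
        elif name == "ExternalEmailAddress":
            pairs = split_proxy_addresses(value)
            if pairs and pairs[0][0]:
                udm["network.application_protocol"] = pairs[0][0]
            udm["target.group.email_addresses"] = [addr for _, addr in pairs]
        else:
            udm["additional.fields"][name] = value
    # "{process_value} {process_args}": only emit the field when a Cmdlet
    # was seen; a missing CmdletOptions leaves just the cmdlet name.
    if process_value is not None:
        udm["principal.process.command_line"] = " ".join(
            part for part in (process_value, process_args) if part
        )
    return udm


if __name__ == "__main__":
    for field, value in sorted(map_parameters(SAMPLE_PARAMETERS).items()):
        print(f"{field}: {value}")
```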

Get-AppRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
Parameters target.process.command_line

target.resource.product_object_id

Policy is extracted from Parameters using grok:

grok {
    match => {
        Parameters => .*-Policy \{:target_resource_product_object_id}\
    }
}

New-AppRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.name

target.resource.product_object_id

Policy and Name are extracted from Parameters using grok:

Name is mapped to target.resource.name

Policy is mapped to target.resource.product_object_id

StartTime target.resource.attribute.creation_time

New-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.resource.name

target.process.command_line

Name is extracted from Parameters using grok:

Name is mapped to target.resource.name

StartTime target.resource.attribute.creation_time

Set-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
StartTime target.resource.attribute.creation_time

Install-DefaultSharingPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Install-DefaultSharingPolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

Install-ResourceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "Install-ResourceConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

New-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "New-Mailbox" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
SessionId network.session_id

Add-MailboxFolderPermission

The following table lists the log fields and corresponding UDM mappings for the operation "Add-MailboxFolderPermission" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name

target.user.user_display_name

target.user.attribute.permissions.name

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Identity, then the Value log field is mapped to the target.resource.name UDM field.

Else, if the Name log field value is equal to User, then the Value log field is mapped to the target.user.user_display_name UDM field.

Else, if the Name log field value is equal to AccessRights, then the Value log field is mapped to the target.user.attribute.permissions.name UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

New-LabelPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-LabelPolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to ACCESS_POLICY

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

New-Label

The following table lists the log fields and corresponding UDM mappings for the operation "New-Label" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.name

StartTime target.resource.attribute.creation_time
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value

Get-ActivityAlert

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ActivityAlert" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-ProtectionAlert

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ProtectionAlert" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

SearchComplianceCase

The following table lists the log fields and corresponding UDM mappings for the operation "SearchComplianceCase" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Remove-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Remove-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Remove-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

New-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Enable-ComplianceTagStorage

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-ComplianceTagStorage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-ComplianceRetentionEventType

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEventType" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

AggregateActivityData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateActivityData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Set-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Set-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-FilePlanPropertyStructure

The following table lists the log fields and corresponding UDM mappings for the operation "Get-FilePlanPropertyStructure" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

New-ComplianceRetentionEventType

The following table lists the log fields and corresponding UDM mappings for the operation "New-ComplianceRetentionEventType" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is mapped to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line

target.resource.name

target_resource_name is mapped to target.resource.name

UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-DlpSensitiveInformationTypeRulePackage

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpSensitiveInformationTypeRulePackage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-ComplianceRetentionEvent

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceRetentionEvent" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

ComplianceSecurityFilter

The following table lists the log fields and corresponding UDM mappings for the operation "ComplianceSecurityFilter" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-QuarantineMessage

The following table lists the log fields and corresponding UDM mappings for the operation "Get-QuarantineMessage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

AggregateThreatProfileDetails

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateThreatProfileDetails" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Get-DlpDetectionsReport

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpDetectionsReport" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
Parameters target.process.command_line
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-AppRetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AppRetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Add-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-RoleGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member, then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name.

If Name is Identity, then Value is mapped to target.group.product_object_id or target.group.email_addresses.

Else, Value is mapped to target.group.attribute.labels.key/value.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id
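The Parameters dispatch described in the Add-MailboxFolderPermission table above and in the Add-RoleGroupMember table here, carried out in Python as an added example (not the Google Security Operations parser's own code). The sample records are constructed; the choice among the alternative target.user and target.group fields by value shape, and the reading of "Action" as security_result.action, are this example's assumptions.

```python
import re

# Constructed sample records (not real tenant data). The shape follows the
# Exchange admin audit records the two mapping tables describe, trimmed to the
# fields those mappings consume.
ADD_MAILBOX_FOLDER_PERMISSION = {
    "Operation": "Add-MailboxFolderPermission",
    "ResultStatus": "True",
    "OrganizationName": "example.onmicrosoft.com",
    "OriginatingServer": "EXSERVER01 (15.20.0000.000)",
    "Parameters": [
        {"Name": "Identity", "Value": "alice@example.com:\\Inbox"},
        {"Name": "User", "Value": "Bob Smith"},
        {"Name": "AccessRights", "Value": "Owner"},
        {"Name": "SharingPermissionFlags", "Value": "Delegate"},
    ],
}

ADD_ROLE_GROUP_MEMBER = {
    "Operation": "Add-RoleGroupMember",
    "ResultStatus": "False",
    "ObjectId": "Organization Management",
    "OrganizationName": "example.onmicrosoft.com",
    "OriginatingServer": "EXSERVER01 (15.20.0000.000)",
    "Parameters": [
        {"Name": "Identity", "Value": "Organization Management"},
        {"Name": "Member", "Value": "bob@example.com"},
        {"Name": "BypassSecurityGroupManagerCheck", "Value": "True"},
    ],
}

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def _parameters(record):
    """Yield (Name, Value) pairs from the Parameters array; tolerate its absence."""
    for item in record.get("Parameters") or []:
        yield str(item.get("Name", "")), str(item.get("Value", ""))


def _common_exchange_fields(record, udm):
    """Mappings both tables share: OrganizationName and OriginatingServer."""
    if "OrganizationName" in record:
        udm["target.administrative_domain"] = record["OrganizationName"]
    if "OriginatingServer" in record:
        udm["principal.hostname"] = record["OriginatingServer"]


def map_mailbox_folder_permission(record):
    """Add-MailboxFolderPermission: Identity, User and AccessRights get dedicated
    UDM fields; every other parameter lands in additional.fields (the
    non-deprecated home for leftover key/value pairs)."""
    udm = {"metadata.event_type": "USER_RESOURCE_UPDATE_PERMISSIONS"}
    _common_exchange_fields(record, udm)
    for name, value in _parameters(record):
        if name == "Identity":
            udm["target.resource.name"] = value
        elif name == "User":
            udm["target.user.user_display_name"] = value
        elif name == "AccessRights":
            udm["target.user.attribute.permissions.name"] = value
        else:
            udm.setdefault("additional.fields", []).append(
                {"key": name, "value": {"string_value": value}})
    return udm


def _user_field_for(value):
    """The table lists three candidate target.user fields for Member without a
    selection rule; choosing by value shape is this example's assumption."""
    if GUID_RE.match(value):
        return "target.user.product_object_id"
    if "@" in value:
        return "target.user.email_addresses"
    return "target.user.user_display_name"


def map_role_group_member(record):
    """Add-RoleGroupMember: GROUP_MODIFICATION with the cmdlet outcome folded into
    the security_result. "Action" is taken to mean security_result.action
    (assumption). ResultStatus may arrive as the string "True" or as a bool."""
    succeeded = str(record.get("ResultStatus", "")).lower() == "true"
    udm = {
        "metadata.event_type": "GROUP_MODIFICATION",
        "target.group.group_display_name": record.get("ObjectId", ""),
        "security_result.summary": "Group Members definition",
        "security_result.action": "ALLOW" if succeeded else "BLOCK",
    }
    _common_exchange_fields(record, udm)
    for name, value in _parameters(record):
        if name == "Member":
            udm[_user_field_for(value)] = value
        elif name == "Identity":
            # Same shape-based choice between the two group fields (assumption).
            key = "target.group.email_addresses" if "@" in value else "target.group.product_object_id"
            udm[key] = value
        else:
            udm.setdefault("target.group.attribute.labels", []).append(
                {"key": name, "value": value})
    return udm


if __name__ == "__main__":
    for rec, fn in ((ADD_MAILBOX_FOLDER_PERMISSION, map_mailbox_folder_permission),
                    (ADD_ROLE_GROUP_MEMBER, map_role_group_member)):
        print(rec["Operation"], fn(rec))
```

Normalizing AccessRights into target.user.attribute.permissions.name is what lets a detection rule single out high-privilege grants such as Owner on another user's Inbox without parsing each cmdlet string. Mapping a failed ResultStatus to BLOCK keeps attempted role-group changes visible alongside the successful ones.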

Update-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Update-RoleGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member, then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name.

If Name is Identity, then Value is mapped to target.group.product_object_id or target.group.email_addresses.

Else, Value is mapped to target.group.attribute.labels.key/value.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id

New-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation "New-RoleGroup" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member, then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name.

If Name is Identity, then Value is mapped to target.group.product_object_id or target.group.email_addresses.

Else, Value is mapped to target.group.attribute.labels.key/value.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
SessionId network.session_id
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value

Provision-ComplianceMailboxFolder

The following table lists the log fields and corresponding UDM mappings for the operation "Provision-ComplianceMailboxFolder" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters target.resource.product_object_id

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to FolderName, then the Value log field is mapped to the target.resource.product_object_id UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

Remove-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-Mailbox" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters target.resource.name

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Identity, then the Value log field is mapped to the target.resource.name UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

New-QuarantinePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-QuarantinePolicy" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
OriginatingServer principal.hostname
OrganizationName target.administrative_domain
ClientVersion metadata.product_version
version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters target.resource.name

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Identity, then the Value log field is mapped to the target.resource.name UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

SessionId network.session_id

Get-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RoleGroup" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True {

Action is set to ALLOW

}

else {

Action is set to BLOCK

}

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

else

target.group.attribute.labels.key/value

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

SearchLabelAnalyticsActivityData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchLabelAnalyticsActivityData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Get-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

SearchSecurityRedirection

The following table lists the log fields and corresponding UDM mappings for the operation "SearchSecurityRedirection" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Get-ComplianceCaseMember

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceCaseMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

HoldViewed

The following table lists the log fields and corresponding UDM mappings for the operation "HoldViewed" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters principal.process.command_line

If Name is CmdletOptions, then the Value is stored in the process_args variable.

If Name is Cmdlet, then the Value is stored in the process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}.

Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.category_details
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

Get-eDiscoveryCaseAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "Get-eDiscoveryCaseAdmin" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-RoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RoleGroupMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-ManagementRole

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ManagementRole" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Set-RoleGroup

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RoleGroup" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.group.group_display_name

target.process.command_line

Extract DisplayName using grok

Name is mapped to target.group.group_display_name

Version metadata.product_version
ResultCountSecurityComplianceCenterEventType about.labels.key/value (deprecated)
ResultCountSecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-SecurityPrincipal

The following table lists the log fields and corresponding UDM mappings for the operation "Get-SecurityPrincipal" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-CaseHoldRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CaseHoldRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SETTING_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok

grok {

match is mapped to {

Parameters .*-Policy \{target_resource_product_object_id}\

}

}

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

ViewedSearchReport

The following table lists the log fields and corresponding UDM mappings for the operation "ViewedSearchReport" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters principal.process.command_line

If Name is CmdletOptions, then the Value is stored in the process_args variable.

If Name is Cmdlet, then the Value is stored in the process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}.

Version metadata.product_version
Case metadata.description
ExchangeLocations security_result.summary
ExtendedProperties target.resource.product_object_id

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to CaseId, then the Value log field value is mapped to the target.resource.product_object_id UDM field.

Else, if the Name log field value is equal to SearchIds, then the Value log field value is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ObjectType security_result.summary
PublicFolderLocations security_result.category_details
Query security_result.description
SharepointLocations security_result.category_details

Get-AdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation "Get-AdaptiveScope" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

New-RetentionCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation "New-RetentionCompliancePolicy" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

target.resource.resource_type is set to ACCESS_POLICY

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

New-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "New-RetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok

grok {

match is mapped to {

Parameters .*-Policy \{target_resource_product_object_id}\

}

}

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-ComplianceTag

The following table lists the log fields and corresponding UDM mappings for the operation "Get-ComplianceTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Set-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-RegulatoryComplianceUI

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RegulatoryComplianceUI" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-RetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-RetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line

target.resource.product_object_id

Extract Policy using grok

grok {

match is mapped to {

Parameters .*-Policy \{target_resource_product_object_id}\

}

}

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

New-AdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation "New-AdaptiveScope" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.resource.name

target.process.command_line

Extract Name using grok

Name is mapped to target.resource.name

Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Enable-AdaptiveScopeStorage

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-AdaptiveScopeStorage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

SearchCustomTag

The following table lists the log fields and corresponding UDM mappings for the operation "SearchCustomTag" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Set-RegulatoryComplianceUI

The following table lists the log fields and corresponding UDM mappings for the operation "Set-RegulatoryComplianceUI" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters target.process.command_line
Version metadata.product_version

RemoveRetentionComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "RemoveRetentionComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters principal.process.command_line

The name and value for the parameters that were used with the corresponding cmdlet.

If Name is CmdletOptions, then the Value is stored in the process_args variable.

If Name is Cmdlet, then the Value is stored in the process_value variable.

Then principal.process.command_line is mapped to {process_value} {process_args}.

Version metadata.product_version
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy, then Value is mapped to target.user.user_display_name

If Name is PolicyName, then Value is mapped to target.resource.name

If Name is Description, then Value is mapped to security_result.description

If Name is RetentionAction, WorkLoad, or LabelName, then Value is mapped to target.resource.attribute.labels.key/value

ObjectType security_result.summary
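
The Parameters and ExtendedProperties rules above (the Cmdlet/CmdletOptions reassembly described for HoldViewed and RemoveRetentionComplianceRule, the "-Policy" extraction described for Get-CaseHoldRule and New-RetentionComplianceRule, and the ExtendedProperties Name/Value branching in this table) are easier to follow as code. The block below is an added illustration written for this page; it is not the Google Security Operations parser and not Microsoft code. The sample record is constructed, and the POLICY_RE pattern is an assumption standing in for the grok expression the page only shows in part.

```python
import re

# Constructed sample audit record for a SecurityComplianceCenter cmdlet
# (invented values, not a real Microsoft 365 log). The field names follow
# the Office 365 Management Activity API schema used throughout this page.
SAMPLE_RECORD = {
    "Operation": "Remove-RetentionComplianceRule",
    "Workload": "SecurityComplianceCenter",
    "Parameters": [
        {"Name": "Cmdlet", "Value": "Remove-RetentionComplianceRule"},
        {"Name": "CmdletOptions",
         "Value": '-Identity "Finance-Rule" -Policy "Finance-Policy" -Confirm:$false'},
    ],
    "ExtendedProperties": [
        {"Name": "CreatedBy", "Value": "alice@example.com"},
        {"Name": "PolicyName", "Value": "Finance-Policy"},
        {"Name": "Description", "Value": "Retain finance records for 7 years"},
        {"Name": "RetentionAction", "Value": "KeepAndDelete"},
        {"Name": "WorkLoad", "Value": "Exchange"},
    ],
}

# Hypothetical stand-in for the page's "Extract Policy using grok" step:
# the page shows only a fragment of the real grok expression, so this
# regex is an assumption, not the parser's pattern.
POLICY_RE = re.compile(r'-Policy\s+"?([^"\s]+)"?')


def build_command_line(parameters):
    """Reassemble the cmdlet invocation from the Parameters name/value list.

    Mirrors the page's rule: Cmdlet -> process_value, CmdletOptions ->
    process_args, then principal.process.command_line is
    "{process_value} {process_args}". Returns None when no Cmdlet entry is
    present so the caller does not emit an empty command line.
    """
    process_value = ""
    process_args = ""
    for entry in parameters or []:
        name = entry.get("Name")
        if name == "Cmdlet":
            process_value = entry.get("Value", "")
        elif name == "CmdletOptions":
            process_args = entry.get("Value", "")
    if not process_value:
        return None
    return f"{process_value} {process_args}".strip()


def extract_policy(command_line):
    """Pull the -Policy argument out of a command line (hypothetical regex)."""
    if not command_line:
        return None
    match = POLICY_RE.search(command_line)
    return match.group(1) if match else None


def map_extended_properties(extended_properties):
    """Apply the ExtendedProperties Name -> UDM field rules from this table."""
    udm = {}
    labels = {}
    for entry in extended_properties or []:
        name, value = entry.get("Name"), entry.get("Value")
        if name == "CreatedBy":
            udm["target.user.user_display_name"] = value
        elif name == "PolicyName":
            udm["target.resource.name"] = value
        elif name == "Description":
            udm["security_result.description"] = value
        elif name in ("RetentionAction", "WorkLoad", "LabelName"):
            labels[name] = value
    if labels:
        udm["target.resource.attribute.labels"] = labels
    return udm


def to_udm(record):
    """Build a flat dict of UDM field paths for one audit record."""
    udm = {}
    command_line = build_command_line(record.get("Parameters"))
    if command_line:
        udm["principal.process.command_line"] = command_line
        policy = extract_policy(command_line)
        if policy:
            udm["target.resource.product_object_id"] = policy
    udm.update(map_extended_properties(record.get("ExtendedProperties")))
    return udm


if __name__ == "__main__":
    for path, value in to_udm(SAMPLE_RECORD).items():
        print(f"{path}: {value}")
```

Running the block prints the reconstructed command line, the policy name it contains, and the ExtendedProperties mappings for the constructed record. A record whose Parameters list has no Cmdlet entry produces no principal.process.command_line field at all, which is the behaviour you want to confirm in a detection rule that keys on that field.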

NewAdaptiveScope

The following table lists the log fields and corresponding UDM mappings for the operation "NewAdaptiveScope" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Parameters principal.process.command_line

The name and value for the parameters that were used with the corresponding cmdlet.

If Name is CmdletOptions then store value of Value in process_args variable.

If Name is Cmdlet then store value of Value in process_value variable.

Then principal.process.command_line is set to {process_value} {process_args}.

Version metadata.product_version
ObjectType security_result.summary
ExtendedProperties target.user.user_display_name

target.resource.name

security_result.description

target.resource.attribute.labels.key/value

If Name is CreatedBy then Value is mapped to target.user.user_display_name

If Name is PolicyName then Value is mapped to target.resource.name

If Name is Description then Value is security_result.description

If Name is RetentionAction or WorkLoad or LabelName then target.resource.attribute.labels.key/value

CommentCreated

The following table lists the log fields and corresponding UDM mappings for the operation "CommentCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
SourceFileExtension target.file.mime_type
SiteUrl network.http.referral_url
SourceFileName target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl target.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
CommentId about.labels.key/value (deprecated)
CommentId additional.fields.key and additional.fields.value.string_value

DeviceAccessPolicyChanged

The following table lists the log fields and corresponding UDM mappings for the operation "DeviceAccessPolicyChanged" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ModifiedProperties target.labels.key/value (deprecated)
ModifiedProperties additional.fields.key and additional.fields.value.struct_value.fields

HeartBeat

The following table lists the log fields and corresponding UDM mappings for the operation "HeartBeat" and workload "Aip":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Common target.resource.product_object_id

target.resource.name

target.process.command_line

target.hostname

metadata.product_version

ApplicationId is mapped to target.resource.product_object_id

ApplicationName is mapped to target.resource.name

ProcessName is mapped to target.process.command_line

DeviceName is mapped to target.hostname

ProductVersion is mapped to metadata.product_version

Version metadata.product_version

MessageCreation

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreation" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION

If ResultStatus is TRUE, then action is ALLOW; else, action is BLOCK.

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
MessageID target.resource.product_object_id

ThreadViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ThreadViewed" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

If ResultStatus is SUCCEEDED, then action is set to ALLOW; else, action is set to BLOCK.

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
ThreadID about.labels.key/value (deprecated)
ThreadID additional.fields.key and additional.fields.value.string_value

StreamEditAdminGlobalRoleMembers

The following table lists the log fields and corresponding UDM mappings for the operation "StreamEditAdminGlobalRoleMembers" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION

If ResultStatus is SUCCEEDED, then action is set to ALLOW; else, action is set to BLOCK.

ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeGetTextTrack

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGetTextTrack" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeChannelView

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeChannelView" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeVideoMakePublic

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeVideoMakePublic" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

StreamInvokeGroupView

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGroupView" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

Set-CsOnlineDirectoryTenant

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CsOnlineDirectoryTenant" and workload "SkypeForBusiness":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
SkypeForBusinessEventType about.labels.key/value (deprecated)
SkypeForBusinessEventType additional.fields.key and additional.fields.value.string_value
TenantName target.resource.product_object_id
Version metadata.product_version

Set-CsHostedVoicemailPolicy

The following table lists the log fields and corresponding UDM mappings for the operation "Set-CsHostedVoicemailPolicy" and workload "SkypeForBusiness":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters target.administrative_domain

target.url

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Organization, then the Value log field is mapped to the target.administrative_domain UDM field.

Else, if the Name log field value is equal to Destination, then the Value log field is mapped to the target.url UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

SkypeForBusinessEventType about.labels.key/value (deprecated)
SkypeForBusinessEventType additional.fields.key and additional.fields.value.string_value
TenantName target.resource.product_object_id
Version metadata.product_version

Get-CSSimpleUrlConfiguration

The following table lists the log fields and corresponding UDM mappings for the operation "Get-CSSimpleUrlConfiguration" and workload "SkypeForBusiness":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
CmdletVersion metadata.product_version
Parameters target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is Organization, then the Value log field is mapped to the target.administrative_domain UDM field.

Else, the Value log field is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

SkypeForBusinessEventType about.labels.key/value (deprecated)
SkypeForBusinessEventType additional.fields.key and additional.fields.value.string_value
TenantName target.resource.product_object_id
Version metadata.product_version

New-ExchangeAssistanceConfig

The following table lists the log fields and corresponding UDM mappings for the operation "New-ExchangeAssistanceConfig" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value

New-App

The following table lists the log fields and corresponding UDM mappings for the operation "New-App" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
SessionId network.session_id

PublishToWebReport

The following table lists the log fields and corresponding UDM mappings for the operation "PublishToWebReport" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
ReportName target.resource.name
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.attribute.labels.key/value
ReportId target.resource.product_object_id
ReportType target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
DistributionMethod about.labels.key/value (deprecated)
DistributionMethod additional.fields.key and additional.fields.value.string_value

UpdateGateway

The following table lists the log fields and corresponding UDM mappings for the operation "UpdateGateway" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
WorkSpaceName target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
GatewayId target.resource.product_object_id

ShareDataset

The following table lists the log fields and corresponding UDM mappings for the operation "ShareDataset" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
ArtifactId target.resource.product_object_id
ArtifactName target.resource.name
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
SharingAction about.labels.key/value (deprecated)
SharingAction additional.fields.key and additional.fields.value.string_value

GetRefreshablesAsAdmin

The following table lists the log fields and corresponding UDM mappings for the operation "GetRefreshablesAsAdmin" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value

CreateTagJob

The following table lists the log fields and corresponding UDM mappings for the operation "CreateTagJob" and workload "Compliance":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
CaseID target.resource.product_object_id
CaseName target.resource.name
EndTime target.resource.attribute.last_update_time
ExtendedProperties target.resource.attribute.labels.key/value
StartTime target.resource.attribute.creation_time

Add delegated permission grant

The following table lists the log fields and corresponding UDM mappings for the operation "Add delegated permission grant" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summary

target.resource.attribute.labels.key/value

If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is DelegatedPermissionGrant.Scope then NewValue and OldValue are mapped to target.resource.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
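The ModifiedProperties and Target rules in the table above, worked through in code. This is an added example, not the Google Security Operations parser; the audit record is constructed, the label key names are assumptions, and the rule for choosing target.user.userid versus target.user.email_addresses (the table only says "or") is an assumption as well.

```python
"""Map a Microsoft 365 "Add delegated permission grant" record (workload
AzureActiveDirectory) to the UDM fields listed for ModifiedProperties and
Target. Added example, not the production parser."""
from typing import Any

# Constructed sample record: a user consents to an app reading their mailbox.
SAMPLE_RECORD: dict[str, Any] = {
    "Operation": "Add delegated permission grant.",
    "Workload": "AzureActiveDirectory",
    "ModifiedProperties": [
        {"Name": "ServicePrincipal.ObjectId",
         "NewValue": "11111111-2222-3333-4444-555555555555", "OldValue": ""},
        {"Name": "ServicePrincipal.DisplayName",
         "NewValue": "Example Mail Reader", "OldValue": ""},
        {"Name": "DelegatedPermissionGrant.Scope",
         "NewValue": "Mail.Read offline_access", "OldValue": ""},
        {"Name": "Included Updated Properties",
         "NewValue": "DelegatedPermissionGrant.Scope", "OldValue": ""},
    ],
    "Target": [
        {"Type": 2, "ID": "ServicePrincipal"},
        {"Type": 5, "ID": "user@example.com"},   # Type 5 carries the user
        {"Type": 1, "ID": "DelegatedPermissionGrant"},
    ],
}


def map_delegated_permission_grant(record: dict[str, Any]) -> dict[str, Any]:
    """Return a flat dict keyed by UDM field path, following the table."""
    udm: dict[str, Any] = {
        "metadata.event_type": "USER_RESOURCE_UPDATE_PERMISSIONS",
        "target.resource.attribute.labels": {},
        "security_result.detection_fields": {},
    }

    for prop in record.get("ModifiedProperties", []):
        name = prop.get("Name")
        new = prop.get("NewValue", "")
        if name == "ServicePrincipal.ObjectId":
            udm["target.resource.product_object_id"] = new
        elif name == "ServicePrincipal.DisplayName":
            udm["target.resource.name"] = new
        elif name == "Included Updated Properties":
            udm["security_result.summary"] = new
        elif name == "DelegatedPermissionGrant.Scope":
            # Both NewValue and OldValue go to labels; key names are assumed.
            labels = udm["target.resource.attribute.labels"]
            labels["DelegatedPermissionGrant.Scope_NewValue"] = new
            labels["DelegatedPermissionGrant.Scope_OldValue"] = prop.get("OldValue", "")

    for tgt in record.get("Target", []):
        tgt_id = str(tgt.get("ID", ""))
        if tgt.get("Type") == 5:
            # Assumption: an ID containing "@" is treated as an e-mail address,
            # anything else as a bare user id.
            if "@" in tgt_id:
                udm.setdefault("target.user.email_addresses", []).append(tgt_id)
            else:
                udm["target.user.userid"] = tgt_id
        else:
            # Remaining Target entries land in detection_fields (key assumed).
            udm["security_result.detection_fields"][f"Target_Type_{tgt.get('Type')}"] = tgt_id
    return udm


def granted_scopes(udm: dict[str, Any]) -> list[str]:
    """Split the newly granted scope string so each permission can be reviewed
    individually (e.g. to alert on broad scopes such as mailbox read)."""
    raw = udm["target.resource.attribute.labels"].get("DelegatedPermissionGrant.Scope_NewValue", "")
    return raw.split()


if __name__ == "__main__":
    mapped = map_delegated_permission_grant(SAMPLE_RECORD)
    for key, value in mapped.items():
        print(f"{key}: {value}")
    print("granted scopes:", granted_scopes(mapped))
```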

Add app role assignment to service principal

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment to service principal" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summary

If Name is ServicePrincipal.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is ServicePrincipal.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Update to application

The following table lists the log fields and corresponding UDM mappings for the operation "Update to application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Update application – Certificates and secrets management

The following table lists the log fields and corresponding UDM mappings for the operation "Update application – Certificates and secrets management" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

Mapped only if the log contains a unique ObjectId field.

Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.attribute.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is RequiredResourceAccess then NewValue and OldValue are mapped to target.resource.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add owner to application

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

security_result.summary

If Name is Application.ObjectId then NewValue is mapped to target.resource.product_object_id

If Name is Application.DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.labels.key/value (deprecated)
Target additional.fields.key and additional.fields.value.string_value
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add to application

The following table lists the log fields and corresponding UDM mappings for the operation "Add to application" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.name

security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add device configuration

The following table lists the log fields and corresponding UDM mappings for the operation "Add device configuration" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.name

security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add unverified domain

The following table lists the log fields and corresponding UDM mappings for the operation "Add unverified domain" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.name

security_result.summary

If Name is Name then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add policy

The following table lists the log fields and corresponding UDM mappings for the operation "Add policy" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Version metadata.product_version
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.name

security_result.summary

If Name is DisplayName then NewValue is mapped to target.resource.name

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target security_result.detection_fields.key/value
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
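As an added worked example (not the OFFICE_365 parser's own code), the following Python applies the three-way ExtendedProperties rule and the per-operation ModifiedProperties rules from the four AzureActiveDirectory tables above (Add to application, Add device configuration, Add unverified domain, Add policy) to a constructed audit record. The User-Agent regex standing in for the parser's Grok pattern, and the use of the property Name as the label key, are assumptions of this example.

```python
import re

# Grok-like extraction of the User-Agent from the additionalDetails value.
# Assumption (not stated on the page): additionalDetails carries a JSON string
# with a "User-Agent" key, which is what the constructed sample below uses.
_USER_AGENT_RE = re.compile(r'"User-Agent"\s*:\s*"(?P<ua>[^"]*)"')

# metadata.event_type for each operation, as listed in the tables above.
EVENT_TYPES = {
    "Add to application": "USER_RESOURCE_CREATION",
    "Add device configuration": "USER_RESOURCE_UPDATE_CONTENT",
    "Add unverified domain": "USER_RESOURCE_UPDATE_CONTENT",
    "Add policy": "USER_RESOURCE_UPDATE_CONTENT",
}

# ModifiedProperties rule per operation: the Name of the modified property
# whose NewValue becomes target.resource.name. "Included Updated Properties"
# goes to security_result.summary for all four operations.
NAME_PROPERTY = {
    "Add to application": "DisplayName",
    "Add device configuration": "DisplayName",
    "Add unverified domain": "Name",
    "Add policy": "DisplayName",
}
SUMMARY_PROPERTY = "Included Updated Properties"


def _add_field(udm, key, value):
    """Store a value under the deprecated about.labels and under additional.fields."""
    udm.setdefault("about.labels", []).append({"key": key, "value": value})
    udm.setdefault("additional.fields", []).append(
        {"key": key, "value": {"string_value": value}})


def map_extended_properties(props, udm):
    """Apply the three-way ExtendedProperties rule to {Name, Value} entries."""
    for prop in props:
        name, value = prop.get("Name"), prop.get("Value")
        if name == "additionalDetails":
            match = _USER_AGENT_RE.search(value or "")
            if match:  # no match: the field is simply left unset
                udm["network.http.user_agent"] = match.group("ua")
        elif name == "extendedAuditEventCategory":
            # Using the property Name as the label key is an assumption here.
            udm.setdefault("target.resource.attribute.labels", []).append(
                {"key": name, "value": value})
        else:
            _add_field(udm, name, value)


def map_modified_properties(operation, props, udm):
    """Route NewValue by the property Name, per the operation's table."""
    name_property = NAME_PROPERTY[operation]
    for prop in props:
        name, new_value = prop.get("Name"), prop.get("NewValue")
        if name == SUMMARY_PROPERTY:
            udm["security_result.summary"] = new_value
        elif name == name_property:
            udm["target.resource.name"] = new_value


def map_azure_ad_event(record):
    """Map one AzureActiveDirectory audit record to a flat UDM-style dict."""
    operation = record.get("Operation")
    if operation not in EVENT_TYPES:
        raise ValueError(f"operation not covered by this example: {operation!r}")
    udm = {"metadata.event_type": EVENT_TYPES[operation]}
    if "Version" in record:
        udm["metadata.product_version"] = str(record["Version"])
    if "AzureActiveDirectoryEventType" in record:
        udm.setdefault("target.resource.attribute.labels", []).append(
            {"key": "AzureActiveDirectoryEventType",
             "value": str(record["AzureActiveDirectoryEventType"])})
    map_extended_properties(record.get("ExtendedProperties", []), udm)
    map_modified_properties(operation, record.get("ModifiedProperties", []), udm)
    return udm


# Constructed sample record (not from a real tenant).
SAMPLE_EVENT = {
    "Operation": "Add unverified domain",
    "Workload": "AzureActiveDirectory",
    "Version": 1,
    "AzureActiveDirectoryEventType": 1,
    "ExtendedProperties": [
        {"Name": "additionalDetails",
         "Value": '{"User-Agent":"ConstructedClient/1.0"}'},
        {"Name": "extendedAuditEventCategory", "Value": "Domain"},
        {"Name": "targetName", "Value": "example.invalid"},
    ],
    "ModifiedProperties": [
        {"Name": "Name", "NewValue": "example.invalid", "OldValue": ""},
        {"Name": SUMMARY_PROPERTY, "NewValue": "Name", "OldValue": ""},
    ],
}
```

Running `map_azure_ad_event(SAMPLE_EVENT)` shows the User-Agent landing in network.http.user_agent, the audit category in the target resource labels, and the unmatched targetName property falling through to additional.fields.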

CreateResponse

The following table lists the log fields and corresponding UDM mappings for the operation "CreateResponse" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

EditForm

The following table lists the log fields and corresponding UDM mappings for the operation "EditForm" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

SubmitResponse

The following table lists the log fields and corresponding UDM mappings for the operation "SubmitResponse" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
FormsUserTypes principal.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

ViewResponses

The following table lists the log fields and corresponding UDM mappings for the operation "ViewResponses" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

ViewRuntimeForm

The following table lists the log fields and corresponding UDM mappings for the operation "ViewRuntimeForm" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
FormsUserTypes principal.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

DeleteFlow

The following table lists the log fields and corresponding UDM mappings for the operation "DeleteFlow" and workload "MicrosoftForms":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION
FormsUserTypes target.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

ListViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ListViewed" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ItemCount target.labels.key/value (deprecated)
ItemCount additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
TemplateTypeId about.labels.key/value (deprecated)
TemplateTypeId additional.fields.key and additional.fields.value.string_value

ListColumnUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

ListContentTypeUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListContentTypeUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

ListItemDeleted

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemDeleted" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

ListUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TemplateTypeId about.labels.key/value (deprecated)
TemplateTypeId additional.fields.key and additional.fields.value.string_value
ApplicationDisplayName target.application
ItemCount target.labels.key/value (deprecated)
ItemCount additional.fields.key and additional.fields.value.string_value

ListItemCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TemplateTypeId about.labels.key/value (deprecated)
TemplateTypeId additional.fields.key and additional.fields.value.string_value
ItemCount target.labels.key/value (deprecated)
ItemCount additional.fields.key and additional.fields.value.string_value

ListColumnCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ListColumnCreated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
TemplateTypeId about.labels.key/value (deprecated)
TemplateTypeId additional.fields.key and additional.fields.value.string_value
ItemCount target.labels.key/value (deprecated)
ItemCount additional.fields.key and additional.fields.value.string_value

SiteContentTypeUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "SiteContentTypeUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

ListItemViewed

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemViewed" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
ItemCount target.labels.key/value (deprecated)
ItemCount additional.fields.key and additional.fields.value.string_value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
ListItemUniqueId principal.asset_id

ListItemUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "ListItemUpdated" and workload "SharePoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

ObjectId is mapped to target.url

Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
EventSource principal.application
SourceName principal.labels.key/value (deprecated)
SourceName additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
MachineDomainInfo target.asset.attribute.labels.key/value
MachineId target.asset.product_object_id
Version metadata.product_version
CorrelationId security_result.detection_fields.key/value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value
target.file.size target.labels.key/value (deprecated)
target.file.size additional.fields.key and additional.fields.value.string_value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
ListItemUniqueId principal.asset_id

FileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation "FileRenamed" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileType target.resource.attribute.labels.key/value
PreviousFileName src.file.full_path
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path

UpdatePowerApp

The following table lists the log fields and corresponding UDM mappings for the operation "UpdatePowerApp" and workload "PowerApps":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
Id metadata.product_log_id

SubscribedToMessages

The following table lists the log fields and corresponding UDM mappings for the operation "SubscribedToMessages" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

ExtraProperties additional.fields.key and additional.fields.value.string_value
SubscriptionId target.resource.attribute.labels.key/value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MessageCreatedNotification

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedNotification" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
MessageVersion target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers

target.group.product_object_id

OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MessageUpdatedNotification

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdatedNotification" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
MessageVersion target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers

target.group.product_object_id

OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MessageCreatedHasLink

The following table lists the log fields and corresponding UDM mappings for the operation "MessageCreatedHasLink" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers

target.group.product_object_id

CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
MessageVersion target.resource.attribute.labels.key/value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MessagesListed

The following table lists the log fields and corresponding UDM mappings for the operation "MessagesListed" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If the ClientIP field is absent, then metadata.event_type is mapped to GENERIC_EVENT.

ChannelGuid target.resource.product_object_id
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

PerformedCardAction

The following table lists the log fields and corresponding UDM mappings for the operation "PerformedCardAction" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

AddOnGuid target.labels.key/value (deprecated)
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnName target.labels.key/value (deprecated)
AddOnName additional.fields.key and additional.fields.value.string_value
AddOnType target.labels.key/value (deprecated)
AddOnType additional.fields.key and additional.fields.value.string_value
ChannelGuid target.resource.product_object_id
ChannelName target.resource.name
ChannelType target.labels.key/value (deprecated)
ChannelType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers and target.group.product_object_id
TeamName target.group.group_display_name
Version metadata.product_version

MessageEditedHasLink

The following table lists the log fields and corresponding UDM mappings for the operation "MessageEditedHasLink" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
MessageId target.resource.product_object_id
MessageURLs target.resource.attribute.labels.key/value
MessageSizeInBytes target.resource.attribute.labels.key/value
SubscriptionId target.resource.attribute.labels.key/value
ChatThreadId target.user.group_identifiers and target.group.product_object_id
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
ExtraProperties additional.fields.key and additional.fields.value.string_value
MessageVersion target.resource.attribute.labels.key/value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

MeetingParticipantDetail

The following table lists the log fields and corresponding UDM mappings for the operation "MeetingParticipantDetail" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Attendees about.resource.product_object_id, about.user.product_object_id, and about.user.attribute.roles.name

OrganizationId is mapped to about.resource.product_object_id

Role is mapped to about.user.attribute.roles.name

UserObjectId is set to about.user.product_object_id

ExtraProperties additional.fields.key and additional.fields.value.string_value
JoinTime target.resource.attribute.creation_time
LeaveTime target.resource.attribute.last_update_time
MeetingDetailId target.resource.product_object_id
Version metadata.product_version

MeetingDetail

The following table lists the log fields and corresponding UDM mappings for the operation "MeetingDetail" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
StartTime target.resource.attribute.creation_time
EndTime target.resource.attribute.last_update_time
ExtraProperties additional.fields.key and additional.fields.value.string_value
MeetingURL target.url
MessageId target.resource.product_object_id
ChatThreadId target.user.group_identifiers and target.group.product_object_id
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
Modalities security_result.summary
Organizer principal.user.product_object_id
Version metadata.product_version

MessageUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdated" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
ExtraProperties additional.fields.key and additional.fields.value.string_value
MessageVersion target.resource.attribute.labels.key/value
MessageId target.resource.product_object_id
ChatThreadId target.user.group_identifiers and target.group.product_object_id
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

AggregateTransportQueueData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateTransportQueueData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

AuthorizeCustomerInsight

The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeCustomerInsight" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

AuthorizeConnectorReportData

The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeConnectorReportData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchAlertOverride

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertOverride" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

AuthorizeMailflowForwardingData

The following table lists the log fields and corresponding UDM mappings for the operation "AuthorizeMailflowForwardingData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchDomainTrafficStatus

The following table lists the log fields and corresponding UDM mappings for the operation "SearchDomainTrafficStatus" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchAlertActivity

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertActivity" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

AggregateMailmetadata

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateMailmetadata" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

InsightGenerated

The following table lists the log fields and corresponding UDM mappings for the operation "InsightGenerated" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Category security_result.category_details
Description security_result.description
InsightId target.resource.product_object_id
Name target.resource.name
Version metadata.product_version

UserSubmission

The following table lists the log fields and corresponding UDM mappings for the operation "UserSubmission" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SCAN_UNCATEGORIZED

security_result.category is MAIL_SPAM

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
InternetMessageId network.email.mail_id
KesMailId additional.fields.key and additional.fields.value.string_value
ExtendedProperties security_result.rule_name, security_result.rule_id, and security_result.category_details

SubmissionSource is mapped to security_result.rule_name

SubmissionId is mapped to security_result.rule_id

SubmissionCategory is mapped to security_result.category_details

P1SenderDomain principal.administrative_domain
Recipients network.email.to
SenderIP principal.ip
Subject network.email.subject
P2Sender network.email.from
SubmissionState security_result.summary
P1Sender principal.user.email_addresses
Version metadata.product_version

SaveRoleGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "SaveRoleGroupMember" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

AggregateCampaignIntelligenceData

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateCampaignIntelligenceData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchEmailTimelineEvents

The following table lists the log fields and corresponding UDM mappings for the operation "SearchEmailTimelineEvents" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

SearchAlertStory

The following table lists the log fields and corresponding UDM mappings for the operation "SearchAlertStory" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

AggregateThreatDetailsBulk

The following table lists the log fields and corresponding UDM mappings for the operation "AggregateThreatDetailsBulk" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

Get-User

The following table lists the log fields and corresponding UDM mappings for the operation "Get-User" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters target.process.command_line and target.resource.product_object_id
ClientApplication principal.application
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

Get-DlpComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation "Get-DlpComplianceRule" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters target.process.command_line and target.resource.product_object_id
ClientApplication principal.application
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value

AnalyzedByExternalApplication

The following table lists the log fields and corresponding UDM mappings for the operation "AnalyzedByExternalApplication" and workload "Power BI":

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.name
OrgAppPermission target.user.email_addresses and target.user.attribute.permissions.name

This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses, about.user.user_display_name, about.user.product_object_id, and about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.attribute.labels.key/value
SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

New-MigrationBatch

The following table lists the log fields and corresponding UDM mappings for the operation "New-MigrationBatch" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.resource.name, target.administrative_domain, and target.resource.attribute.key/value

If Name is Name then Value is mapped to target.resource.name

If Name is TargetDeliveryDomain then Value is mapped to target.administrative_domain

If Name is AutoStart then Value is mapped to target.resource.attribute.key/value

If Name is AutoComplete then Value is mapped to target.resource.attribute.key/value

SessionId network.session_id
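As an added illustration, not the OFFICE_365 parser's own code, the following Python sketch applies two of the rules described on this page: the fallback to GENERIC_EVENT when ClientIP is absent, which several of the MicrosoftTeams and SecurityComplianceCenter tables above state, and the Name/Value dispatch for the Parameters array in the New-MigrationBatch table. The audit record, its values and the nested-dict representation of UDM are constructed for the example; only the field names and UDM paths come from this document, and the key/value form of AutoStart and AutoComplete is modelled as labels under target.resource.attribute, which is an assumption.

```python
"""Added example: two mapping rules from this document applied in Python.

Not the Google Security Operations OFFICE_365 parser's own code. The audit
record below is constructed; the field names and UDM paths are taken from
the mapping tables on this page, and UDM is modelled as a nested dict.
"""
from typing import Any


def set_path(udm: dict, path: tuple, value: Any) -> None:
    """Assign value at a UDM path such as ("target", "resource", "name")."""
    node = udm
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def event_type_for(record: dict, default_event_type: str) -> str:
    """Rule stated in several tables above: the operation's own event type is
    used only when ClientIP is present; otherwise metadata.event_type becomes
    GENERIC_EVENT."""
    if not record.get("ClientIP"):
        return "GENERIC_EVENT"
    return default_event_type


def map_new_migration_batch(record: dict) -> dict:
    """Map a subset of the New-MigrationBatch (Exchange) fields per the table above."""
    udm: dict = {"metadata": {"event_type": "STATUS_UPDATE"}}
    if "Version" in record:
        set_path(udm, ("metadata", "product_version"), str(record["Version"]))
    if "OriginatingServer" in record:
        set_path(udm, ("principal", "hostname"), record["OriginatingServer"])
    if "SessionId" in record:
        set_path(udm, ("network", "session_id"), record["SessionId"])

    # Parameters is a list of {"Name": ..., "Value": ...} objects; the table
    # maps each Value by its Name. AutoStart and AutoComplete become key/value
    # pairs, modelled here as target.resource.attribute.labels (assumption:
    # the table writes "target.resource.attribute.key/value").
    for param in record.get("Parameters", []):
        name, value = param.get("Name"), param.get("Value")
        if name == "Name":
            set_path(udm, ("target", "resource", "name"), value)
        elif name == "TargetDeliveryDomain":
            set_path(udm, ("target", "administrative_domain"), value)
        elif name in ("AutoStart", "AutoComplete"):
            labels = (udm.setdefault("target", {})
                         .setdefault("resource", {})
                         .setdefault("attribute", {})
                         .setdefault("labels", []))
            labels.append({"key": name, "value": str(value)})
        # Any other parameter name has no mapping in the table and is dropped.
    return udm


# Constructed record; every value is a placeholder, not real tenant data.
SAMPLE_RECORD = {
    "Operation": "New-MigrationBatch",
    "Workload": "Exchange",
    "Version": 1,
    "OriginatingServer": "EXAMPLE-MBX01 (15.20.0000.000)",
    "SessionId": "00000000-0000-4000-8000-000000000000",
    "Parameters": [
        {"Name": "Name", "Value": "ConstructedBatch01"},
        {"Name": "TargetDeliveryDomain", "Value": "example.mail.onmicrosoft.com"},
        {"Name": "AutoStart", "Value": "True"},
        {"Name": "AutoComplete", "Value": "False"},
        {"Name": "SourceEndpoint", "Value": "constructed-endpoint"},  # unmapped
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(map_new_migration_batch(SAMPLE_RECORD), indent=2))
    # Get-User without ClientIP falls back per the table above.
    print(event_type_for({"Operation": "Get-User"}, "STATUS_UNCATEGORIZED"))
```

The dispatch on the parameter Name is the part worth checking in a real parser: a parameter the table does not list (SourceEndpoint in the constructed record) is silently dropped here, so when you need it for detection content, confirm in the UDM output that the field survives rather than assuming every Parameters entry is retained.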

UserSubmissionTriage

The following table lists the log fields and corresponding UDM mappings for the operation "UserSubmissionTriage" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to SCAN_UNCATEGORIZED

security_result.category is set to MAIL_SPAM

StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters about.labels.key/value (deprecated)
Parameters additional.fields.key and additional.fields.value.string_value
ClientApplication principal.application
Version metadata.product_version
ExtendedProperties security_result.rule_name, security_result.rule_id, and security_result.category_details

SubmissionSource is mapped to security_result.rule_name

SubmissionId is mapped to security_result.rule_id

SubmissionCategory is mapped to security_result.category_details

GradingResult security_result.category_details
InternetMessageId network.email.mail_id
KesMailId additional.fields.key and additional.fields.value.string_value
P1Sender principal.user.email_addresses
P1SenderDomain principal.administrative_domain
P2Sender network.email.from
Recipients network.email.to
SenderIP principal.ip
Subject network.email.subject
SubmissionState security_result.summary

FileArchived

The following table lists the log fields and corresponding UDM mappings for the operation "FileArchived" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED
Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path
Version metadata.product_version

FileCreatedOnNetworkShare

The following table lists the log fields and corresponding UDM mappings for the operation "FileCreatedOnNetworkShare" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to FILE_CREATION
Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path
Version metadata.product_version

FileCreatedOnRemovableMedia

The following table lists the log fields and corresponding UDM mappings for the operation "FileCreatedOnRemovableMedia" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to FILE_CREATION
Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path
Version metadata.product_version

SlimFilePrinted

The following table lists the log fields and corresponding UDM mappings for the operation "SlimFilePrinted" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

target.asset.type is PRINTER

Application target.application
DeviceName target.hostname
FileType target.resource.attribute.labels.key/value
TargetPrinterName target.asset.hostname
Version metadata.product_version

FilePrinted

The following table lists the log fields and corresponding UDM mappings for the operation "FilePrinted" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

target.asset.type is PRINTER

Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetPrinterName target.asset.hostname
Version metadata.product_version
Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
PreviousFileName src.file.full_path
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
ObjectId additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path
Version metadata.product_version

ArchiveCreated

The following table lists the log fields and corresponding UDM mappings for the operation "ArchiveCreated" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED
Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path
Version metadata.product_version

FileDownloadedFromBrowser

The following table lists the log fields and corresponding UDM mappings for the operation "FileDownloadedFromBrowser" and workload "Endpoint":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT
Application target.application
DestinationLocationType target.labels.key/value (deprecated)
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetFilePath target.file.full_path
Version metadata.product_version

Create application password for user

The following table lists the log fields and corresponding UDM mappings for the operation "Create application password for user" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

security_result.detection_fields.key/value

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

SearchNdrDetailData

The following table lists the log fields and corresponding UDM mappings for the operation "SearchNdrDetailData" and workload "SecurityComplianceCenter":

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
StartTime target.resource.attribute.creation_time
ClientRequestId principal.labels.key/value (deprecated)
ClientRequestId additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Parameters target.process.command_line

target.resource.product_object_id

ClientApplication principal.application
Version metadata.product_version
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
DatabaseType target.resource.attribute.labels.key/value
DataType target.labels.key/value (deprecated)
DataType additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value

MessageUpdated

The following table lists the log fields and corresponding UDM mappings for the operation "MessageUpdated" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT

If ResultStatus is TRUE then

action is ALLOW

else

action is BLOCK

ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Access

The following table lists the log fields and corresponding UDM mappings for the operation "Access" and workload "Aip":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is set to target.file.full_path

Common target.resource.product_object_id

target.resource.name

target.process.command_line

target.hostname

metadata.product_version

ApplicationId is mapped to target.resource.product_object_id

ApplicationName is mapped to target.resource.name

ProcessName is mapped to target.process.command_line

DeviceName is mapped to target.hostname

ProductVersion is mapped to metadata.product_version

DataState security_result.summary
Version metadata.product_version

Discover

The following table lists the log fields and corresponding UDM mappings for the operation "Discover" and workload "Aip":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS

ObjectId is set to target.file.full_path

Common target.resource.product_object_id

target.resource.name

target.process.command_line

target.hostname

metadata.product_version

ApplicationId is mapped to target.resource.product_object_id

ApplicationName is mapped to target.resource.name

ProcessName is mapped to target.process.command_line

DeviceName is mapped to target.hostname

ProductVersion is mapped to metadata.product_version

DataState security_result.summary
Version metadata.product_version

TIUrlClickData

The following table lists the log fields and corresponding UDM mappings for the operation "TIUrlClickData" and workload "ThreatIntelligence":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
AppName target.application
AppVersion metadata.product_version
EventDeepLink metadata.url_back_to_product
SourceId network.email.mail_id

If AppName is Mail, then SourceId is mapped to network.email.mail_id
Url target.url
UserIp principal.ip
Version metadata.product_version
UrlClickAction security_result.detection_fields.key/value

Device no longer managed

The following table lists the log fields and corresponding UDM mappings for the operation "Device no longer managed" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION

target.resource.resource_type is set to DEVICE

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.asset.product_object_id

target.platform

If Name is TargetId.DeviceId then NewValue is mapped to target.asset.product_object_id

If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

AirInvestigationData

The following table lists the log fields and corresponding UDM mappings for the operation "AirInvestigationData" and workload "AirInvestigation":

Log field UDM mapping
metadata.event_type is mapped to SYSTEM_AUDIT_LOG_UNCATEGORIZED

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

LastUpdateTimeUtc target.resource.attribute.last_update_time
Status security_result.summary
InvestigationId target.resource.product_object_id
InvestigationType target.resource.attribute.labels.key/value
Data security_result.description

security_result.category_details

network.email.to

network.email.from

network.email.mail_id

network.email.subject

network.direction

principal.ip

principal.administrative_domain

principal.user.email_addresses

Data.Description is mapped to security_result.description

Data.Category is mapped to security_result.category_details

Data.Entities.1.Recipient is mapped to network.email.to

Data.Entities.1.Sender is mapped to network.email.from

Data.Entities.1.InternetMessageId is mapped to network.email.mail_id

Data.Entities.1.Subject is mapped to network.email.subject

Data.Entities.1.AntispamDirection is mapped to network.direction

Data.Entities.1.SenderIP is mapped to principal.ip

Data.Entities.1.P1SenderDomain is mapped to principal.administrative_domain

Data.Entities.1.P1Sender is mapped to principal.user.email_addresses

InvestigationName target.resource.name
StartTimeUtc target.resource.attribute.creation_time
Version metadata.product_version
DeepLinkUrl metadata.url_back_to_product

Set-MailboxJunkEmailConfiguration

The following table lists the log fields and corresponding UDM mappings for the operation "Set-MailboxJunkEmailConfiguration" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

OriginatingServer principal.hostname
OrganizationName target.administrative_domain
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
Parameters target.user.email_addresses

If Name is BlockedSendersAndDomains, then Value is mapped to target.user.email_addresses (the value is a semicolon-separated list of email addresses; each address is mapped)

SessionId network.session_id
Version metadata.product_version

New-DistributionGroup

The following table lists the log fields and corresponding UDM mappings for the operation "New-DistributionGroup" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_CREATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then

Action is set to ALLOW

else

Action is set to BLOCK

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

security_result.description

target.group.attribute.labels.key/value

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

If Name is ManagedBy then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Member then Value is mapped to security_result.description

else

target.group.attribute.labels.key/value

SessionId network.session_id

Add-DistributionGroupMember

The following table lists the log fields and corresponding UDM mappings for the operation "Add-DistributionGroupMember" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION

ObjectId is set to target.group.group_display_name

security_result.summary is set to Group Members definition

If ResultStatus is True then

Action is set to ALLOW

else

Action is set to BLOCK

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.group.product_object_id or target.group.email_addresses

target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.group.attribute.labels.key/value

If Name is Identity then Value is mapped to target.group.product_object_id or target.group.email_addresses

If Name is Member then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

else

target.group.attribute.labels.key/value

SessionId network.session_id

Remove-InboxRule

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-InboxRule" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to SETTING_DELETION

target.resource.resource_type is set to SETTING

ObjectId is set to target.group.product_object_id

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.rule_labels.key/value
SessionId network.session_id

Enable-Mailbox

The following table lists the log fields and corresponding UDM mappings for the operation "Enable-Mailbox" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.resource.attribute.labels.key/value

If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

if Name is Archive then Value is mapped to target.resource.attribute.labels.key/value

SessionId network.session_id
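
The Exchange rules above (Set-MailboxJunkEmailConfiguration, New-DistributionGroup, Add-DistributionGroupMember, Remove-InboxRule and Enable-Mailbox) all hinge on the same Parameters array of Name/Value pairs, and the junk-mail and inbox-rule cmdlets are ones an analyst wants to pivot on quickly, because changing a victim's junk configuration or removing inbox rules is routine tradecraft in business email compromise. The following Python is an added example that renders those documented rules so they can be checked against a sample record; it is not the OFFICE_365 parser, which is a Google Security Operations parser. It assumes that a Parameters value containing "@" is an email address and anything else a product_object_id, that ResultStatus arrives as the string "True"/"False" or a bool, and that the two sample records are constructed rather than taken from a tenant.

```python
"""Python rendering of the Exchange cmdlet mapping rules documented on this
page (added example, not the OFFICE_365 parser itself).

Assumptions the page does not state: a Parameters value containing "@" is an
email address, otherwise a product_object_id; ResultStatus is the string
"True"/"False" or a bool; label/key names are this example's own choice.
"""
from typing import Any, Dict, List

GROUP_OPS = {"New-DistributionGroup": "GROUP_CREATION",
             "Add-DistributionGroupMember": "GROUP_MODIFICATION"}


def parameters_by_name(record: Dict[str, Any]) -> Dict[str, str]:
    """Exchange audit records carry cmdlet arguments as [{Name, Value}, ...]."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def split_addresses(value: str) -> List[str]:
    """BlockedSendersAndDomains is a ';'-separated list; drop blanks and whitespace."""
    return [v.strip() for v in value.split(";") if v.strip()]


def id_or_email(value: str, noun: str) -> Dict[str, Any]:
    """Route an Identity/Member/ManagedBy value to email_addresses or product_object_id."""
    if "@" in value:
        return {f"target.{noun}.email_addresses": [value]}
    return {f"target.{noun}.product_object_id": value}


def normalize_exchange_record(record: Dict[str, Any]) -> Dict[str, Any]:
    op = record.get("Operation")
    params = parameters_by_name(record)
    udm: Dict[str, Any] = {           # fields common to every Exchange operation here
        "metadata.product_version": record.get("Version"),
        "principal.hostname": record.get("OriginatingServer"),
        "target.administrative_domain": record.get("OrganizationName"),
        "network.session_id": record.get("SessionId"),
        "additional.fields": {k: record[k] for k in ("AppId", "ClientAppId") if k in record},
    }
    if op == "Set-MailboxJunkEmailConfiguration":
        udm["metadata.event_type"] = "SETTING_MODIFICATION"
        udm["target.resource.resource_type"] = "SETTING"
        if "BlockedSendersAndDomains" in params:
            udm["target.user.email_addresses"] = split_addresses(params["BlockedSendersAndDomains"])
    elif op in GROUP_OPS:
        udm["metadata.event_type"] = GROUP_OPS[op]
        udm["target.group.group_display_name"] = record.get("ObjectId")
        udm["security_result.summary"] = "Group Members definition"
        udm["security_result.action"] = "ALLOW" if str(record.get("ResultStatus")) == "True" else "BLOCK"
        labels: Dict[str, str] = {}
        for name, value in params.items():
            if name == "Identity":
                udm.update(id_or_email(value, "group"))
            elif name == "Member" and op == "New-DistributionGroup":
                udm["security_result.description"] = value      # member list as text
            elif name == "Member" or (name == "ManagedBy" and op == "New-DistributionGroup"):
                udm.update(id_or_email(value, "user"))
            else:
                labels[name] = value                              # everything else is a label
        udm["target.group.attribute.labels"] = labels
    elif op == "Remove-InboxRule":
        udm["metadata.event_type"] = "SETTING_DELETION"
        udm["target.resource.resource_type"] = "SETTING"
        udm["target.group.product_object_id"] = record.get("ObjectId")   # as documented
        udm["security_result.rule_labels"] = params
    elif op == "Enable-Mailbox":
        udm["metadata.event_type"] = "USER_RESOURCE_CREATION"
        if "Identity" in params:
            udm.update(id_or_email(params["Identity"], "user"))
        if "Archive" in params:
            udm["target.resource.attribute.labels"] = {"Archive": params["Archive"]}
    return udm


# Constructed sample records (not a real tenant's logs).
JUNK_CONFIG = {
    "Operation": "Set-MailboxJunkEmailConfiguration", "Workload": "Exchange", "Version": 1,
    "OriginatingServer": "EX01 (15.20.7000.000)", "OrganizationName": "example.onmicrosoft.com",
    "SessionId": "9f0d3c1e-0000-4000-8000-000000000001", "ResultStatus": "True",
    "Parameters": [{"Name": "Identity", "Value": "alice@example.com"},
                   {"Name": "BlockedSendersAndDomains", "Value": "spam@bad.test; phish@worse.test;;"}],
}
ADD_MEMBER = {
    "Operation": "Add-DistributionGroupMember", "Workload": "Exchange", "Version": 1,
    "ObjectId": "Finance-Approvers", "ResultStatus": "True",
    "Parameters": [{"Name": "Identity", "Value": "finance-approvers@example.com"},
                   {"Name": "Member", "Value": "contractor@example.com"},
                   {"Name": "BypassSecurityGroupManagerCheck", "Value": "True"}],
}

if __name__ == "__main__":
    for rec in (JUNK_CONFIG, ADD_MEMBER):
        print(normalize_exchange_record(rec))
```

Running the script prints both normalized records. Note that the semicolon split tolerates trailing and doubled separators, which the raw Value often contains, and that for Remove-InboxRule the page routes the whole Parameters array to security_result.rule_labels, so the rule name is searchable there rather than in a target field.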

Import

The following table lists the log fields and corresponding UDM mappings for the operation "Import" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission target.user.email_addresses

target.user.attribute.permissions.name

This field is mapped according to the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation about.user.email_addresses

about.user.user_display_name

about.user.product_object_id

about.user.attribute.permissions.name

RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ImportSource about.labels.key/value (deprecated)
ImportSource additional.fields.key and additional.fields.value.string_value
ImportType target.file.mime_type
ImportDisplayName target.file.full_path

Device no longer compliant

The following table lists the log fields and corresponding UDM mappings for the operation "Device no longer compliant" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS

target.resource.resource_type is set to DEVICE

AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.platform

target.resource.product_object_id

If Name is TargetId.DeviceId then NewValue is mapped to target.resource.product_object_id

If Name is TargetId.DeviceOSType then NewValue is mapped to target.platform

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Enable account

The following table lists the log fields and corresponding UDM mappings for the operation "Enable account" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.resource.name

security_result.detection_fields.key/value

target.user.attribute.labels.key/value

If Name is Included Updated Properties then NewValue is mapped to security_result.summary

If Name is Action Client Name then NewValue is mapped to target.resource.name

If Name is HardDeleted then NewValue and OldValue is mapped to security_result.detection_fields.key/value

If Name is GivenName then NewValue and OldValue is mapped to target.user.attribute.labels.key/value

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add service principal credentials

The following table lists the log fields and corresponding UDM mappings for the operation "Add service principal credentials" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5 then ID is mapped to target.user.userid or target.user.email_addresses

else

security_result.detection_fields.key/value

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Set-SyncUser

The following table lists the log fields and corresponding UDM mappings for the operation "Set-SyncUser" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

SessionId network.session_id

MessageSent

The following table lists the log fields and corresponding UDM mappings for the operation "MessageSent" and workload "MicrosoftTeams":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE

If ClientIP field is absent then metadata.event_type is mapped to GENERIC_EVENT.

MessageSizeInBytes target.resource.attribute.labels.key/value
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
OperationScope about.labels.key/value (deprecated)
OperationScope additional.fields.key and additional.fields.value.string_value
TeamGuid target.user.group_identifiers

target.group.product_object_id

TeamName target.group.group_display_name
AADGroupId target.labels.key/value (deprecated)
AADGroupId additional.fields.key and additional.fields.value.string_value
CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
MessageId target.resource.product_object_id
Version metadata.product_version
MessageVersion target.resource.attribute.labels.key/value

Remove service principal credentials

The following table lists the log fields and corresponding UDM mappings for the operation "Remove service principal credentials" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses.

Else, ID is mapped to security_result.detection_fields.key/value.

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
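The conditional rules that recur in the AzureActiveDirectory tables (ExtendedProperties, ModifiedProperties, Target and ActorIpAddress) are implemented below in Python as an added illustrative example; this is not the OFFICE_365 parser's code. The regex standing in for the page's unnamed Grok pattern, the email-versus-userid choice for Type 5 targets, and the constructed sample record are assumptions.

```python
import ipaddress
import re

# Assumption: this regex stands in for the Grok pattern the page mentions; it pulls
# the User-Agent value out of the JSON-like additionalDetails string.
USER_AGENT_RE = re.compile(r'"User-Agent"\s*:\s*"([^"]*)"')

# Constructed sample record (not data from a real tenant).
SAMPLE_RECORD = {
    "Operation": "Remove service principal credentials",
    "Workload": "AzureActiveDirectory",
    "Version": 1,
    "ActorIpAddress": "203.0.113.10:50443",
    "ExtendedProperties": [
        {"Name": "additionalDetails",
         "Value": '{"User-Agent":"Mozilla/5.0 (Windows NT 10.0) ExampleClient/1.0"}'},
        {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"},
        {"Name": "actorContextId", "Value": "11111111-2222-3333-4444-555555555555"},
    ],
    "ModifiedProperties": [
        {"Name": "KeyDescription", "NewValue": "[]", "OldValue": '["KeyIdentifier=abc"]'},
        {"Name": "Included Updated Properties", "NewValue": "KeyDescription", "OldValue": ""},
    ],
    "Target": [
        {"Type": 1, "ID": "ServicePrincipal_12345678-aaaa-bbbb-cccc-dddddddddddd"},
        {"Type": 5, "ID": "svc-automation@example.com"},
    ],
}

def map_extended_properties(props):
    """Three-way ExtendedProperties rule: user agent, event category label, or generic field."""
    udm = {"target.resource.attribute.labels": {}, "additional.fields": {}}
    for prop in props:
        name, value = prop.get("Name"), prop.get("Value", "")
        if name == "additionalDetails":
            match = USER_AGENT_RE.search(value)
            if match:
                udm["network.http.user_agent"] = match.group(1)
        elif name == "extendedAuditEventCategory":
            udm["target.resource.attribute.labels"][name] = value
        else:
            udm["additional.fields"][name] = value
    return udm

def map_modified_properties(props):
    """'Included Updated Properties' becomes security_result.summary; the rest become fields."""
    udm = {"additional.fields": {}}
    for prop in props:
        name, new_value = prop.get("Name"), prop.get("NewValue", "")
        if name == "Included Updated Properties":
            udm["security_result.summary"] = new_value
        else:
            udm["additional.fields"][name] = new_value
    return udm

def map_target(targets):
    """Type 5 entries identify the target user; other types become detection fields."""
    udm = {"security_result.detection_fields": {}}
    for entry in targets:
        ident = entry.get("ID", "")
        if entry.get("Type") == 5:
            # Assumption: an ID containing '@' is an email address, otherwise a userid.
            key = "target.user.email_addresses" if "@" in ident else "target.user.userid"
            udm.setdefault(key, []).append(ident)
        else:
            udm["security_result.detection_fields"][f"Target_Type_{entry.get('Type')}"] = ident
    return udm

def map_actor_ip(value):
    """Split ActorIpAddress into principal.ip and principal.port (IPv6 may be bracketed)."""
    if not value:
        return {}
    host, port = value, None
    if value.startswith("["):          # "[2001:db8::1]:443"
        host, _, port = value[1:].partition("]:")
    elif value.count(":") == 1:        # "203.0.113.10:50443"
        host, _, port = value.partition(":")
    try:
        udm = {"principal.ip": str(ipaddress.ip_address(host))}
    except ValueError:
        return {}                      # unparsable address: map nothing rather than garbage
    if port and port.isdigit():
        udm["principal.port"] = int(port)
    return udm

def to_udm(record):
    """Combine the per-field rules into one flat dictionary keyed by UDM path."""
    udm = {"metadata.product_version": str(record.get("Version", ""))}
    udm.update(map_extended_properties(record.get("ExtendedProperties", [])))
    for key, val in map_modified_properties(record.get("ModifiedProperties", [])).items():
        if key == "additional.fields":
            udm["additional.fields"].update(val)
        else:
            udm[key] = val
    udm.update(map_target(record.get("Target", [])))
    udm.update(map_actor_ip(record.get("ActorIpAddress")))
    return udm
```

Running `to_udm(SAMPLE_RECORD)` yields a user agent, the ServicePrincipal category label, a summary of "KeyDescription", the Type 5 email address and a split IP and port, while the Type 1 target lands in detection fields.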

Remove-MoveRequest

The following table lists the log fields and corresponding UDM mappings for the operation "Remove-MoveRequest" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters target.user.product_object_id or target.user.email_addresses or target.user.user_display_name

target.resource.attribute.labels.key/value

If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

If Name is ExecutingIdentity then Value is mapped to target.resource.attribute.labels.key/value

StreamInvokeGetTranscript

The following table lists the log fields and corresponding UDM mappings for the operation "StreamInvokeGetTranscript" and workload "MicrosoftStream":

Log field UDM mapping
metadata.event_type is mapped to USER_COMMUNICATION
ClientApplicationId principal.labels.key/value (deprecated)
ClientApplicationId additional.fields.key and additional.fields.value.string_value
EntityPath metadata.url.back_to_product
OperationDetails metadata.description
ResourceTitle target.resource.name
ResourceUrl target.url
Version metadata.product_version

Remove owner from group

The following table lists the log fields and corresponding UDM mappings for the operation "Remove owner from group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.group.product_object_id

target.group.group_display_name

If Name is Group.ObjectID then NewValue is mapped to target.group.product_object_id

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses.

Else, ID is mapped to security_result.detection_fields.key/value.

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Add app role assignment to group

The following table lists the log fields and corresponding UDM mappings for the operation "Add app role assignment to group" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.product_object_id

target.resource.name

target.group.group_display_name

If Name is AppRole.Id then NewValue is mapped to target.resource.product_object_id

If Name is AppRole.DisplayName then NewValue is mapped to target.resource.name

If Name is Group.DisplayName then NewValue is mapped to target.group.group_display_name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses.

Else, ID is mapped to security_result.detection_fields.key/value.

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

Disable-MailUser

The following table lists the log fields and corresponding UDM mappings for the operation "Disable-MailUser" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED

If ResultStatus is True, then Action is set to BLOCK.

Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters If Name is Identity then Value is mapped to target.user.product_object_id or target.user.email_addresses or target.user.userid

New-FolderMoveRequest

The following table lists the log fields and corresponding UDM mappings for the operation "New-FolderMoveRequest" and workload "Exchange":

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
Version metadata.product_version
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
ClientAppId target.labels.key/value (deprecated)
ClientAppId additional.fields.key and additional.fields.value.string_value
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters If Name is Name then Value is mapped to target.resource.name

If Name is DomainController then Value is mapped to target.administrative_domain

If Name is Folders then Value is mapped to target.resource.attribute.labels.key/value

Add owner to policy

The following table lists the log fields and corresponding UDM mappings for the operation "Add owner to policy" and workload "AzureActiveDirectory":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties If Name is Policy.ObjectID then NewValue is mapped to target.resource.product_object_id

If Name is Policy.DisplayName then NewValue is mapped to target.resource.name

Actor security_result.detection_fields.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
ActorIpAddress principal.ip and principal.port
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target target.user.userid or target.user.email_addresses

If Type is 5, then ID is mapped to target.user.userid or target.user.email_addresses.

Else, ID is mapped to security_result.detection_fields.key/value.

version metadata.product_version
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value

EditContentProviderProperties

The following table lists the log fields and corresponding UDM mappings for the operation "EditContentProviderProperties" and workload "PowerBI":

Log field UDM mapping
metadata.event_type is mapped to SETTING_MODIFICATION

target.resource.resource_type is set to SETTING

AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
DashboardName target.resource.attribute.labels.key/value
DataClassification target.labels.key/value (deprecated)
DataClassification additional.fields.key and additional.fields.value.string_value
DatasetName target.resource.attribute.labels.key/value
OrgAppPermission This field is mapped based on the value of the UpdateApp operation.

recipients is mapped to target.user.email_addresses

permissions is mapped to target.user.attribute.permissions.name

ReportName target.resource.attribute.labels.key/value
SharingInformation RecipientEmail is mapped to about.user.email_addresses

RecipientName is mapped to about.user.user_display_name

ObjectId is set to about.user.product_object_id

ResharePermission is mapped to about.user.attribute.permissions.name

WorkSpaceName target.resource.name
WorkspaceId target.resource.product_object_id
SwitchState about.labels.key/value (deprecated)
SwitchState additional.fields.key and additional.fields.value.string_value
ContentProviderCertificationStage security_result.summary
AppId target.labels.key/value (deprecated)
AppId additional.fields.key and additional.fields.value.string_value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value

ReportingAccessed

The following table lists the log fields and corresponding UDM mappings for the operation "ReportingAccessed" and workload "Project":

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
Version metadata.product_version
Action security_result.description
OnBehalfOfResId about.labels.key/value (deprecated)
OnBehalfOfResId additional.fields.key and additional.fields.value.string_value

GroupAccessFailure

The following table lists the log fields and corresponding UDM mappings for the operation "GroupAccessFailure" and workload "Yammer":

Log field UDM mapping
metadata.event_type is mapped to GROUP_UNCATEGORIZED
ActorUserId principal.user.email_addresses

principal.user.userid

ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
DataExportType target.resource.attribute.labels.key/value
FileId target.resource.product_object_id
FileName target.file.full_path
GroupName target.group.group_display_name
IsSoftDelete security_result.description is set to IsSoftDelete - {IsSoftDelete}
MessageId target.resource.product_object_id
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value
TargetUserId target.user.email_addresses
TargetYammerUserId target.labels.key/value (deprecated)
TargetYammerUserId additional.fields.key and additional.fields.value.string_value
VersionId about.labels.key/value (deprecated)
VersionId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

FileSensitivityLabelChanged

The following table lists the log fields and corresponding UDM mappings for the operation FileSensitivityLabelChanged and workload SharePoint or OneDrive:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED

ObjectId is mapped to target.file.full_path

AppAccessContext.CorrelationId security_result.detection_fields.key/value
CorrelationId security_result.detection_fields.key/value
DestinationFileExtension target.file.mime_type
DestinationFileName target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationRelativeUrl target.file.full_path is set to {DestinationRelativeUrl}/{DestinationFileName}
DestinationLabel target.labels.key/value (deprecated)
DestinationLabel additional.fields.key and additional.fields.value.string_value
EventSource principal.application
HighPriorityMediaProcessing about.labels.key/value (deprecated)
HighPriorityMediaProcessing additional.fields.key and additional.fields.value.string_value
IsManagedDevice about.labels.key/value (deprecated)
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListServerTemplate security_result.detection_fields.key/value
SensitivityLabelEventData.ActionSource principal.labels.key/value (deprecated)
SensitivityLabelEventData.ActionSource additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.LabelEventType target.labels.key/value (deprecated)
SensitivityLabelEventData.LabelEventType additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.OldSensitivityLabelId target.resource.product_object_id
SensitivityLabelEventData.OldSensitivityLabelOwnerEmail security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceRelativeUrl src.file.full_path is set to {SourceRelativeUrl}/{SourceFileName}
SourceLabel src.labels.key/value (deprecated)
SourceLabel additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

FileRead

The following table lists the log fields and corresponding UDM mappings for the operation FileRead and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_READ

ObjectId is mapped to target.url

Application principal.application
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode target.labels.key/value (deprecated)
EnforcementMode additional.fields.key and additional.fields.value.string_value
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
PolicyMatchInfo target.resource.product_object_id

security_result.summary

security_result.rule_id

security_result.rule_name

PolicyId is mapped to target.resource.product_object_id

PolicyName is mapped to security_result.summary

RuleId is mapped to security_result.rule_id

RuleName is mapped to security_result.rule_name

RMSEncrypted security_result.detection_fields.key/value
SensitiveInfoTypeData security_result.detection_fields.key/value

security_result.confidence_details

SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value

MessageReadReceiptReceived

The following table lists the log fields and corresponding UDM mappings for the operation MessageReadReceiptReceived and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE
ChatThreadId target.user.group_identifiers

target.group.product_object_id

CommunicationType about.labels.key/value (deprecated)
CommunicationType additional.fields.key and additional.fields.value.string_value
MessageId target.resource.product_object_id
MessageVersion target.resource.attribute.labels.key/value
MessageVisibilityTime target.resource.attribute.labels.key/value
ParticipantInfo.HasForeignTenantUsers security_result.detection_fields.key/value
ParticipantInfo.HasGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasOtherGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasUnauthenticatedUsers security_result.detection_fields.key/value
ParticipantInfo.ParticipatingTenantIds security_result.detection_fields.key/value

Search

The following table lists the log fields and corresponding UDM mappings for the operation Search and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UNCATEGORIZED
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
DataType security_result.description

TaskDeleted

The following table lists the log fields and corresponding UDM mappings for the operation TaskDeleted and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION

target.resource.resource_type is set to TASK

ActorAppId target.labels.key/value (deprecated)
ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId security_result.detection_fields.key/value
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value (deprecated)
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId target.labels.key/value (deprecated)
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

TaskUpdated

The following table lists the log fields and corresponding UDM mappings for the operation TaskUpdated and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN

target.resource.resource_type is set to TASK

ActorAppId target.labels.key/value (deprecated)
ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId security_result.detection_fields.key/value
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value (deprecated)
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId target.labels.key/value (deprecated)
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

TaskCreation

The following table lists the log fields and corresponding UDM mappings for the operation TaskCreation and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION

target.resource.resource_type is set to TASK

ActorAppId target.labels.key/value (deprecated)
ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId security_result.detection_fields.key/value
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value (deprecated)
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId target.labels.key/value (deprecated)
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

SecurityGroupModified

The following table lists the log fields and corresponding UDM mappings for the operation SecurityGroupModified and workload Project:

Log field UDM mapping
metadata.event_type is mapped to GROUP_MODIFICATION
CorrelationId security_result.detection_fields.key/value
Entity metadata.product_name
EventSource principal.application
ItemType target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AppAccessContext.UniqueTokenId target.labels.key/value (deprecated)
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
AppAccessContext.CorrelationId security_result.detection_fields.key/value

LaunchPowerApp

The following table lists the log fields and corresponding UDM mappings for the operation LaunchPowerApp and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT
AppName target.labels.key/value (deprecated)
AppName additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

DeleteDatasetRows

The following table lists the log fields and corresponding UDM mappings for the operation DeleteDatasetRows and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION.

If ResultStatus is TRUE then Action is set to ALLOW and security_result.summary is set to DataSetRow deletion successful

else Action is set to BLOCK and security_result.summary is set to DataSetRow deletion failed.

UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
DatasetName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value
DatasetId target.resource.product_object_id
DataConnectivityMode target.resource.attribute.labels.key/value
ArtifactId target.resource.attribute.labels.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
TableName target.resource.attribute.labels.key/value
LastRefreshTime about.labels.key/value (deprecated)
LastRefreshTime additional.fields.key and additional.fields.value.string_value
ArtifactKind target.resource.attribute.labels.key/value

New-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value (deprecated)
ClientApplication additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

New-DlpComplianceRule

The following table lists the log fields and corresponding UDM mappings for the operation New-DlpComplianceRule and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value (deprecated)
ClientApplication additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Get-InsiderRiskPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Get-InsiderRiskPolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.
ClientApplication principal.labels.key/value (deprecated)
ClientApplication additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Set-HostedContentFilterPolicy

The following table lists the log fields and corresponding UDM mappings for the operation Set-HostedContentFilterPolicy and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

target.resource.resource_type is set to SETTING.

If ResultStatus is TRUE then Action is set to ALLOW

else Action is set to BLOCK.

ExternalAccess about.labels.key/value (deprecated)
ExternalAccess additional.fields.key and additional.fields.value.string_value
ObjectId target.resource.product_object_id
Version metadata.product_version
Parameters target.resource.attribute.labels.key/value
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value

Enable Strong Authentication.

The following table lists the log fields and corresponding UDM mappings for the operation Enable Strong Authentication. and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
ExtendedProperties network.http.user_agent

target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary

target.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to Included Updated Properties, then the NewValue log field value is mapped to the security_result.summary UDM field.

Else, the NewValue log field value is mapped to the target.labels.key/value (deprecated), additional.fields.key and additional.fields.value.struct_value.fields UDM fields.

ReactedToMessage

The following table lists the log fields and corresponding UDM mappings for the operation ReactedToMessage and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.IssuedAtTime target.labels.key/value (deprecated)
AppAccessContext.IssuedAtTime additional.fields.key and additional.fields.value.string_value
AppAccessContext.UniqueTokenId target.labels.key/value (deprecated)
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
ChatThreadId target.user.group_identifiers
ChatThreadId target.group.product_object_id
MessageReactionType target.resource.attribute.labels.key/value
ChatName target.group.group_display_name
MessageId target.resource.product_object_id
ParticipantInfo.HasForeignTenantUsers security_result.detection_fields.key/value
ParticipantInfo.HasGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasOtherGuestUsers security_result.detection_fields.key/value
ParticipantInfo.HasUnauthenticatedUsers security_result.detection_fields.key/value
ParticipantInfo.ParticipatingTenantIds security_result.detection_fields.key/value

RemovableMediaUnmount

The following table lists the log fields and corresponding UDM mappings for the operation RemovableMediaUnmount and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
MDATPDeviceId target.asset.asset_id
Platform target.labels.key/value (deprecated)
Platform additional.fields.key and additional.fields.value.string_value
Scope target.labels.key/value (deprecated)
Scope additional.fields.key and additional.fields.value.string_value
RemovableMediaDeviceAttributes.Manufacturer target.asset.hardware.manufacturer
RemovableMediaDeviceAttributes.Model target.asset.hardware.model
RemovableMediaDeviceAttributes.SerialNumber target.asset.hardware.serial_number

FileUploadedToCloud

The following table lists the log fields and corresponding UDM mappings for the operation FileUploadedToCloud and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_SYNC.
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode target.labels.key/value (deprecated)
EnforcementMode additional.fields.key and additional.fields.value.string_value
EvidenceFile.FullUrl target.file.full_path
EvidenceFile.StorageName target.file.names
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
ObjectId target.file.full_path
SensitiveInfoTypeData.Count security_result.detection_fields.key/value
SensitiveInfoTypeData.Confidence security_result.detection_fields.key/value
SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
TargetPrinterName target.asset.hostname
target.asset.type is set to PRINTER
TargetDomain target.labels.key/value (deprecated)
TargetDomain additional.fields.key and additional.fields.value.string_value

GenerateDataflowSasToken

The following table lists the log fields and corresponding UDM mappings for the operation GenerateDataflowSasToken and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to USER_CHANGE_PERMISSIONS.
DataflowAccessTokenRequestParameters.entityName principal.labels.key/value (deprecated)
DataflowAccessTokenRequestParameters.entityName additional.fields.key and additional.fields.value.string_value
DataflowAccessTokenRequestParameters.partitionUri principal.labels.key/value (deprecated)
DataflowAccessTokenRequestParameters.partitionUri additional.fields.key and additional.fields.value.string_value
DataflowAccessTokenRequestParameters.permissions principal.labels.key/value (deprecated)
DataflowAccessTokenRequestParameters.permissions additional.fields.key and additional.fields.value.string_value
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes principal.labels.key/value (deprecated)
DataflowAccessTokenRequestParameters.tokenLifetimeInMinutes additional.fields.key and additional.fields.value.string_value
DataflowId target.resource.product_object_id
DataflowName target.resource.name
IsSuccess

If IsSuccess is TRUE then Action is set to ALLOW

else Action is set to BLOCK.

ItemName target.labels.key/value (deprecated)
ItemName additional.fields.key and additional.fields.value.string_value

GenerateScreenshot

The following table lists the log fields and corresponding UDM mappings for the operation GenerateScreenshot and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.

MDCAssessments

The following table lists the log fields and corresponding UDM mappings for the operation MDCAssessments and workload CompliancePostureManagement:

Log field UDM mapping
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
PropertyBag.AssessmentStatusPerInitiative.ArnEventId about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.ArnEventId additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.CloudProvider about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.CloudProvider additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.CustomerResourceId about.resource.product_object_id
PropertyBag.AssessmentStatusPerInitiative.EventType about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.EventType additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeId additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.PolicyInitiativeName additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.ResourceName about.resource.name
PropertyBag.AssessmentStatusPerInitiative.ResourceType about.resource.resource_subtype
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.SecurityAssessmentId additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.StatusChangeDate additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.StatusCode about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.StatusCode additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.StatusFirstEvaluationDate additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.SubscriptionId about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.SubscriptionId additional.fields.key and additional.fields.value.string_value
PropertyBag.AssessmentStatusPerInitiative.SubscriptionName about.labels.key/value (deprecated)
PropertyBag.AssessmentStatusPerInitiative.SubscriptionName additional.fields.key and additional.fields.value.string_value
PropertyBag.DataType about.labels.key/value (deprecated)
PropertyBag.DataType additional.fields.key and additional.fields.value.string_value

RemovableMediaMount

The following table lists the log fields and corresponding UDM mappings for the operation RemovableMediaMount and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
MDATPDeviceId target.asset.asset_id
Platform target.labels.key/value (deprecated)
Platform additional.fields.key and additional.fields.value.string_value
Scope target.labels.key/value (deprecated)
Scope additional.fields.key and additional.fields.value.string_value
RemovableMediaDeviceAttributes.Manufacturer target.asset.hardware.manufacturer
RemovableMediaDeviceAttributes.Model target.asset.hardware.model
RemovableMediaDeviceAttributes.SerialNumber target.asset.hardware.serial_number

SignInEvent

The following table lists the log fields and corresponding UDM mappings for the operation SignInEvent and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
AuthenticationType principal.labels.key/value (deprecated)
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName principal.labels.key/value (deprecated)
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion principal.labels.key/value (deprecated)
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName principal.labels.key/value (deprecated)
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
IsManagedDevice principal.labels.key/value (deprecated)
IsManagedDevice additional.fields.key and additional.fields.value.string_value

ApprovedRequest

The following table lists the log fields and corresponding UDM mappings for the operation ApprovedRequest and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_PERMISSIONS.
ItemName target.labels.key/value (deprecated)
ItemName additional.fields.key and additional.fields.value.string_value

CreateForm

The following table lists the log fields and corresponding UDM mappings for the operation CreateForm and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_CREATION.
FormsUserType target.labels.key/value (deprecated)
FormsUserType additional.fields.key and additional.fields.value.string_value
SourceApp principal.application

ListForms

The following table lists the log fields and corresponding UDM mappings for the operation ListForms and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.

MDCRegulatoryComplianceAssessments

The following table lists the log fields and corresponding UDM mappings for the operation MDCRegulatoryComplianceAssessments and workload CompliancePostureManagement:

Log field UDM mapping
metadata.event_type is mapped to SCAN_UNCATEGORIZED.
PropertyBag.DataType about.labels.key/value (deprecated)
PropertyBag.DataType additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.ArnEventId about.labels.key/value (deprecated)
PropertyBag.Policy.ArnEventId additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.Description about.labels.key/value (deprecated)
PropertyBag.Policy.Description additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.DetailsLink about.labels.key/value (deprecated)
PropertyBag.Policy.DetailsLink additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.EventTime about.labels.key/value (deprecated)
PropertyBag.Policy.EventTime additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.EventType about.labels.key/value (deprecated)
PropertyBag.Policy.EventType additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.PolicyInitiativeId about.labels.key/value (deprecated)
PropertyBag.Policy.PolicyInitiativeId additional.fields.key and additional.fields.value.string_value
PropertyBag.Policy.PolicyInitiativeName about.labels.key/value (deprecated)
PropertyBag.Policy.PolicyInitiativeName additional.fields.key and additional.fields.value.string_value

PreviewForm

The following table lists the log fields and corresponding UDM mappings for the operation PreviewForm and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS.

ViewedApprovalRequest

The following table lists the log fields and corresponding UDM mappings for the operation ViewedApprovalRequest and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
ItemName target.labels.key/value (deprecated)
ItemName additional.fields.key and additional.fields.value.string_value

ListCreated

The following table lists the log fields and corresponding UDM mappings for the operation ListCreated and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.UniqueTokenId target.labels.key/value (deprecated)
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value

SiteColumnCreated

The following table lists the log fields and corresponding UDM mappings for the operation SiteColumnCreated and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
ObjectId target.resource.product_object_id

ListViewUpdated

The following table lists the log fields and corresponding UDM mappings for the operation ListViewUpdated and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.UniqueTokenId target.labels.key/value (deprecated)
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
AuthenticationType principal.labels.key/value (deprecated)
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName principal.labels.key/value (deprecated)
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion principal.labels.key/value (deprecated)
BrowserVersion additional.fields.key and additional.fields.value.string_value
CustomizedDoclib principal.labels.key/value (deprecated)
CustomizedDoclib additional.fields.key and additional.fields.value.string_value
DeviceDisplayName principal.labels.key/value (deprecated)
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
FromApp principal.labels.key/value (deprecated)
FromApp additional.fields.key and additional.fields.value.string_value
IsManagedDevice principal.labels.key/value (deprecated)
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemCount target.labels.key/value (deprecated)
ItemCount additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListBaseTemplateType target.labels.key/value (deprecated)
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListColor target.labels.key/value (deprecated)
ListColor additional.fields.key and additional.fields.value.string_value
ListIcon target.labels.key/value (deprecated)
ListIcon additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListTitle about.labels.key/value (deprecated)
ListTitle additional.fields.key and additional.fields.value.string_value
ObjectId target.url
Platform target.labels.key/value (deprecated)
Platform additional.fields.key and additional.fields.value.string_value
RecordType security_result.detection_fields.key/value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
Source security_result.description
TemplateTypeId about.labels.key/value (deprecated)
TemplateTypeId additional.fields.key and additional.fields.value.string_value
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

TeamsUserSignedOut

The following table lists the log fields and corresponding UDM mappings for the operation TeamsUserSignedOut and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to USER_LOGOUT.
extension.auth.auth_type is mapped to SSO.
ChannelGuid target.labels.key/value (deprecated)
ChannelGuid additional.fields.key and additional.fields.value.string_value
ChannelName target.labels.key/value (deprecated)
ChannelName additional.fields.key and additional.fields.value.string_value
ChatName target.group.group_display_name
ChatThreadId target.user.group_identifiers
DeviceInformation principal.labels.key/value (deprecated)
DeviceInformation additional.fields.key and additional.fields.value.string_value
ItemName target.labels.key/value (deprecated)
ItemName additional.fields.key and additional.fields.value.string_value
MessageId target.labels.key/value (deprecated)
MessageId additional.fields.key and additional.fields.value.string_value
MessageVersion target.labels.key/value (deprecated)
MessageVersion additional.fields.key and additional.fields.value.string_value
ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
TeamGuid target.group.product_object_id
TeamName target.group.group_display_name
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
UserType target.user.attribute.roles
Version metadata.product_version

GetWorkspaces

The following table lists the log fields and corresponding UDM mappings for the operation GetWorkspaces and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Activity about.labels.key/value (deprecated)
Activity additional.fields.key and additional.fields.value.string_value
ActivityId about.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
AggregatedWorkspaceInformation.WorkspaceCount target.labels.key/value (deprecated)
AggregatedWorkspaceInformation.WorkspaceCount additional.fields.key and additional.fields.value.string_value
AggregatedWorkspaceInformation.WorkspacesByCapacitySku target.labels.key/value (deprecated)
AggregatedWorkspaceInformation.WorkspacesByCapacitySku additional.fields.key and additional.fields.value.string_value
AggregatedWorkspaceInformation.WorkspacesByType target.labels.key/value (deprecated)
AggregatedWorkspaceInformation.WorkspacesByType additional.fields.key and additional.fields.value.string_value
IsSuccess security_result.action
UserAgent network.http.user_agent

ConnectFromExternalApplication

The following table lists the log fields and corresponding UDM mappings for the operation ConnectFromExternalApplication and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Activity about.labels.key/value (deprecated)
Activity additional.fields.key and additional.fields.value.string_value
CustomData about.labels.key/value (deprecated)
CustomData additional.fields.key and additional.fields.value.string_value

TaskListRead

The following table lists the log fields and corresponding UDM mappings for the operation TaskListRead and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
UserKey principal.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
TaskList target.labels.key/value (deprecated)
TaskList additional.fields.key and additional.fields.value.string_value

PutConnection

The following table lists the log fields and corresponding UDM mappings for the operation PutConnection and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AdditionalInfo.actionName security_result.detection_fields.key/value
ResourceId target.labels.key/value (deprecated)
ResourceId additional.fields.key and additional.fields.value.string_value
UserKey target.labels.key/value
AdditionalInfo.environmentName target.labels.key/value (deprecated)
AdditionalInfo.environmentName additional.fields.key and additional.fields.value.string_value

AdminSubmissionTablAllow

The following table lists the log fields and corresponding UDM mappings for the operation AdminSubmissionTablAllow and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT.
SubmissionContent security_result.detection_fields.key/value
SubmissionContentType security_result.detection_fields.key/value
ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
Recipients network.email.to
SubmissionState security_result.summary
SubmissionId security_result.detection_fields.key/value
ExtendedProperties principal.labels.key/value (deprecated)

about.labels.key/value (deprecated)

If the Name log field value is equal to AdminReviewTime or AdminReviewResult, then the Value is mapped to the principal.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

SubmissionConfidenceLevel security_result.detection_fields.key/value
SubmissionType security_result.detection_fields.key/value
MessageDate about.labels.key/value (deprecated)
MessageDate additional.fields.key and additional.fields.value.string_value
P1SenderDomain principal.administrative_domain
UserKey target.labels.key/value
P2SenderDomain about.administrative_domain
Subject network.email.subject
Version metadata.product_version

Add contact.

The following table lists the log fields and corresponding UDM mappings for the operation Add contact. and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION.

target.resource.resource_subtype is set to Contact.

ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
IntraSystemId target.resource.attribute.labels.key/value
ActorContextId principal.labels.key/value (deprecated)
ActorContextId additional.fields.key and additional.fields.value.string_value
SupportTicketId about.labels.key/value (deprecated)
SupportTicketId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
TargetContextId target.labels.key/value (deprecated)
TargetContextId additional.fields.key and additional.fields.value.string_value
UserKey target.labels.key/value
Target security_result.detection_fields.key/value
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
Actor security_result.detection_fields.key/value
Version metadata.product_version
ExtendedProperties target.resource.attribute.labels.key/value

about.labels.key/value (deprecated)

additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Else, the Value log field is mapped to the about.labels.key/value (deprecated), additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties target.resource.name

target.resource.attribute.labels.key/value

security_result.detection_fields.key/value

security_result.summary

If Name is Included Updated Properties, then NewValue is mapped to security_result.summary and OldValue is mapped to security_result.detection_fields.key/value.

Else if Name is DisplayName, then NewValue is mapped to target.resource.name and OldValue is mapped to target.resource.attribute.labels.key/value.

Else, the value is mapped to target.resource.attribute.labels.key/value.
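The conditional ExtendedProperties rules for AdminSubmissionTablAllow and the ExtendedProperties and ModifiedProperties rules for Add contact. are easy to get subtly wrong when validating or reimplementing a parser, so here is an added reference implementation of exactly those rules (example code, not the Google Security Operations parser) run over constructed audit records. It assumes a flat dict keyed by dotted UDM path, repeated label fields as lists of key/value dicts, and, where the page leaves the label key or value unspecified, uses the property Name as the key and NewValue as the value.

```python
"""Added example: reference implementation of the conditional ExtendedProperties
and ModifiedProperties mappings this page states for AdminSubmissionTablAllow
and "Add contact.". Not Google Security Operations parser code.

Assumptions (not from the page): UDM is a flat dict keyed by dotted field path;
repeated key/value fields are lists of {"key", "value"} dicts; where the page
does not name the label key or value, Name is the key and NewValue the value.
"""
from typing import Any

# Fixed per-operation mappings, taken from the tables on this page.
FIXED_FIELDS = {
    "AdminSubmissionTablAllow": {"metadata.event_type": "GENERIC_EVENT"},
    "Add contact.": {
        "metadata.event_type": "RESOURCE_CREATION",
        "target.resource.resource_subtype": "Contact",
    },
}

# ExtendedProperties names that the page routes away from the default
# about.labels (deprecated) + additional.fields destination.
# Value: (label field path, whether additional.fields is also populated).
EXTENDED_PROPERTY_ROUTES = {
    "AdminSubmissionTablAllow": {
        "AdminReviewTime": ("principal.labels", True),
        "AdminReviewResult": ("principal.labels", True),
    },
    "Add contact.": {
        "extendedAuditEventCategory": ("target.resource.attribute.labels", False),
    },
}


def _add_kv(udm: dict[str, Any], path: str, key: str, value: Any) -> None:
    """Append one key/value pair to a repeated UDM label field."""
    udm.setdefault(path, []).append({"key": key, "value": value})


def map_extended_properties(operation: str, props: list[dict[str, Any]],
                            udm: dict[str, Any]) -> dict[str, Any]:
    """Apply the page's 'If Name equals ... else about.labels' rule."""
    routes = EXTENDED_PROPERTY_ROUTES.get(operation, {})
    for prop in props:
        name, value = prop.get("Name"), prop.get("Value")
        if name is None:
            continue  # malformed entry: nothing to key the label on
        path, also_additional = routes.get(name, ("about.labels", True))
        _add_kv(udm, path, name, value)
        if also_additional:
            _add_kv(udm, "additional.fields", name, value)
    return udm


def map_modified_properties_add_contact(props: list[dict[str, Any]],
                                        udm: dict[str, Any]) -> dict[str, Any]:
    """Apply the three-way ModifiedProperties rule for 'Add contact.'."""
    for prop in props:
        name = prop.get("Name")
        new_value, old_value = prop.get("NewValue"), prop.get("OldValue")
        if name == "Included Updated Properties":
            udm["security_result.summary"] = new_value
            _add_kv(udm, "security_result.detection_fields", name, old_value)
        elif name == "DisplayName":
            udm["target.resource.name"] = new_value
            _add_kv(udm, "target.resource.attribute.labels", name, old_value)
        else:
            # The page names only the destination; using NewValue is an assumption.
            _add_kv(udm, "target.resource.attribute.labels", name, new_value)
    return udm


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Normalize one audit record for the two operations covered here."""
    operation = record.get("Operation")
    if operation not in FIXED_FIELDS:
        raise ValueError(f"operation not covered by this example: {operation!r}")
    udm: dict[str, Any] = dict(FIXED_FIELDS[operation])
    map_extended_properties(operation, record.get("ExtendedProperties", []), udm)
    if operation == "Add contact.":
        map_modified_properties_add_contact(record.get("ModifiedProperties", []), udm)
    return udm


# Constructed sample records (not real audit data).
SAMPLE_ADD_CONTACT = {
    "Operation": "Add contact.",
    "Workload": "AzureActiveDirectory",
    "ExtendedProperties": [
        {"Name": "extendedAuditEventCategory", "Value": "Contact"},
        {"Name": "additionalDetails", "Value": "{}"},
    ],
    "ModifiedProperties": [
        {"Name": "DisplayName", "NewValue": "Example Contact", "OldValue": ""},
        {"Name": "Included Updated Properties", "NewValue": "DisplayName, Mail", "OldValue": ""},
        {"Name": "Mail", "NewValue": "contact@example.com", "OldValue": ""},
    ],
}
SAMPLE_ADMIN_SUBMISSION = {
    "Operation": "AdminSubmissionTablAllow",
    "Workload": "SecurityComplianceCenter",
    "ExtendedProperties": [
        {"Name": "AdminReviewResult", "Value": "Allow"},
        {"Name": "SubmissionSource", "Value": "Admin"},
    ],
}

if __name__ == "__main__":
    for rec in (SAMPLE_ADD_CONTACT, SAMPLE_ADMIN_SUBMISSION):
        print(rec["Operation"], normalize(rec))
```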

WorkspacePortalUrlReceived

The following table lists the log fields and corresponding UDM mappings for the operation WorkspacePortalUrlReceived and workload MicrosoftDefenderForIdentity:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ResultDescription security_result.detection_fields.key/value
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value

PutConnectionPermission

The following table lists the log fields and corresponding UDM mappings for the operation PutConnectionPermission and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE.

target.resource.resource_type is set to SETTING.

ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
AdditionalInfo.actionName security_result.detection_fields.key/value
ResourceId target.resource.attribute.labels.key/value
UserKey target.labels.key/value
AdditionalInfo.environmentName target.resource.attribute.labels.key/value
AdditionalInfo.targetObjectId target.resource.product_object_id

SensitivityLabeledFileOpened

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabeledFileOpened and workload PublicEndpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_OPEN.
PreviousProtectionType.protectionType security_result.detection_fields.key/value
CurrentProtectionType.protectionType security_result.detection_fields.key/value
DeviceName target.hostname
CurrentProtectionType.documentEncrypted security_result.detection_fields.key/value
CurrentProtectionType.owner security_result.about.email_addresses
TargetLocation target.labels.key/value (deprecated)
TargetLocation additional.fields.key and additional.fields.value.string_value
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
LabelId target.labels.key/value (deprecated)
LabelId additional.fields.key and additional.fields.value.string_value
CurrentProtectionType.templateId security_result.detection_fields.key/value
ProtectionEventType security_result.detection_fields.key/value
ContentType target.labels.key/value (deprecated)
ContentType additional.fields.key and additional.fields.value.string_value
Platform target.platform
UserSku principal.labels.key/value (deprecated)
UserSku additional.fields.key and additional.fields.value.string_value
PreviousProtectionType.documentEncrypted security_result.detection_fields.key/value
ObjectId target.url
PreviousProtectionType.owner security_result.about.email_addresses
Application principal.application
PreviousProtectionType.templateId security_result.detection_fields.key/value

Validate

The following table lists the log fields and corresponding UDM mappings for the operation Validate and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ResultCount target.labels.key/value (deprecated)
ResultCount additional.fields.key and additional.fields.value.string_value
DataType security_result.description
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
AadAppId target.labels.key/value (deprecated)
AadAppId additional.fields.key and additional.fields.value.string_value
RelativeUrl target.url

SensitivityLabeledFileRenamed

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabeledFileRenamed and workload PublicEndpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_MOVE.
PreviousProtectionType.protectionType security_result.detection_fields.key/value
CurrentProtectionType.protectionType security_result.detection_fields.key/value
DeviceName target.hostname
CurrentProtectionType.documentEncrypted security_result.detection_fields.key/value
CurrentProtectionType.owner security_result.about.email_addresses
TargetLocation target.labels.key/value (deprecated)
TargetLocation additional.fields.key and additional.fields.value.string_value
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
LabelId target.labels.key/value (deprecated)
LabelId additional.fields.key and additional.fields.value.string_value
CurrentProtectionType.templateId security_result.detection_fields.key/value
ProtectionEventType security_result.detection_fields.key/value
ContentType target.labels.key/value (deprecated)
ContentType additional.fields.key and additional.fields.value.string_value
Platform target.platform
UserSku principal.labels.key/value (deprecated)
UserSku additional.fields.key and additional.fields.value.string_value
PreviousProtectionType.documentEncrypted security_result.detection_fields.key/value
ObjectId target.url
PreviousProtectionType.owner security_result.about.email_addresses
Application principal.application
PreviousProtectionType.templateId security_result.detection_fields.key/value
PreviousTarget src.url

TaskModified

The following table lists the log fields and corresponding UDM mappings for the operation TaskModified and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.type is set to TASK.

PlanId target.resource.attribute.labels.key/value
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
ObjectId target.resource.product_object_id

DeleteTile

The following table lists the log fields and corresponding UDM mappings for the operation DeleteTile and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_DELETION.
WorkspaceId target.resource.product_object_id
WorkSpaceName target.resource.name
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
ActivityId principal.labels.key/value (deprecated)
ActivityId additional.fields.key and additional.fields.value.string_value
RefreshEnforcementPolicy security_result.detection_fields.key/value
RequestId about.labels.key/value (deprecated)
RequestId additional.fields.key and additional.fields.value.string_value
IsSuccess security_result.action
UserAgent network.http.user_agent
ObjectId target.resource.attribute.labels.key/value

QuarantineReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the operation QuarantineReleaseMessage and workload Quarantine:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
NetworkMessageId security_result.detection_fields.key/value
ReleaseTo security_result.detection_fields.key/value
RequestType security_result.detection_fields.key/value
RequestSource security_result.detection_fields.key/value

WorkspaceStatusReceived

The following table lists the log fields and corresponding UDM mappings for the operation WorkspaceStatusReceived and workload MicrosoftDefenderForIdentity:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ResultDescription security_result.detection_fields.key/value

LinkedEntityUpdated

The following table lists the log fields and corresponding UDM mappings for the operation LinkedEntityUpdated and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.resource_type is set to TASK.

ActorAppId target.labels.key/value (deprecated)
ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId security_result.detection_fields.key/value and target.resource.product_object_id
ItemType target.resource.attribute.labels.key/value
TargetActorId target.labels.key/value (deprecated)
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId target.labels.key/value (deprecated)
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

ViewResponse

The following table lists the log fields and corresponding UDM mappings for the operation ViewResponse and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
FormsUserTypes principal.labels.key/value (deprecated)
FormsUserTypes additional.fields.key and additional.fields.value.string_value
SourceApp principal.application
FormName target.resource.name
FormId target.resource.product_object_id

PlanListRead

The following table lists the log fields and corresponding UDM mappings for the operation PlanListRead and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_subtype is set to Plan.

PlanList target.resource.product_object_id
ObjectId target.resource.attribute.labels.key/value

O365SyncAdminUserPromotion

The following table lists the log fields and corresponding UDM mappings for the operation O365SyncAdminUserPromotion and workload Yammer:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ActorUserId principal.user.email_addresses or principal.user.userid
ActorYammerUserId principal.labels.key/value (deprecated)
ActorYammerUserId additional.fields.key and additional.fields.value.string_value
ObjectId target.labels.key/value (deprecated)
ObjectId additional.fields.key and additional.fields.value.string_value
YammerNetworkId principal.labels.key/value (deprecated)
YammerNetworkId additional.fields.key and additional.fields.value.string_value

FileCopiedToClipboard

The following table lists the log fields and corresponding UDM mappings for the operation FileCopiedToClipboard and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED.
Application principal.application
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode target.labels.key/value (deprecated)
EnforcementMode additional.fields.key and additional.fields.value.string_value
EvidenceFile.FullUrl target.labels.key/value (deprecated)
EvidenceFile.FullUrl additional.fields.key and additional.fields.value.string_value
EvidenceFile.StorageName target.labels.key/value (deprecated)
EvidenceFile.StorageName additional.fields.key and additional.fields.value.string_value
FileExtension target.file.mime_type
FileType target.resource.attribute.labels.key/value
FileSizeBytes target.file.size
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
ObjectId target.file.full_path
Platform target.labels.key/value (deprecated)
Platform additional.fields.key and additional.fields.value.string_value
PolicyMatchInfo target.resource.product_object_id, security_result.summary, security_result.rule_id, and security_result.rule_name

PolicyId is mapped to target.resource.product_object_id.

PolicyName is mapped to security_result.summary.

RuleId is mapped to security_result.rule_id.

RuleName is mapped to security_result.rule_name.

SensitiveInfoTypeData security_result.detection_fields.key/value and security_result.confidence_details

Scope target.labels.key/value (deprecated)
Scope additional.fields.key and additional.fields.value.string_value
RMSEncrypted security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
SourceLocationType principal.labels.key/value (deprecated)
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetDomain target.domain.name
TargetFilePath target.labels.key/value (deprecated)
TargetFilePath additional.fields.key and additional.fields.value.string_value
OriginatingDomain principal.domain.name

FileTranscriptContentAccessed

The following table lists the log fields and corresponding UDM mappings for the operation FileTranscriptContentAccessed and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to FILE_READ.
AlternateStreamId security_result.detection_fields.key/value
ApplicationDisplayName target.application and target.resource.name
ApplicationId target.resource.product_object_id
AuthenticationType principal.labels.key/value (deprecated)
AuthenticationType additional.fields.key and additional.fields.value.string_value
AppAccessContext.UniqueTokenId target.labels.key/value (deprecated)
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
BrowserName principal.labels.key/value (deprecated)
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion principal.labels.key/value (deprecated)
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName principal.labels.key/value (deprecated)
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
IsManagedDevice principal.labels.key/value (deprecated)
IsManagedDevice additional.fields.key and additional.fields.value.string_value
EventSource principal.application
HighPriorityMediaProcessing about.labels.key/value (deprecated)
HighPriorityMediaProcessing additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListBaseType target.labels.key/value (deprecated)
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListServerTemplate security_result.detection_fields.key/value
ObjectId target.url
Platform target.labels.key/value (deprecated)
Platform additional.fields.key and additional.fields.value.string_value
Site target.labels.key/value (deprecated)
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path

The target.file.full_path UDM field is set to SourceRelativeUrl/SourceFileName.
UserAgent network.http.user_agent
WebId about.labels.key/value (deprecated)
WebId additional.fields.key and additional.fields.value.string_value

Set-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Set-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value (deprecated)
ClientApplication additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Remove-DlpCompliancePolicy

The following table lists the log fields and corresponding UDM mappings for the operation Remove-DlpCompliancePolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_DELETION.

target.resource.resource_type is set to ACCESS_POLICY.

ClientApplication principal.labels.key/value (deprecated)
ClientApplication additional.fields.key and additional.fields.value.string_value
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType about.labels.key/value (deprecated)
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserKey target.labels.key/value (deprecated)
UserKey additional.fields.key and additional.fields.value.string_value
UserServicePlan principal.labels.key/value (deprecated)
UserServicePlan additional.fields.key and additional.fields.value.string_value
Version metadata.product_version

Add-MailboxLocation

The following table lists the log fields and corresponding UDM mappings for the operation Add-MailboxLocation and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
AppId target.resource.attribute.labels.key/value
ClientAppId additional.fields.key and additional.fields.value.string_value
ObjectId target.resource.product_object_id
OrganizationName target.administrative_domain
OriginatingServer principal.hostname
Parameters security_result.detection_fields.key/value
SessionId network.session_id
Version metadata.product_version
RequestId additional.fields.key and additional.fields.value.string_value

Release-QuarantineMessage

The following table lists the log fields and corresponding UDM mappings for the operation Release-QuarantineMessage and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserServicePlan additional.fields.key and additional.fields.value.string_value

SensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabelApplied and workload PublicEndpoint:

Log field UDM mapping
metadata.event_type is mapped to GENERIC_EVENT.

target.resource.resource_type is set to SETTING.

Application principal.application
ContentType additional.fields.key and additional.fields.value.string_value
CurrentProtectionType.protectionType target.resource.attribute.labels.key/value
CurrentProtectionType.documentEncrypted target.resource.attribute.labels.key/value
CurrentProtectionType.owner target.resource.attribute.labels.key/value
CurrentProtectionType.templateId target.resource.attribute.labels.key/value
DeviceName target.hostname
EmailInfo.cc network.email.cc
EmailInfo.bcc network.email.bcc
EmailInfo.from network.email.from
EmailInfo.subject network.email.subject
EmailInfo.to network.email.to
Platform target.platform
PreviousProtectionType.protectionType target.resource.attribute.labels.key/value
PreviousProtectionType.documentEncrypted target.resource.attribute.labels.key/value
PreviousProtectionType.owner target.resource.attribute.labels.key/value
PreviousProtectionType.templateId target.resource.attribute.labels.key/value
ProtectionEventType security_result.detection_fields.key/value
TargetLocation additional.fields.key and additional.fields.value.string_value
UserSku additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.ActionSource security_result.detection_fields.key/value
SensitivityLabelEventData.ActionSourceDetail security_result.detection_fields.key/value
SensitivityLabelEventData.LabelEventType security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId target.resource.product_object_id

SharingLinkCreated

The following table lists the log fields and corresponding UDM mappings for the operation SharingLinkCreated and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION.

target.resource.resource_subtype is set to Link.

ApplicationDisplayName target.application and target.resource.name
ApplicationId target.resource.product_object_id
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ObjectId target.url
Permission target.resource.attribute.permissions.name
Platform target.platform
SharingLinkScope target.resource.attribute.labels.key/value
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
UniqueSharingId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId additional.fields.key and additional.fields.value.string_value

TimesheetSaved

The following table lists the log fields and corresponding UDM mappings for the operation TimesheetSaved and workload Project:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_subtype is set to Timesheet.

Action security_result.description
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
Entity metadata.product_name
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
Platform target.platform
UserAgent network.http.user_agent

ResourceCheckedOut

The following table lists the log fields and corresponding UDM mappings for the operation ResourceCheckedOut and workload Project:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.
Action security_result.description
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
Entity metadata.product_name
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
Platform target.platform
UserAgent network.http.user_agent

TimesheetAccessed

The following table lists the log fields and corresponding UDM mappings for the operation TimesheetAccessed and workload Project:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_subtype is set to Timesheet.

Action security_result.description
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
Entity metadata.product_name
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
Platform target.platform
UserAgent network.http.user_agent

ListItemRecycled

The following table lists the log fields and corresponding UDM mappings for the operation ListItemRecycled and workload SharePoint:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ApplicationDisplayName target.application and target.resource.name
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListBaseTemplateType additional.fields.key and additional.fields.value.string_value
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListTitle additional.fields.key and additional.fields.value.string_value
ObjectId target.url
Platform target.platform
Site additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId additional.fields.key and additional.fields.value.string_value

SensitivityLabelUpdated

The following table lists the log fields and corresponding UDM mappings for the operation SensitivityLabelUpdated and workload PowerPoint:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Application principal.application
ContentType additional.fields.key and additional.fields.value.string_value
CurrentProtectionType.documentEncrypted security_result.detection_fields.key/value
CurrentProtectionType.owner security_result.about.user.email_addresses
CurrentProtectionType.protectionType security_result.detection_fields.key/value
CurrentProtectionType.templateId security_result.detection_fields.key/value
DeviceName target.hostname
ObjectId target.url
Platform target.platform
PreviousProtectionType.documentEncrypted security_result.detection_fields.key/value
PreviousProtectionType.owner security_result.about.user.email_addresses
PreviousProtectionType.protectionType security_result.detection_fields.key/value
PreviousProtectionType.templateId security_result.detection_fields.key/value
ProtectionEventType security_result.detection_fields.key/value
SensitivityLabelEventData.ActionSource additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.LabelEventType additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.OldSensitivityLabelId security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId target.resource.product_object_id
TargetLocation additional.fields.key and additional.fields.value.string_value
UserSku additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.JustificationText security_result.detection_fields.key/value

GetGroupUsers

The following table lists the log fields and corresponding UDM mappings for the operation GetGroupUsers and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.
Activity additional.fields.key and additional.fields.value.string_value
ActivityId additional.fields.key and additional.fields.value.string_value
CapacityId additional.fields.key and additional.fields.value.string_value
IsSuccess security_result.action
ObjectId target.resource.name
RefreshEnforcementPolicy security_result.detection_fields.key/value
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WorkspaceId target.resource.product_object_id

SubTaskCreated

The following table lists the log fields and corresponding UDM mappings for the operation SubTaskCreated and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_CREATION.

target.resource.type is set to TASK.

ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId target.resource.product_object_id
ItemType target.resource.attribute.labels.key/value
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

TaskRead

The following table lists the log fields and corresponding UDM mappings for the operation TaskRead and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.type is set to TASK.

ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId target.resource.product_object_id
ItemType target.resource.attribute.labels.key/value
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

SubTaskUpdated

The following table lists the log fields and corresponding UDM mappings for the operation SubTaskUpdated and workload MicrosoftTodo:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.type is set to TASK.

ActorAppId additional.fields.key and additional.fields.value.string_value
ItemId target.resource.product_object_id
ItemType target.resource.attribute.labels.key/value
TargetActorId additional.fields.key and additional.fields.value.string_value
TargetActorTenantId additional.fields.key and additional.fields.value.string_value

SharingLinkUpdated

The following table lists the log fields and corresponding UDM mappings for the operation SharingLinkUpdated and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.resource_subtype is set to Link.

ApplicationDisplayName target.application and target.resource.name
ApplicationId target.resource.product_object_id
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ObjectId target.url
Permission target.resource.attribute.permissions.name
Platform target.platform
SharingLinkScope target.resource.attribute.labels.key/value
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
UniqueSharingId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelId security_result.detection_fields.key/value

Authorize

The following table lists the log fields and corresponding UDM mappings for the operation Authorize and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
AadAppId additional.fields.key and additional.fields.value.string_value
DataType security_result.description
RelativeUrl target.url
ResultCount additional.fields.key and additional.fields.value.string_value

AddedToSharingLink

The following table lists the log fields and corresponding UDM mappings for the operation AddedToSharingLink and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

ApplicationDisplayName target.application and target.resource.name
ApplicationId target.resource.product_object_id
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ObjectId target.url
Permission target.resource.attribute.permissions.name
Platform target.platform
SharingLinkScope target.resource.attribute.labels.key/value
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
UniqueSharingId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelId security_result.detection_fields.key/value
TargetUserOrGroupName target.group.group_display_name or target.user.email_addresses

If the TargetUserOrGroupType log field value contains one of the following values, then the TargetUserOrGroupName log field is mapped to the target.group.group_display_name UDM field:
  • SecurityGroup
  • SharePointGroup

Else, if the TargetUserOrGroupType log field value contains one of the following values, then the TargetUserOrGroupName log field is mapped to the target.user.email_addresses UDM field:
  • Member
  • Guest

SharingLinkUsed

The following table lists the log fields and corresponding UDM mappings for the operation SharingLinkUsed and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_subtype is set to Link.

ApplicationDisplayName target.application and target.resource.name
ApplicationId target.resource.product_object_id
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ObjectId target.url
Permission target.resource.attribute.permissions.name
Platform target.platform
SharingLinkScope target.resource.attribute.labels.key/value
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
UniqueSharingId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
WebId additional.fields.key and additional.fields.value.string_value
SensitivityLabelId security_result.detection_fields.key/value

Update policy.

The following table lists the log fields and corresponding UDM mappings for the operation Update policy. and workload AzureActiveDirectory:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_UPDATE_CONTENT.
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, and additional.fields.key and additional.fields.value.string_value

If the Name log field value is equal to additionalDetails, then User-Agent is extracted from the Value log field using the Grok pattern and mapped to the network.http.user_agent UDM field.

Else, the Value log field is mapped to the additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.summary and target.resource.name

If the Name log field value is equal to DisplayName, then the NewValue log field is mapped to the target.resource.name UDM field.

If the Name log field value is equal to Updated Properties, then the NewValue log field is mapped to the security_result.summary UDM field.

Actor security_result.detection_fields.key/value
ActorContextId additional.fields.key and additional.fields.value.string_value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target security_result.detection_fields.key/value
TargetContextId additional.fields.key and additional.fields.value.string_value
ObjectId target.resource.product_object_id

FileSensitivityLabelApplied

The following table lists the log fields and corresponding UDM mappings for the operation FileSensitivityLabelApplied and workload SharePoint or OneDrive:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED.
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DestinationFileExtension target.file.mime_type
DestinationFileName target.file.full_path
DestinationRelativeUrl target.file.full_path
DestinationLabel additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
HighPriorityMediaProcessing additional.fields.key and additional.fields.value.string_value
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListServerTemplate security_result.detection_fields.key/value
ObjectId target.url
Platform target.platform
SensitivityLabelEventData.LabelEventType additional.fields.key and additional.fields.value.string_value
SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelOwnerEmail security_result.about.user.email_addresses
SensitivityLabelJustificationText security_result.detection_fields.key/value
Site target.labels.key/value
SiteUrl network.http.referral_url
SourceFileExtension src.file.mime_type
SourceFileName src.file.full_path
SourceRelativeUrl src.file.full_path
SourceLabel additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent
UserKey additional.fields.key and additional.fields.value.string_value
Version metadata.product_version
WebId additional.fields.key and additional.fields.value.string_value

QuarantineDenyReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the operation QuarantineDenyReleaseMessage and workload Quarantine:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Identity additional.fields.key and additional.fields.value.string_value
NetworkMessageId security_result.detection_fields.key/value
QuarantinePolicy security_result.detection_fields.key/value
QuarantineType security_result.detection_fields.key/value
RecipientTags security_result.detection_fields.key/value
RequestSource security_result.detection_fields.key/value
RequestType security_result.detection_fields.key/value

QuarantineApproveReleaseMessage

The following table lists the log fields and corresponding UDM mappings for the operation QuarantineApproveReleaseMessage and workload Quarantine:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Identity additional.fields.key and additional.fields.value.string_value
NetworkMessageId security_result.detection_fields.key/value
QuarantinePolicy security_result.detection_fields.key/value
QuarantineType security_result.detection_fields.key/value
RecipientTags security_result.detection_fields.key/value
RequestSource security_result.detection_fields.key/value
RequestType security_result.detection_fields.key/value

CopilotInteraction

The following table lists the log fields and corresponding UDM mappings for the operation CopilotInteraction and workload Copilot:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_sub_type is set to Copilot Chat.

CopilotEventData.AppHost target.application
CopilotEventData.ThreadId target.resource.product_object_id
CopilotEventData.AccessedResources target.resource.attribute.labels.key/value
CopilotEventData.Contexts target.resource.attribute.labels.key/value
CopilotEventData.MessageIds target.resource.attribute.labels.key/value

Remove delegated permission grant.

The following table lists the log fields and corresponding UDM mappings for the operation Remove delegated permission grant. and workload Copilot:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_PERMISSIONS_CHANGE.
Actor security_result.detection_fields.key/value
ActorContextId additional.fields.key and additional.fields.value.string_value
AzureActiveDirectoryEventType target.resource.attribute.labels.key/value
InterSystemsId target.resource.attribute.labels.key/value
IntraSystemId target.resource.attribute.labels.key/value
ObjectId target.resource.product_object_id
SupportTicketId additional.fields.key and additional.fields.value.string_value
Target security_result.detection_fields.key/value
TargetContextId additional.fields.key and additional.fields.value.string_value
ExtendedProperties network.http.user_agent, target.resource.attribute.labels.key/value, or additional.fields.key and additional.fields.value.string_value, depending on the Name log field:

If the Name log field value is equal to additionalDetails, then the User-Agent is extracted from the Value log field using a Grok pattern and mapped to the network.http.user_agent UDM field.

Otherwise, if the Name log field value is equal to extendedAuditEventCategory, then the Value log field is mapped to the target.resource.attribute.labels.key/value UDM field.

Otherwise, the Value log field is mapped to the additional.fields.key and additional.fields.value.string_value UDM fields.

ModifiedProperties security_result.detection_fields.key/value

FileCopiedToRemovableMedia

The following table lists the log fields and corresponding UDM mappings for the operation FileCopiedToRemovableMedia and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_COPY.
Application principal.application
DestinationLocationType additional.fields.key and additional.fields.value.string_value
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode additional.fields.key and additional.fields.value.string_value
EvidenceFile.FullUrl additional.fields.key and additional.fields.value.string_value
EvidenceFile.StorageName additional.fields.key and additional.fields.value.string_value
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
MatchedPolicies.PolicyId security_result.detection_fields.key/value
MatchedPolicies.PolicyName security_result.detection_fields.key/value
MatchedPolicies.RuleId security_result.rule_id
MatchedPolicies.RuleName security_result.rule_name
ObjectId src.file.full_path
OriginatingDomain principal.domain.name
Platform target.platform
PolicyMatchInfo.PolicyId target.resource.product_object_id
PolicyMatchInfo.PolicyName security_result.summary
PolicyMatchInfo.RuleId security_result.rule_id
PolicyMatchInfo.RuleName security_result.rule_name
PreviousFileName src.file.names
RMSEncrypted security_result.detection_fields.key/value
RemovableMediaDeviceAttributes.Manufacturer target.asset.hardware.manufacturer
RemovableMediaDeviceAttributes.Model target.asset.hardware.model
RemovableMediaDeviceAttributes.SerialNumber target.asset.hardware.serial_number
Scope additional.fields.key and additional.fields.value.string_value
SensitiveInfoTypeData.Confidence security_result.confidence_details
SensitiveInfoTypeData.Count security_result.detection_fields.key/value
SensitiveInfoTypeData.SensitiveInfoTypeId security_result.detection_fields.key/value
SensitiveInfoTypeData.SensitiveInfoTypeName security_result.detection_fields.key/value
SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
SensitiveInfoTypeData.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
SensitivityLabelEventData.SensitivityLabelId security_result.detection_fields.key/value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetDomain target.domain.name
TargetFilePath target.file.full_path
TargetPrinterName target.asset.hostname

TaskStatusSubmitted

The following table lists the log fields and corresponding UDM mappings for the operation TaskStatusSubmitted and workload Project:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_WRITTEN.

target.resource.type is set to TASK.

ApplicationDisplayName target.application and target.resource.name
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
Entity metadata.product_name
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
Platform target.platform
UserAgent network.http.user_agent

ViewTile

The following table lists the log fields and corresponding UDM mappings for the operation ViewTile and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.

target.resource.resource_sub_type is set to Tile.

Activity additional.fields.key and additional.fields.value.string_value
ActivityId additional.fields.key and additional.fields.value.string_value
ConsumptionMethod additional.fields.key and additional.fields.value.string_value
DashboardId target.resource.attribute.labels.key/value
DashboardName target.resource.attribute.labels.key/value
IsSuccess security_result.action
ObjectId target.resource.name
RefreshEnforcementPolicy security_result.detection_fields.key/value
RequestId additional.fields.key and additional.fields.value.string_value
TileText target.resource.attribute.labels.key/value
UserAgent network.http.user_agent
WorkSpaceName target.resource.attribute.labels.key/value
WorkspaceId target.resource.attribute.labels.key/value

AppDlpEvaluationResultChange

The following table lists the log fields and corresponding UDM mappings for the operation AppDlpEvaluationResultChange and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
AdditionalInfo additional.fields.key and additional.fields.value.string_value
ObjectId additional.fields.key and additional.fields.value.string_value

ExportForm

The following table lists the log fields and corresponding UDM mappings for the operation ExportForm and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
ActivityParameters.ExportFormat target.file.mime_type
FormId target.resource.product_object_id
FormName target.resource.name
FormsUserType additional.fields.key and additional.fields.value.string_value
ObjectId target.resource.product_object_id
SourceApp principal.application

AppCleanedUpAfterExpiration

The following table lists the log fields and corresponding UDM mappings for the operation AppCleanedUpAfterExpiration and workload MicrosoftTeams:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
AddOnGuid additional.fields.key and additional.fields.value.string_value
AddOnType additional.fields.key and additional.fields.value.string_value
AppAccessContext.IssuedAtTime additional.fields.key and additional.fields.value.string_value
AppAccessContext.UniqueTokenId additional.fields.key and additional.fields.value.string_value
ChatThreadId target.user.group_identifiers and target.group.product_object_id
OperationScope additional.fields.key and additional.fields.value.string_value

PlanRead

The following table lists the log fields and corresponding UDM mappings for the operation PlanRead and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to RESOURCE_READ.
ContainerId target.resource.attribute.labels.key/value
ContainerType target.resource.attribute.labels.key/value
ObjectId target.resource.product_object_id

FileTimelineMetadataAccessed

The following table lists the log fields and corresponding UDM mappings for the operation FileTimelineMetadataAccessed and workload OneDrive:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED.
AlternateStreamId security_result.detection_fields.key/value
ApplicationDisplayName target.application and target.resource.name
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
EventSource principal.application
HighPriorityMediaProcessing additional.fields.key and additional.fields.value.string_value
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
ListBaseType additional.fields.key and additional.fields.value.string_value
ListId security_result.detection_fields.key/value
ListItemUniqueId principal.asset_id
ListServerTemplate security_result.detection_fields.key/value
ObjectId target.url
Platform target.platform
Site additional.fields.key and additional.fields.value.string_value
SiteUrl network.http.referral_url
SourceFileExtension target.file.mime_type
SourceFileName target.file.full_path
SourceRelativeUrl target.file.full_path
UserAgent network.http.user_agent

TimesheetSubmitted

The following table lists the log fields and corresponding UDM mappings for the operation TimesheetSubmitted and workload Project:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.

target.resource.resource_sub_type is set to Timesheet.

ApplicationDisplayName target.application and target.resource.name
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
Entity metadata.product_name
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
Platform target.platform
UserAgent network.http.user_agent

ViewForm

The following table lists the log fields and corresponding UDM mappings for the operation ViewForm and workload MicrosoftForms:

Log field UDM mapping
metadata.event_type is mapped to USER_RESOURCE_ACCESS.
FormId target.resource.product_object_id
FormName target.resource.name
FormsUserType additional.fields.key and additional.fields.value.string_value
SourceApp principal.application

TaskStatusSaved

The following table lists the log fields and corresponding UDM mappings for the operation TaskStatusSaved and workload Project:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
ApplicationDisplayName target.application and target.resource.name
AuthenticationType additional.fields.key and additional.fields.value.string_value
BrowserName additional.fields.key and additional.fields.value.string_value
BrowserVersion additional.fields.key and additional.fields.value.string_value
DeviceDisplayName additional.fields.key and additional.fields.value.string_value
Entity metadata.product_name
EventSource principal.application
IsManagedDevice additional.fields.key and additional.fields.value.string_value
ItemType target.resource.attribute.labels.key/value
Platform target.platform
UserAgent network.http.user_agent

RecordScopesConsent

The following table lists the log fields and corresponding UDM mappings for the operation RecordScopesConsent and workload PowerApps:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
AppName additional.fields.key and additional.fields.value.string_value
ObjectId additional.fields.key and additional.fields.value.string_value

EditFlow

The following table lists the log fields and corresponding UDM mappings for the operation EditFlow and workload MicrosoftFlow:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
FlowConnectorNames target.resource.name
FlowDetailsUrl metadata.url_back_to_product
ObjectId target.resource.product_object_id
LicenseDisplayName additional.fields.key and additional.fields.value.string_value
SharingPermission target.resource.attribute.labels.key/value
UserTypeInitiated principal.user.attribute.labels.key/value
UserUPN principal.user.attribute.labels.key/value

AttackSimulationEvent

The following table lists the log fields and corresponding UDM mappings for the operation AttackSimulationEvent and workload AttackSimulation:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
AttackSimEvent security_result.detection_fields.key/value
AttackTechnique security_result.attack_details.technique.name
BatchId security_result.detection_fields.key/value
CampaignId security_result.detection_fields.key/value
EndTimeData security_result.detection_fields.key/value
TimeData security_result.detection_fields.key/value
UserDisplayName principal.user.user_display_name

TaskAssigned

The following table lists the log fields and corresponding UDM mappings for the operation TaskAssigned and workload Planner:

Log field UDM mapping
metadata.event_type is mapped to USER_UNCATEGORIZED.
ObjectId target.resource.product_object_id
PlanId target.resource.attribute.labels.key/value

FileTransferredByBluetooth

The following table lists the log fields and corresponding UDM mappings for the operation FileTransferredByBluetooth and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED.
Application principal.application
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode additional.fields.key and additional.fields.value.string_value
EvidenceFile.FullUrl additional.fields.key and additional.fields.value.string_value
EvidenceFile.StorageName additional.fields.key and additional.fields.value.string_value
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
ObjectId target.file.full_path
Platform additional.fields.key and additional.fields.value.string_value
RMSEncrypted security_result.detection_fields.key/value
Scope additional.fields.key and additional.fields.value.string_value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetDomain target.domain.name
TargetFilePath additional.fields.key and additional.fields.value.string_value
TargetPrinterName target.asset.hostname

FileCopiedToRemoteDesktopSession

The following table lists the log fields and corresponding UDM mappings for the operation FileCopiedToRemoteDesktopSession and workload Endpoint:

Log field UDM mapping
metadata.event_type is mapped to FILE_UNCATEGORIZED.
Application principal.application
DeviceName target.hostname
DlpAuditEventMetadata.DlpPolicyMatchId security_result.detection_fields.key/value
DlpAuditEventMetadata.EvaluationTime security_result.detection_fields.key/value
EnforcementMode additional.fields.key and additional.fields.value.string_value
EvidenceFile.FullUrl additional.fields.key and additional.fields.value.string_value
EvidenceFile.StorageName additional.fields.key and additional.fields.value.string_value
FileExtension target.file.mime_type
FileSize target.file.size
FileType target.resource.attribute.labels.key/value
Hidden security_result.detection_fields.key/value
JitTriggered security_result.detection_fields.key/value
MDATPDeviceId security_result.detection_fields.key/value
ObjectId target.file.full_path
Platform additional.fields.key and additional.fields.value.string_value
RMSEncrypted security_result.detection_fields.key/value
Scope additional.fields.key and additional.fields.value.string_value
Sha1 target.file.sha1
Sha256 target.file.sha256
SourceLocationType additional.fields.key and additional.fields.value.string_value
TargetDomain target.domain.name
TargetFilePath additional.fields.key and additional.fields.value.string_value
TargetPrinterName target.asset.hostname

New-InsiderRiskPolicy

The following table lists the log fields and corresponding UDM mappings for the operation New-InsiderRiskPolicy and workload SecurityComplianceCenter:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ClientApplication principal.application
CmdletVersion metadata.product_version
EffectiveOrganization target.administrative_domain
ObjectId target.resource.product_object_id
Parameters target.process.command_line
SecurityComplianceCenterEventType additional.fields.key and additional.fields.value.string_value
StartTime target.resource.attribute.creation_time
UserServicePlan additional.fields.key and additional.fields.value.string_value

AutoSensitivityLabelRuleMatch

The following table lists the log fields and corresponding UDM mappings for the operation AutoSensitivityLabelRuleMatch and workload Exchange:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
ConditionMatch.SensitiveInformation.ClassifierType security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.Confidence security_result.confidence_details
ConditionMatch.SensitiveInformation.Count security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.Id security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.Location security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.SensitiveInformationDetailedClassificationAttributes.Confidence security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.SensitiveInformationDetailedClassificationAttributes.Count security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.SensitiveInformationDetailedClassificationAttributes.IsMatch security_result.detection_fields.key/value
ConditionMatch.SensitiveInformation.UniqueCount security_result.detection_fields.key/value
ExchangeMetaData.From network.email.from
ExchangeMetaData.MessageID additional.fields.key and additional.fields.value.string_value
ExchangeMetaData.RecipientCount additional.fields.key and additional.fields.value.string_value
ExchangeMetaData.Sent additional.fields.key and additional.fields.value.string_value
ExchangeMetaData.To network.email.to
ExecutionRuleId security_result.rule_id
ExecutionRuleName security_result.rule_name
ExecutionRuleVersion security_result.rule_version
IsViewableByExternalUsers additional.fields.key and additional.fields.value.string_value
ItemCreationTime target.resource.attribute.labels.key/value
ItemLastModifiedTime target.resource.attribute.labels.key/value
ItemSize target.resource.attribute.labels.key/value
LabelId target.resource.attribute.labels.key/value
LabelName target.resource.attribute.labels.key/value
ItemName target.resource.name
MachineName principal.hostname
MgtRuleId security_result.detection_fields.key/value
OverRideReason security_result.detection_fields.key/value
OverRideType security_result.detection_fields.key/value
PolicyId security_result.detection_fields.key/value
PolicyName security_result.detection_fields.key/value
PolicyVersion security_result.detection_fields.key/value
RuleMode security_result.detection_fields.key/value
ScopedLocationId security_result.detection_fields.key/value
SensitiveInfoDetectionIsIncluded security_result.detection_fields.key/value
WorkLoadItemId additional.fields.key and additional.fields.value.string_value
Severity security_result.severity

GetRefreshablesForCapacityAsAdmin

The following table lists the log fields and corresponding UDM mappings for the operation GetRefreshablesForCapacityAsAdmin and workload PowerBI:

Log field UDM mapping
metadata.event_type is mapped to STATUS_UPDATE.
Activity additional.fields.key and additional.fields.value.string_value
ActivityId additional.fields.key and additional.fields.value.string_value
IsSuccess security_result.action
RefreshEnforcementPolicy security_result.detection_fields.key/value
RequestId additional.fields.key and additional.fields.value.string_value
UserAgent network.http.user_agent

What's next